################################################################
# ThreatFox IOCs: Suricata rules                               #
# Last updated: 2025-11-10 03:17:47 UTC                        #
#                                                              #
# Terms Of Use: https://threatfox.abuse.ch/faq/#tos            #
# For questions please contact threatfox [at] abuse.ch         #
################################################################
#
# Analyst notes on reading and triaging these rules
# -------------------------------------------------
# Layout: one rule per line. Each rule maps to a single ThreatFox IOC; the
# IOC id appears in `reference:url` and, prefixed with 9, as the rule `sid`.
#
# Domain rules (`alert dns`):
#   * `dns_query` selects the queried name; `content` with `depth` equal to
#     the length of the name plus `isdataat:!1,relative` requires the whole
#     query name to equal the listed domain (`nocase` makes the comparison
#     case-insensitive). Subdomains or parent domains of a listed name do
#     not match.
#   * `dns_query` is the legacy spelling of the `dns.query` sticky buffer.
#   * The alert is raised on the lookup itself, not on any later connection
#     to the resolved address.
#   * The rule direction is $HOME_NET -> $EXTERNAL_NET. Where clients use an
#     internal recursive resolver, the query seen leaving the network may
#     originate from that resolver, so `target:src_ip` can point at the
#     resolver rather than the querying host; correlate with resolver logs.
#
# ip:port rules (`alert tcp`):
#   * There are no payload or flow keywords, so any TCP packet from
#     $HOME_NET to the listed address and port matches, including a
#     connection attempt that is never answered. An alert shows an attempt
#     to reach the endpoint, not an established C2 session.
#   * `threshold: type limit, track by_src, seconds 60, count 1` caps output
#     at one alert per source address per 60 seconds.
#
# All rules:
#   * `target:src_ip` records the $HOME_NET side as the target in event
#     output.
#   * `metadata: confidence_level` mirrors the percentage in `msg`; this
#     excerpt contains entries at 50, 75 and 100. Corroborate lower-confidence
#     hits with other telemetry before acting on them.
#   * `first_seen` is the date carried by the feed entry; the rule itself
#     says nothing about whether the endpoint is still in use.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"birch.sparrowdock.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.sparrowdock.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blitz.sparrowdock.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adler.anvilklee.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.anvilklee.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stein.anvilklee.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rauch.nimbusforge.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glade.nimbusforge.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolke.nimbusforge.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.sageufer.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.sageufer.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fels.sageufer.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bach.echohang.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"krone.echohang.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moos.echohang.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fels.shadowtal.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.shadowtal.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nacht.shadowtal.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pfad.crimsonwald.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grat.crimsonwald.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637714; rev:1;)
alert tcp $HOME_NET any -> [82.115.16.75] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637713; rev:1;)
alert tcp $HOME_NET any -> [102.96.215.214] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637711; rev:1;)
alert tcp $HOME_NET any -> [93.198.181.8] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637712; rev:1;)
alert tcp $HOME_NET any -> [38.102.86.69] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637710; rev:1;)
alert tcp $HOME_NET any -> [161.248.179.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637709; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.101] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_10; classtype:trojan-activity; sid:91637708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eis.crimsonwald.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.quartzhain.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eiche.quartzhain.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glut.quartzhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moos.granitebach.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adler.granitebach.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sturm.granitebach.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637690; rev:1;)
alert tcp $HOME_NET any -> [64.185.236.213] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637688; rev:1;)
alert tcp $HOME_NET any -> [64.185.236.213] 44133 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637689; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.148] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjord.copperhang.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637686; rev:1;)
alert tcp $HOME_NET any -> [94.156.155.89] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wald.copperhang.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637684; rev:1;)
alert tcp $HOME_NET any -> [38.180.233.19] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637683; rev:1;)
alert tcp $HOME_NET any -> [193.111.117.0] 56001 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637682; rev:1;)
alert tcp $HOME_NET any -> [37.221.66.129] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eis.copperhang.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pat.microsoft-telemetry.at"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnr.microsoft-telemetry.at"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dorn.steelpfad.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637677; rev:1;)
alert tcp $HOME_NET any -> [23.27.164.2] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637676; rev:1;)
alert tcp $HOME_NET any -> [5.252.155.19] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tau.steelpfad.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637674; rev:1;)
alert tcp $HOME_NET any -> [185.102.115.211] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637673; rev:1;)
alert tcp $HOME_NET any -> [176.46.141.8] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rauch.steelpfad.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637670; rev:1;)
alert tcp $HOME_NET any -> [80.97.160.211] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gleis.atlasufer.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.atlasufer.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.atlasufer.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"birch.orionfeld.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"klee.orionfeld.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolke.orionfeld.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637660; rev:1;)
alert tcp $HOME_NET any -> [206.245.132.113] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637659; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.129] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"05xg.br-1-ar-wild.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cliff.br-1-ar-wild.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fern.br-1-ar-wild.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ax.m0onforger.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lbgxn.m0onforger.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637653; rev:1;)
alert tcp $HOME_NET any -> [182.254.171.19] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637652; rev:1;)
alert tcp $HOME_NET any -> [45.81.113.237] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637651; rev:1;)
alert tcp $HOME_NET any -> [91.92.120.105] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637650; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.103] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9l.m0onforger.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637648; rev:1;)
alert tcp $HOME_NET any -> [92.205.187.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637647; rev:1;)
alert tcp $HOME_NET any -> [92.205.187.34] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637645/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637645; rev:1;)
alert tcp $HOME_NET any -> [92.205.187.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637646/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637646; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.18] 1948 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637644; rev:1;)
alert tcp $HOME_NET any -> [194.102.104.154] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637643; rev:1;)
alert tcp $HOME_NET any -> [92.205.187.34] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hover4.ember-trail.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrso.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiie.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiik.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiio.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637627/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiip.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehe.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637629/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637630/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaeho.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637631/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637632/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugse.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637633/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugsk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637634/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugso.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637635/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugsp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637636/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637637/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637638/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuho.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637639/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637640/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637596/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; 
dns_query; content:"eguaheoghouughahse.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahso.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637602/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefije.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1637603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637604/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637605/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637606/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfuge.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637607/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637608/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_09; classtype:trojan-activity; sid:91637608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637609/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637610/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637611/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhute.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637612/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637613/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637614/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhuto.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsde.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637616/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"gaohrhurhuhruhfsdp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637619; rev:1;)
# Triage notes for the DNS rules in this group (ThreatFox domain IOCs, msg
# "botnet C2 traffic"):
#   - `reference:url` points at the ThreatFox entry for the name; the same
#     numeric IOC id appears in the sid, prefixed with 9.
#   - `target:src_ip` marks the $HOME_NET host that sent the query as the
#     target side of the alert, i.e. the endpoint to investigate.
#   - `metadata: confidence_level 50` carries the feed's own confidence value.
# NOTE(review): at 50% a hit is better treated as a lead to corroborate with
# other telemetry than as proof of compromise - confirm against local policy.
# NOTE(review): the names fall into families that share a stem and differ only
# in the last character before the dot and in the TLD (.top/.su/.cc/.io/.co),
# which looks algorithmically generated; siblings missing from the feed would
# not be matched by these exact-name rules - confirm on the referenced entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrse.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfe.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafe.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637573/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifie.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifik.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifil.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifio.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifip.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughge.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfaie.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfaik.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfail.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfaip.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfe.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeude.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiee.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiek.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiel.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiieo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiep.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhuse.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhusk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehde.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdk.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdl.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdo.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query;
content:"aeoughaoheguaoehdp.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637565; rev:1;)
# HTTP rules for ThreatFox url IOCs (msg "botnet C2 traffic", feed confidence
# 50%), keyed on the request's host name.
# Each rule fires on a client-side GET over an established flow whose URI
# begins with "/" and whose `http.host` buffer equals the listed name
# (`depth` = pattern length, `isdataat:!1,relative` = nothing may follow).
# The URI test (`content:"/"; depth:1;`) only requires a leading slash, so the
# host name is the discriminating condition; other methods (e.g. POST) to the
# same host are not covered by these rules.
# The `nocase` after `depth:1` modifies the "/" URI pattern, not the host one.
# NOTE(review): Suricata documents http.host as lowercase-normalised, which
# would make the lowercase host patterns sufficient - confirm for the deployed
# version.
# NOTE(review): these rules inspect parsed HTTP only; connections to the same
# hosts over TLS would presumably not be seen here - confirm against the sensor
# configuration.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuho.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiip.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehe.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaeho.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugse.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugso.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrse.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrso.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase;
http.host; content:"gaouehaehfoaeajrsp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiie.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiik.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiil.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiio.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637538/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_09; classtype:trojan-activity; sid:91637538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfuge.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhute.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhuto.io"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1637523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsde.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637527; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahse.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"eguaheoghouughahsl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahso.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefije.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637511/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_09; classtype:trojan-activity; sid:91637511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaik.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfail.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaio.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaip.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfe.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfk.su"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1637496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeude.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637500; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifik.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637481/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifil.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"afaigaeigieufuifio.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifip.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughge.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637487/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_09; classtype:trojan-activity; sid:91637487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637489/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaie.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637490/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfe.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfo.io"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1637473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637473; rev:1;)
# The line above is the tail of a rule that begins before this part of the file.
#
# Rules below are laid out one per line. Three rule shapes appear. Every rule
# carries target:src_ip (the $HOME_NET side is reported as the target of the
# alert), a reference to its ThreatFox IOC page, and metadata holding the feed's
# confidence_level and first_seen date.
#
# 1. "url" rules (alert http): a client-side GET on an established flow whose
#    http.host equals the listed name exactly (depth equals the name length and
#    isdataat:!1,relative rejects any trailing bytes). Where http.uri is
#    content:"/" with depth:1, any URI that starts with "/" satisfies the path
#    test, so those rules are in effect host-only matches. Only parsed cleartext
#    HTTP is inspected; the same host reached over TLS does not trigger.
# 2. "domain" rules (alert dns): an exact, case-insensitive match on the queried
#    name (depth equals the name length, isdataat:!1,relative anchors the end).
#    Other labels under the same parent domain do not match. Only DNS the sensor
#    can parse is covered; encrypted DNS is not seen.
#    NOTE(review): dns_query is the legacy spelling of the dns.query buffer,
#    while the http rules use the dotted buffer names - confirm the engine
#    version in use accepts both.
# 3. "ip:port" rules (alert tcp): no flow or payload keywords, so any TCP packet
#    from $HOME_NET to the listed address and port matches, including connection
#    attempts that never complete. threshold limits output to one alert per
#    source address per 60 seconds.
#    NOTE(review): several destinations are on 80/443 and may be cloud or shared
#    hosting addresses that get reassigned - check first_seen and the reference
#    page before using these as block-list entries.

# url rules, confidence_level 50: host-only match (URI test is just a leading "/").
# NOTE(review): the feed rates these at 50 - consider routing them at a lower
# priority than the confidence_level 100 rules further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafe.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifie.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiel.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637457/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiieo.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637458/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiep.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637459/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhuse.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637460/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhuso.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusp.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehde.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdk.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdl.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiee.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637455/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiek.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637456/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637456; rev:1;)
# NOTE(review): redirectme.net looks like a dynamic-DNS parent domain; the rule
# matches this one hostname only, which is the right scope for a shared parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"draft21.redirectme.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637454/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ns3177629.ip-51-195-60.eu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637453; rev:1;)
# ip:port rules start here; they match on destination address and port alone.
alert tcp $HOME_NET any -> [147.185.221.31] 19832 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637452/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637452; rev:1;)
alert tcp $HOME_NET any -> [103.249.133.92] 19832 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637451/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637451; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.63] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gl.ember-trail.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637437; rev:1;)
alert tcp $HOME_NET any -> [45.153.34.240] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637436; rev:1;)
alert tcp $HOME_NET any -> [45.153.34.184] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1j.ember-trail.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637434; rev:1;)
alert tcp $HOME_NET any -> [172.111.182.5] 11276 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meadow0.ic0n1cbrook.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mlq1.ic0n1cbrook.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0zf5z.ic0n1cbrook.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637430; rev:1;)
alert tcp $HOME_NET any -> [51.79.119.230] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637429/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637429; rev:1;)
alert tcp $HOME_NET any -> [45.156.25.5] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637428; rev:1;)
alert tcp $HOME_NET any -> [35.71.175.86] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mto.gi-0-wmarsh.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6gx.gi-0-wmarsh.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hfcv.gi-0-wmarsh.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xzh.nightwharf.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3c7.nightwharf.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637422; rev:1;)
# NOTE(review): hopto.org looks like a dynamic-DNS parent domain; only this
# exact hostname matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yusuf36.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637421; rev:1;)
# Unlike the url rules above, this one pins a path prefix: the URI must begin
# with "/taig" (depth:5, nocase). The URI has no end anchor, so longer paths
# with that prefix also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taig"; depth:5; nocase; http.host; content:"desmflp.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637420; rev:1;)
alert tcp $HOME_NET any -> [8.140.42.191] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637419; rev:1;)
# NOTE(review): ply.gg looks like a tunnelling-service parent domain; only this
# exact hostname matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enjoy-char.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9hctu.nightwharf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad9vh.gi0wmarsh.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z14.gi0wmarsh.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drift.gi0wmarsh.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wild.stormharrow.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"willow.stormharrow.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thorn.stormharrow.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdjyu.m-0-on-forger.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loom.m-0-on-forger.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spark.m-0-on-forger.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glow.wind-barrow.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a31a.wind-barrow.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dhy.wind-barrow.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637405; rev:1;)
# The msg strings below name a tool family as reported by the feed; the rules
# themselves inspect nothing beyond destination address and port.
alert tcp $HOME_NET any -> [67.217.57.240] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637404; rev:1;)
alert tcp $HOME_NET any -> [3.90.221.14] 4841 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637403; rev:1;)
alert tcp $HOME_NET any -> [103.49.92.42] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637402; rev:1;)
alert tcp $HOME_NET any -> [61.37.18.2] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637401; rev:1;)
alert tcp $HOME_NET any -> [77.83.207.217] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637400; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.136] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637399; rev:1;)
alert tcp $HOME_NET any -> [106.54.244.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637398; rev:1;)
# Rules below are laid out one per line. Two rule shapes appear in this
# stretch. Every rule carries target:src_ip (the $HOME_NET side is reported as
# the target of the alert), a reference to its ThreatFox IOC page, and metadata
# holding the feed's confidence_level and first_seen date.
#
# - "ip:port" rules (alert tcp): no flow or payload keywords, so any TCP packet
#   from $HOME_NET to the listed address and port matches, including connection
#   attempts that never complete. threshold limits output to one alert per
#   source address per 60 seconds. The family named in msg is the feed's
#   attribution; the rule itself inspects nothing beyond address and port.
#   NOTE(review): many destinations are on 80/443 and may be cloud or shared
#   hosting addresses that get reassigned - check first_seen and the reference
#   page before using these as block-list entries.
# - "domain" rules (alert dns): an exact, case-insensitive match on the queried
#   name (depth equals the name length, isdataat:!1,relative anchors the end).
#   Other labels under the same parent domain do not match. Only DNS the sensor
#   can parse is covered; encrypted DNS is not seen.
#   NOTE(review): dns_query is the legacy spelling of the dns.query buffer -
#   confirm the engine version in use still accepts it.
alert tcp $HOME_NET any -> [128.199.86.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.storm-harrow.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637396; rev:1;)
alert tcp $HOME_NET any -> [47.243.131.179] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hu.storm-harrow.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"di.storm-harrow.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uirs.br1arwild.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bloom.br1arwild.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j0n.br1arwild.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brook.cinderloom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637389; rev:1;)
# The next two rules carry feed confidence below 100 (80 and 90).
alert tcp $HOME_NET any -> [185.176.94.42] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637282/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_09; classtype:trojan-activity; sid:91637282; rev:1;)
alert tcp $HOME_NET any -> [194.36.190.73] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637291/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_09; classtype:trojan-activity; sid:91637291; rev:1;)
# "Unknown malware" in msg means the feed names no family for the indicator;
# the ThreatFox reference is the only context available for triage.
alert tcp $HOME_NET any -> [45.192.98.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637292; rev:1;)
alert tcp $HOME_NET any -> [36.233.54.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637293; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.111] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637294; rev:1;)
alert tcp $HOME_NET any -> [47.103.120.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637295; rev:1;)
alert tcp $HOME_NET any -> [167.172.182.247] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637296; rev:1;)
alert tcp $HOME_NET any -> [195.66.25.17] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637297; rev:1;)
alert tcp $HOME_NET any -> [130.51.80.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vale0.cinderloom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wharf.cinderloom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637387; rev:1;)
# The same address is listed twice, once per port (4133 and 443), each with its
# own sid and IOC reference.
alert tcp $HOME_NET any -> [91.184.247.172] 4133 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637385; rev:1;)
alert tcp $HOME_NET any -> [91.184.247.172] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637386; rev:1;)
alert tcp $HOME_NET any -> [144.124.244.117] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637384; rev:1;)
alert tcp $HOME_NET any -> [104.164.55.233] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"77.windbarrow.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637382; rev:1;)
alert tcp $HOME_NET any -> [194.33.61.137] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637381; rev:1;)
alert tcp $HOME_NET any -> [176.46.141.23] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637380; rev:1;)
alert tcp $HOME_NET any -> [156.225.64.230] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rps7g.windbarrow.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637378; rev:1;)
alert tcp $HOME_NET any -> [166.88.96.129] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637377; rev:1;)
alert tcp $HOME_NET any -> [94.156.236.154] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7ih.windbarrow.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637375; rev:1;)
alert tcp $HOME_NET any -> [156.225.64.164] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637374; rev:1;)
alert tcp $HOME_NET any -> [66.78.40.82] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637373; rev:1;)
alert tcp $HOME_NET any -> [194.55.137.74] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hover.fr0stciiff.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637371; rev:1;)
alert tcp $HOME_NET any -> [80.66.72.37] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637370; rev:1;)
alert tcp $HOME_NET any -> [109.172.54.126] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637369; rev:1;)
alert tcp $HOME_NET any -> [185.198.234.100] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637368; rev:1;)
alert tcp $HOME_NET any -> [185.198.234.232] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f4.fr0stciiff.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637366; rev:1;)
alert tcp $HOME_NET any -> [185.242.245.10] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637365; rev:1;)
alert tcp $HOME_NET any -> [194.33.61.152] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637364; rev:1;)
alert tcp $HOME_NET any -> [144.31.191.199] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; 
sid:91637363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uf6qo.fr0stciiff.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637362; rev:1;) alert tcp $HOME_NET any -> [5.149.248.82] 35888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637361; rev:1;) alert tcp $HOME_NET any -> [104.248.88.63] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pwmt.embertrail.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637359; rev:1;) alert tcp $HOME_NET any -> [104.164.55.96] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637358; rev:1;) alert tcp $HOME_NET any -> [80.253.251.193] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gift.embertrail.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637356; rev:1;) alert tcp $HOME_NET any -> [77.105.143.139] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637355; rev:1;) alert tcp $HOME_NET any -> [109.107.178.32] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"igf.embertrail.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.goodfatherbab.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; 
classtype:trojan-activity; sid:91637352; rev:1;) alert tcp $HOME_NET any -> [217.156.67.101] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mist0.icy-moth.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637350; rev:1;) alert tcp $HOME_NET any -> [213.176.79.90] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637349; rev:1;) alert tcp $HOME_NET any -> [195.24.236.23] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637348; rev:1;) alert tcp $HOME_NET any -> [83.147.18.16] 8445 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637347/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637347; rev:1;) alert tcp $HOME_NET any -> [70.36.99.102] 54585 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3xlu.icy-moth.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vtbg5.icy-moth.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rv4sh.frost-fox.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5f2zf.frost-fox.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rp.frost-fox.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637341/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecio.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travelok.dynuddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marketings.mysynology.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"installinfo.dynu.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decorcom.ddnsguru.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637338; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pureworkcom.dynuddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"companies.bumbleshrimp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"romanticweb.dynu.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travel.bumbleshrimp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homelog.dynuddns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"daysincome.ddnsguru.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nayaink1990.dynu.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babyblue.dynuddns.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sufcompany.ddnsguru.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homelog2002.dynuddns.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautyandbeef.dyndns.org"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leetboy.dynuddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"60w.lake-spry.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investment-entirely.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huge-killer.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astromattel.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637320/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"standoffgey-42127.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cut-carry.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pigb.lake-spry.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637317; rev:1;) alert tcp $HOME_NET any -> [176.46.141.40] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tc.lake-spry.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637315; rev:1;) alert 
tcp $HOME_NET any -> [217.156.122.8] 5888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637314; rev:1;)
# ip:port rules (alert tcp $HOME_NET any -> [address] port):
# The only match criteria are the header fields: TCP from $HOME_NET to the
# listed address and port. There is no flow, flags or content keyword, so an
# alert records that a packet was sent toward the address; it does not show
# that a session was established or that any data was exchanged.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds for each sid, so the alert count is
# not a measure of traffic volume.
# NOTE(review): addresses can be reassigned or shared by unrelated services;
# check first_seen and the reference URL before treating an old hit as current.
alert tcp $HOME_NET any -> [80.97.160.202] 5888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637313; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.72] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637311; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.73] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637312; rev:1;)
# domain rules (alert dns ... dns_query):
# depth equals the length of the content string and isdataat:!1,relative
# requires that no byte follows it, so the queried name must equal the listed
# name exactly (case-insensitively, via nocase). Names under the listed one
# do not match.
# The alert fires on the lookup, not on a connection to the resolved address.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET; where clients use an
# internal resolver, the source address on the alert may be the resolver, or
# the client query may not match at all, depending on sensor placement and how
# the two variables are defined. Resolver query logs identify the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7tq70.rock-bay.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637310; rev:1;)
# url rules (alert http ... http.host):
# Match a client-to-server GET on an established flow whose URI starts with
# "/" and whose host equals the listed name exactly (depth + isdataat).
# NOTE(review): content:"/" with depth:1 has no end anchor, so it presumably
# matches every request path; the host is then the only discriminator and any
# GET to that site alerts. The feed rates these at confidence level 50.
# NOTE(review): these are http rules, so they apply to requests the sensor
# can parse as HTTP; requests to the same host inside TLS would not match
# unless traffic is decrypted upstream. Confirm coverage.
# nocase follows the "/" content, where it has no effect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"masazkielce.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"acebirdrep.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"birdrankopt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tapbirdrank.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sysbirdrep.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637305; rev:1;)
alert tcp $HOME_NET any -> [36.255.98.252] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"littlekitty.at"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4v.rock-bay.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637302; rev:1;)
alert tcp $HOME_NET any -> [221.14.182.99] 54002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gale2.rock-bay.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"snow5.sm-0-kewood.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3.sm-0-kewood.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.sm-0-kewood.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637289; rev:1;) alert tcp $HOME_NET any -> [101.132.71.240] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637288/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"88c2.pyroclay.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y4k.pyroclay.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637286/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637286; rev:1;)
# Domain indicators (payload delivery). Each rule inspects the dns_query
# buffer: depth equals the length of the name, so the content can only match
# at the start of the query, and isdataat:!1,relative requires that nothing
# follows it. Only a lookup of exactly this name alerts (nocase makes the
# comparison case-insensitive); another label under the same parent domain
# does not match.
# target:src_ip records the $HOME_NET host that issued the lookup as the
# target in the alert. The sid is the IOC id from the reference URL prefixed
# with 9, which gives a direct pivot from an alert to the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4d.pyroclay.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w0umz.s0ftfern.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i6gx6.s0ftfern.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shade.s0ftfern.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ib.lakespry.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vale.lakespry.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r349.lakespry.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"86.bl1zpond.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gk0.bl1zpond.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hush5.bl1zpond.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637275; rev:1;)
# ip:port indicator at confidence level 50. The rule carries no flow or
# content option, so any TCP packet from $HOME_NET to this address and port
# matches; threshold (type limit, track by_src, 60 s, count 1) caps it at one
# alert per source host per minute. Being a 50%-confidence entry on port 443,
# an alert is a lead to corroborate with flow/TLS logs, not a verdict.
alert tcp $HOME_NET any -> [23.27.177.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xhw.icymoth.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6s.icymoth.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637272; rev:1;)
alert tcp $HOME_NET any -> [91.231.222.220] 7076 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ajml.icymoth.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637270; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.2] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637268/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; 
classtype:trojan-activity; sid:91637268; rev:1;)
# ip:port indicators. The destination is a single literal address and port and
# the rule has no flow or payload option, so it alerts on any TCP packet a
# $HOME_NET host sends there; threshold (type limit, track by_src, 60 s,
# count 1) limits it to one alert per source host per minute. The malware
# family and the feed's confidence level appear only in msg/metadata and do
# not influence matching.
alert tcp $HOME_NET any -> [91.92.243.87] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637269/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637269; rev:1;)
alert tcp $HOME_NET any -> [51.79.117.159] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637267/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637267; rev:1;)
# Domain indicators: dns_query content with depth equal to the name length
# plus isdataat:!1,relative is an exact, case-insensitive match on the full
# query name. Several labels are listed per parent domain; a label that is
# not listed here will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l3.sm0kewood.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spark7.sm0kewood.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mist7.sm0kewood.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1g.windowl.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fnnl.windowl.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"willow9.windowl.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637261; rev:1;)
alert tcp $HOME_NET any -> [154.49.3.43] 8080 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637259; rev:1;)
alert tcp $HOME_NET any -> [185.154.195.94] 1337 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637260; rev:1;)
alert tcp $HOME_NET any -> [104.194.153.132] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637258; rev:1;)
alert tcp $HOME_NET any -> [95.112.70.120] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637257; rev:1;)
alert tcp $HOME_NET any -> [64.94.85.199] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637256; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.65] 43155 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637255; rev:1;)
alert tcp $HOME_NET any -> [207.148.70.26] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drift.frostfox.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637253; rev:1;)
alert tcp $HOME_NET any -> [103.237.86.164] 3435 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637249/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637249; rev:1;)
# Remcos ip:port indicators at confidence level 50. Matching is on the
# destination address and port alone (no flow or payload option), rate-limited
# by threshold to one alert per source host per 60 s. 203.202.232.87 is
# listed on two adjacent ports, each with its own sid.
alert tcp $HOME_NET any -> [203.202.232.87] 40406 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637250/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637250; rev:1;)
alert tcp $HOME_NET any -> [203.202.232.87] 40407 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637251/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637251; rev:1;)
alert tcp $HOME_NET any -> [23.140.8.132] 22033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637252/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637252; rev:1;)
# C2 domain indicators at confidence level 50. The msg names no malware
# family for these entries. Matching is an exact, case-insensitive comparison
# of the whole query name (depth = name length, isdataat:!1,relative).
# NOTE(review): gl.at.ply.gg, portmap.host and ydns.eu look like parent
# domains of shared tunnelling / dynamic-DNS services - confirm. The exact
# match keeps these rules from firing on other hosts under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"botnet.hqdata.vn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"football-reflect.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637245/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637245; rev:1;)
# xoilaczzzfz.tv is covered by three separate rules (v2., v3. and, further
# down, the bare domain) because each rule matches one exact name only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.xoilaczzzfz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637246/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.xoilaczzzfz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637247/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637247; rev:1;)
# One AsyncRAT address listed on three ports; one rule and one sid per port.
alert tcp $HOME_NET any -> [185.240.104.20] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637242/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637242; rev:1;)
alert tcp $HOME_NET any -> [185.240.104.20] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637243/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637243; rev:1;)
alert tcp $HOME_NET any -> [185.240.104.20] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637244/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aperture-48940.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kw.atrishop.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637238/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"left-cure.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637239/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"startmenuexperiencehosting.ydns.eu"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637240/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xoilaczzzfz.tv"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637241/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa1at/y/"; depth:9; nocase; 
http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637235/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637235; rev:1;)
# URL indicators (confidence level 50). flow:established,from_client limits
# matching to client requests on an established flow. http.uri is matched as
# a prefix (depth:9, no end anchor), so any GET path that begins with
# /sa1at/l/ alerts; http.host is matched exactly (depth:10 plus
# isdataat:!1,relative). There is no threshold option, so every matching
# request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa1at/l/"; depth:9; nocase; http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637236/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637236; rev:1;)
# http.uri content "/" with depth:1 only requires the path to start with a
# slash, so this rule is effectively "any GET whose Host is 45.156.87.7".
# The same address is also covered by the ip:port rule sid:91637149 (port 80,
# labelled Hook, confidence level 100) below; one plain-HTTP request to port
# 80 can raise both alerts, so de-duplicate on source host when counting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.156.87.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637234/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_09; classtype:trojan-activity; sid:91637234; rev:1;)
# C2 domain indicators: exact, case-insensitive match on the full DNS query
# name (depth = name length, isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlojonar.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637142; rev:1;)
# ip:port indicators: no flow or payload option, so any TCP packet from
# $HOME_NET to the listed address and port matches; threshold caps alerts at
# one per source host per 60 s. Confidence varies per entry (75 to 100 in
# this group) and is carried only in msg/metadata.
alert tcp $HOME_NET any -> [108.165.228.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nubiloma.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637143; rev:1;)
alert tcp $HOME_NET any -> [111.229.148.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637145; rev:1;)
alert tcp $HOME_NET any -> [23.249.20.52] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637147/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637147; rev:1;)
alert tcp $HOME_NET any -> [93.144.224.162] 1338 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637148; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.7] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637149; rev:1;)
alert tcp $HOME_NET any -> [188.68.168.150] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637151/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637151; rev:1;)
alert tcp $HOME_NET any -> [78.46.167.21] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637152; rev:1;)
alert tcp $HOME_NET any -> [72.60.113.48] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637153; rev:1;)
alert tcp $HOME_NET any -> [173.212.254.5] 38364 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637154; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.84] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637227/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_09; classtype:trojan-activity; sid:91637227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"koh2.frostfox.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637233; rev:1;)
alert tcp $HOME_NET any -> [162.220.12.209] 8990 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1637232/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637232; rev:1;)
# Payload-delivery domains, all first_seen 2025_11_09 at confidence level 100.
# Each rule is an exact, case-insensitive match on the complete DNS query name
# (depth = name length, isdataat:!1,relative), and the alert marks the
# querying $HOME_NET host as the target (target:src_ip). The feed lists up to
# three labels per parent domain in this group; because matching is exact, a
# lookup of any other label under the same parent passes silently, so a
# parent-domain search in DNS logs is a useful complement to these alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brook.frostfox.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.willowufer.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moos.willowufer.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adler.willowufer.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"klee.cometpfad.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gleis.cometpfad.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mond.cometpfad.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glut.ravenkamm.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.ravenkamm.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.ravenkamm.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nacht.stormgrat.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blatt.stormgrat.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637219; rev:1;)
# ip:port indicators: the same ValleyRAT address on ports 446 and 443, one
# rule per port. With no flow or payload option the match is on destination
# address and port only; threshold limits alerts to one per source host per
# 60 s, so the alert count does not reflect connection volume.
alert tcp $HOME_NET any -> [156.240.108.30] 446 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637217; rev:1;)
alert tcp $HOME_NET any -> [156.240.108.30] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ydbao2.cyou"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637216; rev:1;)
alert tcp $HOME_NET any -> [160.202.133.151] 6293 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1637215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637215; rev:1;)
# C2 domain indicators (confidence level 100): exact, case-insensitive match
# on the full DNS query name (depth = name length, isdataat:!1,relative).
# NOTE(review): dynuddns.net and gl.at.ply.gg look like parent domains of
# shared dynamic-DNS / tunnelling services - confirm. The exact match scopes
# each rule to the one listed host name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envioansyr.dynuddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637214; rev:1;)
# ip:port indicators: destination address and port only, no flow or payload
# option; threshold caps alerts at one per source host per 60 s.
alert tcp $HOME_NET any -> [23.95.198.241] 61315 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637213; rev:1;)
alert tcp $HOME_NET any -> [90.100.52.173] 9999 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"editor-okay.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637211; rev:1;)
# Payload-delivery domains. These use the same exact-name DNS match; the msg
# and metadata give the feed's threat type and confidence but no malware
# family. The sid is the IOC id from the reference URL prefixed with 9, so an
# alert's sid leads straight to the ThreatFox entry for context.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eis.stormgrat.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolke.polarhafen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tau.polarhafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjord.polarhafen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolfe.pixelbuche.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"birch.pixelbuche.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.pixelbuche.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fauna.driftkrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nebel.driftkrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gleis.driftkrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sturm.glaciergrat.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alpen.glaciergrat.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1637199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637199; rev:1;)
# ip:port indicators. Each rule names one destination address and port and
# has no flow or payload option, so it alerts on any TCP packet from
# $HOME_NET to that endpoint regardless of what the session carries. The
# first entry is on port 80 and two later ones are on 443 and 10443, where
# the alert says only that a host contacted the address; pair it with
# HTTP/TLS and flow records when triaging. threshold (type limit, track
# by_src, 60 s, count 1) gives at most one alert per source host per minute.
alert tcp $HOME_NET any -> [150.40.127.100] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637198; rev:1;)
alert tcp $HOME_NET any -> [54.92.90.78] 56213 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637197; rev:1;)
alert tcp $HOME_NET any -> [51.112.231.248] 6727 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637196; rev:1;)
alert tcp $HOME_NET any -> [154.64.231.55] 8889 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637195; rev:1;)
alert tcp $HOME_NET any -> [179.145.48.152] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637194; rev:1;)
alert tcp $HOME_NET any -> [92.118.56.54] 7755 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637193; rev:1;)
alert tcp $HOME_NET any -> [92.205.187.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637192; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the complete DNS
# query name (depth = name length, isdataat:!1,relative). The alert fires on
# the lookup itself and marks the querying $HOME_NET host as the target; it
# does not show whether a connection or download followed. If DNS goes
# through an internal resolver, src_ip is whichever host's query the sensor
# observes - verify sensor placement when attributing.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fels.glaciergrat.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.frostgipfel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sonne.frostgipfel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dampf.frostgipfel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quarz.ashenkrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolke.ashenkrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glut.ashenkrone.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637185; rev:1;)
alert tcp $HOME_NET any -> [77.83.207.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637184/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637184; rev:1;)
alert tcp $HOME_NET any -> [36.213.15.83] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637183/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; 
sid:91637183; rev:1;)
# Domain indicators. dns_query selects the DNS query-name buffer. In each rule
# depth equals the length of the content string, which pins the match to the
# start of the name, and isdataat:!1,relative requires that nothing follows it.
# Together they make an exact, case-insensitive (nocase) match on the whole
# query name. A query for a different label under the same domain, or for the
# listed name with a further label in front, does not match.
# fast_pattern makes the domain string the prefilter pattern for the rule.
# These rules have no threshold option, so every matching query raises an alert.
# target:src_ip marks the querying host as the affected side. Where clients
# resolve through an internal resolver inside $HOME_NET, the alert source may be
# that resolver rather than the client; correlate with resolver logs.
# Entries in this group differ in weight: "botnet C2 traffic" domains carry
# confidence_level 75, the "payload delivery" domain carries 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prod.setupcloudos.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637181/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"searchmtcn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637182/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.cedarsteg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app.setupcloudos.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637179/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_09; classtype:trojan-activity; sid:91637179; rev:1;)
# ip:port indicator: no flow or content option, so any TCP packet from $HOME_NET
# to this address and port matches. Limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.141.215.75] 8080 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ufer.cedarsteg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nacht.cedarsteg.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zorn.brassgipfel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"klee.brassgipfel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eiche.brassgipfel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dorn.ironklippe.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1637172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harz.ironklippe.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blitz.ironklippe.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rauch.swiftgasse.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tau.swiftgasse.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moos.swiftgasse.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; 
classtype:trojan-activity; sid:91637167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geist.quillwinkel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjord.quillwinkel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolke.quillwinkel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fx.sn0wmint.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3.sn0wmint.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637162; rev:1;) alert tcp $HOME_NET any -> [13.38.46.18] 789 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_09; classtype:trojan-activity; sid:91637161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srs01.sn0wmint.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"80deo.oak-ember.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2xado.oak-ember.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qcn6.oak-ember.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eiyxc.fl0wbud.ru"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4.fl0wbud.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2qn80.fl0wbud.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"21k2.fl-0-wbud.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uy4g.fl-0-wbud.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o6.fl-0-wbud.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637139/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_08; classtype:trojan-activity; sid:91637139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v42le.fog-map.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e4.fog-map.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6jr.fog-map.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v5w.r1mrock.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hd1p.r1mrock.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"pkc.r1mrock.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kzw.lakeray.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637132; rev:1;) alert tcp $HOME_NET any -> [108.187.7.85] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0zjkg.lakeray.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kwxwi.lakeray.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u8.sn-0-wmint.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1637128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g2.sn-0-wmint.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kp.sn-0-wmint.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"br.r-1-mrock.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5jxd.r-1-mrock.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ped.r-1-mrock.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91637123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asgp2.lake-ray.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0gk.lake-ray.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"os0.pooflare.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2luj.pooflare.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637119; rev:1;) alert tcp $HOME_NET any -> [196.75.213.17] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637118; rev:1;) alert tcp $HOME_NET any -> [54.95.111.44] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637117; rev:1;) alert tcp $HOME_NET any -> [178.16.55.222] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637116; rev:1;) alert tcp $HOME_NET any -> [45.77.41.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637115; rev:1;) alert tcp $HOME_NET any -> [113.45.36.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637114; rev:1;) alert tcp $HOME_NET any -> [158.94.209.119] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637113; rev:1;) alert tcp $HOME_NET any -> [23.249.28.150] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91637112; rev:1;) alert tcp $HOME_NET any -> [103.143.11.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"39o1.oakember.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"14myx.oakember.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u18t.oakember.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cp.skyaxe.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"k0w2j.skyaxe.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e5.skyaxe.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2r.icetap.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jbp.icetap.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637103; rev:1;) alert tcp $HOME_NET any -> [207.246.112.9] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637102/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637102; rev:1;) alert tcp $HOME_NET any -> [158.69.116.15] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637101/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637101; rev:1;)
# ip:port indicators published with confidence_level 75 (see msg and metadata),
# not 100. The rules match on destination address and port only, with no flow,
# TLS or payload condition, so they cannot tell the named C2 framework apart
# from any other service reachable on the same address and port. Three of the
# five use port 443.
# NOTE(review): treat a hit as a lead. Corroborate it with flow, TLS or endpoint
# telemetry and the referenced ThreatFox entry before containment.
# threshold limits each rule to one alert per source address per 60 seconds;
# the volume of connections is not visible from the alert count.
alert tcp $HOME_NET any -> [15.197.186.130] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637100/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637100; rev:1;)
alert tcp $HOME_NET any -> [13.40.132.190] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637099/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637099; rev:1;)
alert tcp $HOME_NET any -> [119.36.33.26] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637098/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637098; rev:1;)
alert tcp $HOME_NET any -> [112.213.120.162] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637097/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637097; rev:1;)
alert tcp $HOME_NET any -> [107.172.3.15] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637096/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"14ba.fogmap.ru"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eu5.fogmap.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mr5.fogmap.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"11.clear-fog.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xmn.clear-fog.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lmy0.clear-fog.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637090/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ei.sun-hill.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jfn.sun-hill.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637088; rev:1;) alert tcp $HOME_NET any -> [216.250.249.20] 2416 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637087/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nn15s.sun-hill.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1u74z.moss-owl.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637085; rev:1;) alert tcp $HOME_NET any -> [47.79.19.147] 5555 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637084; rev:1;)
# URL indicator. The sticky buffers apply in order: http.method must contain
# "GET"; http.uri must begin with the listed path (depth equals the pattern
# length, which anchors the start, and nothing anchors the end, so a longer
# path or a query string still matches); http.host must equal the listed
# address exactly (depth plus "isdataat:!1,relative").
# flow:established,from_client limits the rule to client-to-server data on an
# established session.
# NOTE(review): the rule needs the request parsed as cleartext HTTP. Whether a
# Host header that carries an explicit port still matches depends on how
# http.host is normalised; confirm on the Suricata version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/panel/login.php"; depth:25; nocase; http.host; content:"80.66.72.229"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637061; rev:1;)
alert tcp $HOME_NET any -> [196.251.72.110] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637080/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_08; classtype:trojan-activity; sid:91637080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nxc.moss-owl.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"enq.moss-owl.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"0okm8.dew-root.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5.dew-root.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637079; rev:1;) alert tcp $HOME_NET any -> [45.156.87.226] 8080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637078; rev:1;) alert tcp $HOME_NET any -> [45.156.25.5] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637077; rev:1;) alert tcp $HOME_NET any -> [16.170.141.201] 8001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637076; rev:1;) alert tcp $HOME_NET any -> [16.51.132.109] 1911 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637075/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_08; classtype:trojan-activity; sid:91637075; rev:1;) alert tcp $HOME_NET any -> [86.54.42.167] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637073; rev:1;) alert tcp $HOME_NET any -> [139.59.253.102] 7771 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637074; rev:1;) alert tcp $HOME_NET any -> [47.129.1.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637072; rev:1;) alert tcp $HOME_NET any -> [91.92.242.95] 3000 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637071; rev:1;) alert tcp $HOME_NET any -> [159.65.115.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637070; rev:1;) alert tcp $HOME_NET any -> [77.3.46.159] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1637069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637069; rev:1;) alert tcp $HOME_NET any -> [45.156.87.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637068; rev:1;) alert tcp $HOME_NET any -> [47.108.14.32] 4434 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637067; rev:1;) alert tcp $HOME_NET any -> [185.177.238.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637066; rev:1;) alert tcp $HOME_NET any -> [38.147.170.119] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637064; rev:1;) alert tcp $HOME_NET any -> [185.212.44.194] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637065; rev:1;) alert tcp $HOME_NET any -> [88.214.50.137] 
4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637063; rev:1;) alert tcp $HOME_NET any -> [77.83.207.218] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2x9mv.dew-root.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8vpz.r0ckveil.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637059; rev:1;) alert tcp $HOME_NET any -> [103.43.8.226] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot8376905353:aaf2xiff2tcuiah2b88lahxisrfwtojznru/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecohaus.webd.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636919; rev:1;)
# URL indicator on a shared service: http.host is api.telegram.org, so the
# distinguishing part is the "/bot<id>:<token>/sendmessage" path prefix in
# http.uri (written lower-case in the rule and matched with nocase). A match
# on the host alone would say nothing about maliciousness.
# NOTE(review): this is an "alert http" rule, so it can fire only where the
# sensor sees the request as parsed cleartext HTTP. Telegram documents the Bot
# API as HTTPS-only, so without TLS inspection in front of the sensor this
# rule is not expected to match. The feed rates it confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8024716497:aagmo2pb30ttufcq8nixd_2h7wmrm5eq1zo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636920/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636920; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.29] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636932; rev:1;)
alert tcp $HOME_NET any -> [47.94.197.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636931; rev:1;)
alert tcp $HOME_NET any -> [8.137.147.224] 8888 (msg:"ThreatFox Cobalt
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636933; rev:1;) alert tcp $HOME_NET any -> [149.56.190.183] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636934/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_08; classtype:trojan-activity; sid:91636934; rev:1;) alert tcp $HOME_NET any -> [39.97.51.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636935; rev:1;) alert tcp $HOME_NET any -> [41.251.52.112] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636936; rev:1;) alert tcp $HOME_NET any -> [91.92.242.95] 4000 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636937; rev:1;) alert tcp $HOME_NET any -> [44.244.204.235] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91636939; rev:1;) alert tcp $HOME_NET any -> [46.101.113.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636940; rev:1;) alert tcp $HOME_NET any -> [3.8.23.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636938; rev:1;) alert tcp $HOME_NET any -> [46.62.245.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636941; rev:1;) alert tcp $HOME_NET any -> [107.173.221.187] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636942; rev:1;) alert tcp $HOME_NET any -> [54.208.235.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636943; rev:1;) alert tcp $HOME_NET any -> [52.59.22.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636944; rev:1;) alert tcp $HOME_NET any -> [52.59.22.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636945; rev:1;) alert tcp $HOME_NET any -> [34.200.163.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.r0ckveil.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ojxk.r0ckveil.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f4vc.clearfog.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91637056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4h.clearfog.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weo.clearfog.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g60.1ronpath.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dvi.1ronpath.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5.1ronpath.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637051; rev:1;) alert tcp $HOME_NET any -> [83.217.208.189] 443 (msg:"ThreatFox Rhadamanthys botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637050; rev:1;) alert tcp $HOME_NET any -> [5.252.155.81] 58121 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637049; rev:1;) alert tcp $HOME_NET any -> [80.66.72.64] 443 (msg:"ThreatFox donut_injector botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4jx.mossowl.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637047; rev:1;) alert tcp $HOME_NET any -> [176.46.141.16] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"super-mega-shop-2025-online.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637045/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v5.mossowl.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637044; rev:1;) alert tcp $HOME_NET any -> [202.71.14.117] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637043; rev:1;) alert tcp $HOME_NET any -> [93.115.172.166] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637042; rev:1;) alert tcp $HOME_NET any -> [217.156.66.207] 5888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637041; rev:1;) alert tcp $HOME_NET any -> [80.97.160.208] 5888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"g7.mossowl.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637039; rev:1;)
# The "botnet C2 traffic (domain ...)" rules below are built exactly like the
# "payload delivery (domain ...)" rule above: same dns_query whole-name match,
# same classtype. The threat type is carried only in the msg text (and behind
# the reference URL), so triage that keys on classtype alone cannot tell the
# two apart.
# The names listed without a host label (livehostingers.shop,
# domendominator.shop) match only a query for exactly that name; depth plus
# "isdataat:!1,relative" means a query for a host under them is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.nostragand.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livehostingers.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637037; rev:1;)
alert tcp $HOME_NET any -> [78.159.156.87] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domendominator.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637035; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.183] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1637034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637034; rev:1;) alert tcp $HOME_NET any -> [176.46.141.22] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637033; rev:1;) alert tcp $HOME_NET any -> [193.23.199.125] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637032; rev:1;) alert tcp $HOME_NET any -> [94.74.164.203] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5rq9.t1nystar.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637030; rev:1;) alert tcp $HOME_NET any -> [176.65.132.69] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637029; rev:1;) alert tcp $HOME_NET any -> [80.97.160.155] 443 
(msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1637028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"policxu.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"organbq.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hermoae.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fatbaem.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auricpp.courses"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superko.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stronpn.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solemfk.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winter-snow.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saddlbo.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637017/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_08; classtype:trojan-activity; sid:91637017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluescm.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mw9k.t1nystar.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"84.t1nystar.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nync.g0ldnest.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3uv.g0ldnest.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"passkby.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thirskk.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upperat.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoseaza.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gentiax.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genusix.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1637008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biddyoz.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olibaeq.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auldlxm.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exterminal.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cb3yh.ic3gate.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91637002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"passkby.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1637001/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91637001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"75qk.ic3gate.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1637000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91637000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6ksj.ic3gate.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636999; rev:1;) alert tcp $HOME_NET any -> [160.202.133.137] 43269 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636997; rev:1;) alert tcp $HOME_NET any -> [88.214.50.113] 55888 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636998; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xa3q.dewroot.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636996; rev:1;) alert tcp $HOME_NET any -> [31.57.97.206] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636988; rev:1;) alert tcp $HOME_NET any -> [45.156.87.43] 5552 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636989; rev:1;) alert tcp $HOME_NET any -> [85.121.4.92] 1604 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636990; rev:1;) alert tcp $HOME_NET any -> [107.175.246.23] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636991; rev:1;) alert tcp $HOME_NET any -> [157.245.210.115] 6781 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636992/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636992; rev:1;)
# ip:port rules: there is no content match and no flow keyword, so any TCP
# packet from $HOME_NET to the listed address and port qualifies.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at
# one alert per source address per 60 seconds; target:src_ip marks the
# internal source as the affected host in the event record.
alert tcp $HOME_NET any -> [165.227.150.223] 5465 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636993; rev:1;)
alert tcp $HOME_NET any -> [172.245.246.82] 2000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636994; rev:1;)
alert tcp $HOME_NET any -> [188.137.178.184] 1488 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636995; rev:1;)
# Domain rules are exact-name matches: depth equals the content length and
# isdataat:!1,relative rejects any trailing byte, so only a query for
# exactly this name (case-insensitive) alerts. Other labels under the same
# parent domain need their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y714.dewroot.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636986; rev:1;)
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed-rn.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636979; rev:1;) alert tcp $HOME_NET any -> [143.92.32.222] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636977; rev:1;) alert tcp $HOME_NET any -> [185.208.158.217] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636978; rev:1;) alert tcp $HOME_NET any -> [47.108.197.82] 4434 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"saddlbo.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636975/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tungsahurchik228-49806.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"index-hall.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636974; rev:1;) alert tcp $HOME_NET any -> [194.68.45.100] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636971; rev:1;) alert tcp $HOME_NET any -> [45.58.183.18] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636972; rev:1;) alert tcp $HOME_NET any -> [23.228.66.219] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636963; rev:1;) alert tcp $HOME_NET any -> [104.152.54.52] 6667 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636964; rev:1;) alert tcp $HOME_NET any -> [199.71.214.87] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636965; rev:1;) alert tcp $HOME_NET any -> [172.83.156.122] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636966; rev:1;) alert tcp $HOME_NET any -> [186.233.185.155] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636967; rev:1;) alert tcp $HOME_NET any -> [94.125.182.255] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636968; rev:1;) alert tcp $HOME_NET any -> [45.88.202.250] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636969/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636969; rev:1;) alert tcp $HOME_NET any -> [185.243.218.59] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srd.n0rthw1nd.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ix1.undernet.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ix2.undernet.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashburn.va.us.undernet.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636958; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bucharest.ro.eu.undernet.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budapest.hu.eu.undernet.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chicago.il.us.undernet.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5h.n0rthw1nd.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9jc.n-0-rthw-1-nd.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"xpkyb.n-0-rthw-1-nd.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fnw9.n-0-rthw-1-nd.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3j6cb.ic0n1ctrove.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bynbv.ic0n1ctrove.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"59gwy.ic0n1ctrove.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cs4.starforged.ru"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1636930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"42s.starforged.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x5.starforged.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"microsharepolnt.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636927/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kocs45.916919.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636926/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"js.driftshad0w.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636925/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tz.driftshad0w.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3a.driftshad0w.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rfrz.emberharbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zz5.emberharbor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4v9.emberharbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2hk8u.drift-shad-0-w.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9zpya.drift-shad-0-w.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"i9.hiringimmediatelyjobs.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636914/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"i9.hiringimmediatelyjobs.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636913/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lasxz.drift-shad-0-w.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zt.ember-harbor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636911; rev:1;)
# --- DNS query rules: payload delivery domains (confidence_level 100) ---
# Each rule is an exact, case-insensitive match on the query name: depth equals
# the length of the content string and isdataat:!1,relative requires that no
# byte follows it, so subdomains of a listed name do not match.
# The header only covers queries leaving $HOME_NET for $EXTERNAL_NET.
# NOTE(review): where clients use a resolver inside $HOME_NET, the sensor
# presumably sees only the resolver's upstream query, and target:src_ip then
# marks the resolver rather than the querying host - confirm against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"te.ember-harbor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f7r3e.ember-harbor.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w0eh.copperlattice.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wk.copperlattice.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5vyg.copperlattice.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1rje.horizonbloom.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636904; rev:1;)
# --- ip:port rule: XWorm C2 (confidence_level 50) ---
# No flow or payload keyword is present, so any TCP packet from $HOME_NET to
# this address and port matches, including a connection attempt that never
# completes. An alert therefore shows an attempt to reach the endpoint, not an
# established C2 session; correlate with flow records before escalating.
# The threshold limits output to one alert per source every 60 seconds.
alert tcp $HOME_NET any -> [193.161.193.99] 48377 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636903/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636903; rev:1;)
# --- DNS query rules: botnet C2 hostnames under portmap.host (confidence_level 50) ---
# Same exact-match construction as the payload delivery rules above.
# NOTE(review): the number in "hiamego-48377" equals the destination port of
# sid 91636903; presumably both entries describe the same forwarded endpoint - verify.
# NOTE(review): portmap.host looks like a shared port-forwarding service, so a
# hostname or port may later be assigned to an unrelated user; use first_seen
# when deciding how long to keep these entries active.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"natsu213dz213-46328.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636900/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sawkech-38774.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636901/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hiamego-48377.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636902/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636902; rev:1;)
# --- URL rule: paste fetched from pastebin.com (confidence_level 50) ---
# Matches an established client-to-server GET whose Host is exactly
# "pastebin.com" and whose URI begins with "/raw/f7bahdd9". The URI match is
# anchored at the start by depth:13 but has no isdataat check, so a longer
# path or an appended query string also matches.
# NOTE(review): nocase on http.uri accepts every upper/lower-case variant of
# the path. Paste identifiers are presumably case-sensitive, so this can alert
# on unrelated pastes; the indicator is also stored in lower case here, so the
# original case may have been lost - confirm against the referenced IOC entry.
# NOTE(review): as an "alert http" rule this only inspects cleartext HTTP.
# Requests made over TLS are not visible to it unless traffic is decrypted
# upstream of the sensor, so the absence of alerts does not show the absence of access.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/f7bahdd9"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636899/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636899; rev:1;)
# --- ip:port rules: Remcos C2 (confidence_level 50) ---
# Same construction as the XWorm ip:port rule: header-only match on destination
# address and port, limited to one alert per source every 60 seconds. Treat a
# hit as a connection attempt and confirm with flow or endpoint data.
alert tcp $HOME_NET any -> [103.133.109.188] 1230 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636896/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636896; rev:1;)
alert tcp $HOME_NET any -> [198.23.175.60] 9898 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636897/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636897; rev:1;)
alert tcp $HOME_NET any -> [80.64.19.173] 5004 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636898/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636898; rev:1;)
# --- DNS query rule: botnet C2 hostname (confidence_level 50) ---
# Exact, case-insensitive match on the full query name.
# NOTE(review): kozow.com appears to be a dynamic-DNS parent domain; only this
# one hostname is listed, and other names under the same parent are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"enviojs2025.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636894/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goldmoney.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636895/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636887/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636888/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636889/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636890/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"zeaigfiagefagfzgi.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636891/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636892/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636893/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636863/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636867/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"urusurofhsorhfuuhu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636868/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636869/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636870/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.kz"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636883/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636884/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636885/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zeaigfiagefagfzgi.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636886/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636841/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636843/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636844/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636845/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636845; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636846/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636848/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636849/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636850/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"uoiaefnouegiajifj.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636855/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636856/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636857/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636858/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636859/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636861/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636862/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636820/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636821/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636822/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636823/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636824/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636825/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636826/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636827/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636828/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.mobi"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636829/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636830/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636831/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636832/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636833/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636834/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636835/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636837/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636838/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636839/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636839; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"uoiaefnouegiajifj.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636797/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636798/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636799/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636800/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"rohgoruhgsorhugih.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636801/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636802/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636803/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636804/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636805/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636806/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636807/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636808/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636809/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugsm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636810/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugsr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636811/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugss.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636812/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzhsudhugugfugugsu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636813/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636814/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636815/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636816/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636817/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636818/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siiifibiiegiiciib.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636819/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636773/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636774/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.kz"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636775/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636776/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636777/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636778/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636779/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636780/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636781/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636782/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636783/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636784/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636785/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636785; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636786/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636787/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636788/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636789/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636790/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"rohgoruhgsorhugih.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636791/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636792/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636793/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636794/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636795/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rohgoruhgsorhugih.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636796/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636750/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636751/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636753/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636754/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636755/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636756/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636757/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636758/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636759/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636760/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636761/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636762/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636763/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636764/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.be"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636765/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636766/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636767/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636768/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636769/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636770/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636771/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeihefoeaboeubfuo.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636772/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; 
sid:91636729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636732/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636733/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636737/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636738/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.be"; depth:20; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1636740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636740; rev:1;)
#
# ThreatFox "botnet C2 traffic" domain indicators, one rule per line.
# Every rule in this run carries confidence_level 50 and first_seen 2025_11_08.
#
# Match logic shared by each rule:
#   dns_query               - inspect the DNS query-name buffer only.
#   content + depth         - depth equals the length of the content string, so the
#                             match has to begin at the first byte of the buffer.
#   isdataat:!1,relative    - no byte may follow the match, so the name must also
#                             end there. Together this is an exact-name match:
#                             a query for a subdomain of a listed name does not fire.
#   nocase                  - the comparison ignores letter case.
#   target:src_ip           - the querying $HOME_NET host is recorded as the alert target.
#   sid                     - 9 followed by the ThreatFox IOC id from the reference URL.
#
# NOTE(review): the feed rates these at 50% confidence and the action is `alert`;
# corroborate a hit with other host or network telemetry before treating it as
# confirmed C2, and before promoting any of these to a blocking action.
# NOTE(review): the same 17-character label recurs under many TLDs, which looks like
# generated naming - presumably algorithmic; confirm against the ThreatFox IOC entries.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636741/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636742/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636743/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636744/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636745/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636746/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636747/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636748/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeboufanecoauegfe.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636749/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636715/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636723/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oeabocbeogoaehgoi.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636682/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636683/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636684/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636685/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636686/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636687/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636688/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636689/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636690/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636691/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636692/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636693/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636694/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636695/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636696/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636697/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636698/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636699/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oahefaefoehgfueuu.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636659/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636660/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636661/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636662/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636663/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636664/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636665/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636666/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636667/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636668/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636669/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636670/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636671/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636672/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636673/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636674/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636675/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636676/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636677/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636678/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636679/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636680/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iugeaifeifauegeai.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636681/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636637/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636638/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636639/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636640/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636641/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636642/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636643/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636644/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636645/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636646/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636647/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636648/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636649/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636650/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636651/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636652/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636653/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636654/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636655/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636656/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636657/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"iapghahpnpnapcipa.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636658/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636616/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.md"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636627/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636629/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636630/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636631/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636632/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636633/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636634/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636635/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huaeokaefoaeguaehl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636636/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636636; 
rev:1;)
# The names below come in series that share a long label and differ only in its
# last letter and the TLD (...ugs.top / ...ugu.cc, ...utl.co / ...utm.to / ...utr.su).
# NOTE(review): that looks algorithmically generated -- confirm on the linked
# ThreatFox entries. Because each rule matches one exact name, a sibling name
# the feed has not listed raises no alert; keep the ruleset current and treat
# the confidence_level 50 rating as a lead to correlate, not a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636596/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"gaoheeuofhefefhuts.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoheeuofhefefhutu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636602/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaohrhurhuhruhfsdu.cc"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1636604/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636605/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636606/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrss.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636607/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaouehaehfoaeajrsu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636608/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiim.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636609/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_11_08; classtype:trojan-activity; sid:91636609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiir.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636610/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiis.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636611/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"geauhouefheuutiiiu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636612/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636613/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"goiaegodbuebieibg.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636614/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636614; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636571; rev:1;)
# target:src_ip records the $HOME_NET host that sent the query as the alert's
# target. NOTE(review): where clients resolve through an internal recursive
# resolver, the sensor presumably sees the resolver's address here rather than
# the endpoint's -- correlate with resolver query logs to find the originating
# host before acting on the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636573/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"eoahegohaeohgeehr.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1636581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91636586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefijs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaghpaheiafhjefiju.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaoehuoaoefhuhfugr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.ru"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636556/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahss.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eguaheoghouughahsu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636561; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"eoahegohaeohgeehr.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636567; rev:1;)
# Reading these signatures: each one alerts on a DNS query from $HOME_NET to
# $EXTERNAL_NET whose name is exactly the listed domain. `depth` equals the
# domain's length, so the content must start at the first byte of the query
# name; `isdataat:!1,relative` requires that nothing follows it; `nocase`
# ignores letter case. A lookup of a subdomain of a listed name therefore
# does not match.
# `target:src_ip` marks the querying host as the affected side in the event.
# NOTE(review): where clients resolve through an internal forwarder, the
# source address seen by the sensor is presumably that resolver rather than
# the endpoint - confirm against sensor placement and correlate with
# resolver logs.
# The entries below carry confidence_level 50. An alert shows that a name was
# looked up, not that a session was established; triage accordingly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoahegohaeohgeehr.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeuds.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaeuafhuaegfugeudu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eghoabeogbuaeofua.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"befaheaiudeuhughgs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfail.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfaim.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfair.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfais.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bfagzzezgaegzgfaiu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"daedagheauehfuuhfs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636487/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636489/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636490/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"auoegfiaefuageudn.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifis.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifiu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636481/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ageihehaioeoaiegj.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhusm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636440/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhusr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636441/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhusu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636442/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636443/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636445/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehds.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636446/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoughaoheguaoehdu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636447/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636448/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636449/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636450/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeufuaehfiuehfuhfu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636452/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafm.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636454/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafr.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636455/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafs.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636456/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaeigaifgsgrhhafu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636457/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifil.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636458/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifim.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636459/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afaigaeigieufuifir.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636460/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636418/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636419/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636420/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636421/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.md"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636422/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636423/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636424/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636425/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636426/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636427/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636428/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636429/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636430/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636431/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636432/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636432; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636433/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiel.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636434/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiiem.to"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636435/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiier.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636436/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aegohaohuoruitiies.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636437/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"aegohaohuoruitiieu.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636438/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeifaeifhutuhuhusl.co"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.kz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636396/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.lu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636397/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.md"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636398/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.mobi"; depth:22; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636399/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.name"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636400/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636401/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636402/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.pl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636403/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.ro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636404/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636406/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.ua"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636407/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.ws"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636408/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636409/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636410/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636411/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636412/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636413/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636414/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.gr"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636415/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636415; rev:1;)
# DNS IOC rules, restored to one rule per line. Each one matches a single exact query name:
# depth equals the length of the content string and isdataat:!1,relative requires that nothing
# follows it, so a subdomain or a longer name that merely contains the IOC does not match.
# The same label appears under several TLDs as separate sids; a TLD the feed has not listed
# is not covered by these rules.
# confidence_level 50 is the feed's own rating: treat a hit as a lead to corroborate
# (resolver logs, endpoint telemetry) before acting on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636416/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aefobfboabobfaoua.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636417/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636384/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.be"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636385/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636386/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636387/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636388/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.es"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636389/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636390/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.gr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636391/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636391; 
rev:1;)
# DNS IOC rules, restored to one rule per line. Each matches one exact query name (depth equals
# the content length; isdataat:!1,relative forbids trailing bytes), so subdomains do not match.
# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET with target:src_ip. Where clients use a
# resolver inside $HOME_NET, the sensor may only see the resolver's upstream query and would
# report the resolver as the source - confirm sensor placement and correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636392/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636393/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.ir"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636394/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abvainvienvaiebai.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636395/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636395; rev:1;)
# From here the feed switches from DNS rules to "url" IOCs expressed as HTTP rules.
# The http.uri match is only a leading "/" (depth:1), which any GET for an absolute path
# satisfies, so the rule effectively fires on every GET whose Host equals the IOC exactly.
# This is an app-layer http rule; the same host reached over TLS is not inspected by it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636383/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636383; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636372/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636373/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636374/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugss.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"rzhsudhugugfugugsu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636376/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636376; rev:1;)
# HTTP "url" IOC rules, restored to one rule per line. The selective part is the http.host
# match: depth equals the host length and isdataat:!1,relative forbids trailing bytes, so only
# that exact host matches. http.method "GET" plus http.uri "/" (depth:1) add almost no
# selectivity - any GET for a path beginning with "/" on that host raises the alert.
# The http.host content carries no nocase; Suricata lowercases this buffer, so the
# lowercase pattern is what is compared.
# confidence_level 50 is the feed's own rating: corroborate a hit (proxy logs, DNS history,
# endpoint telemetry) before treating the source host as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rzhsudhugugfugugsz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636377/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thaus.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636378/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636379/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636380/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91636380; rev:1;)
# The line above is the tail of a rule that begins earlier on the page.
#
# ThreatFox "botnet C2 traffic" URL indicators, one rule per indicator. Each rule
# alerts on HTTP from $HOME_NET to $EXTERNAL_NET (established flow, client side) when:
#   - the http.method buffer contains "GET",
#   - the http.uri buffer starts with "/" (content:"/"; depth:1), and
#   - the http.host buffer is exactly the listed host: depth equals the host's
#     length and isdataat:!1,relative requires that no byte follows the match.
# The URI test pins no path, so the host alone decides the match even though msg
# labels the indicator as "url"; nocase has no effect on "/".
# NOTE(review): no content here is marked fast_pattern, so the engine picks the
# prefilter pattern itself - confirm it selects the host string, not "GET" or "/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636381/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"urusurofhsorhfuuhu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636382/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiis.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636363/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiiu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiiz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636368/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636369/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636370/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huaeokaefoaeguaehz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636371/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636355/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636356/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrss.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636357/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaouehaehfoaeajrsz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiil.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiim.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"geauhouefheuutiiir.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636362; rev:1;)
# The rule below continues on the next line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636344/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636344; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the page.
#
# Every rule in this run uses one template: GET request, URI starting with "/",
# exact http.host match on the listed name. metadata confidence_level 50 (also in
# msg) is the feed's own rating, so a hit is a lead to corroborate with other
# telemetry rather than a verdict. target:src_ip marks the internal client as the
# target in alert output, which is the host to triage.
# NOTE(review): these are "alert http" rules, so they only see traffic the HTTP
# parser handles; HTTPS or DNS activity for the same names is not covered here -
# confirm whether the feed also ships tls/dns rules for these hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhuts.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636345/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636346/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636348/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636350/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsds.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaohrhurhuhruhfsdu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefiju.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636339/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636340/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoehuoaoefhuhfugz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaoheeuofhefefhutm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636325/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636326/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636326; rev:1;)
# The rule below continues on the next line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahss.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636327/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636327; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the page.
#
# The hosts in this run fall into families: a shared 17-character stem followed by
# one of six endings - l.co, m.to, r.su, s.top, u.cc, z.io (the eaeuafhuaegfugeud*
# names below show all six). Each name gets its own exact-match rule: depth is 21
# for the two-letter TLDs and 22 for .top, matching the full host length.
# NOTE(review): the regular stem/ending layout suggests generated names; these
# rules cover only the names listed, so a stem or ending outside this list will
# not alert - pair them with DNS/proxy log review when hunting this activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eguaheoghouughahsz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636331/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gaghpaheiafhjefijs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636315/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636316/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636317/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636318/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636319/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636320/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeuds.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636321/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaeuafhuaegfugeudz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfail.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaim.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfair.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfais.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaiu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636310; rev:1;)
# The rule below continues on the next line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bfagzzezgaegzgfaiz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636311/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636311; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the page.
#
# Each rule's sid is the ThreatFox IOC id from its reference URL with a leading 9
# (ioc/1636312/ -> sid:91636312), and every rule here is rev:1. The reference URL
# is the place to look up the indicator's context when an alert fires.
# NOTE(review): the file header carries a "Last updated" stamp, so these lines look
# generated; keep local tuning (disable, suppress, threshold) in sid-keyed config
# rather than editing the rules, so the next feed refresh does not undo it.
# first_seen 2025_11_08 is the only age signal in the rule; C2 hostnames go stale,
# so check the indicator's current status before acting on an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"daedagheauehfuuhfr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifim.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636295/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifir.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636296/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifis.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636297/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifiu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636298/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifiz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636299/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636300/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636301/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636302/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636303/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"befaheaiudeuhughgu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636304/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636285/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636286/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636287/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636288/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636289/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636290/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafs.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636291/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636292/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636292; rev:1;)
# The rule below continues on the next line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaeigaifgsgrhhafz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636293/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"afaigaeigieufuifil.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636294/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636276/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636277/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636278/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehds.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636279/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636280/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoughaoheguaoehdz.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636281/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfl.co"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1636282/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636283/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeufuaehfiuehfuhfr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636284/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiem.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636265/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiier.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636266/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636266; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiies.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636267/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiieu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636268/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiez.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636269/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusl.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636270/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"aeifaeifhutuhuhusm.to"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636271/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusr.su"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636272/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhuss.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636273/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeifaeifhutuhuhusu.cc"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aegohaohuoruitiiel.co"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636264/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_08; classtype:trojan-activity; sid:91636264; rev:1;)
# --- Domain indicators (alert dns) ---
# The dns_query content is anchored at both ends: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so only a query for exactly the listed
# name matches (case-insensitively, via nocase). A subdomain of a listed name does not
# match.
# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET with target:src_ip. Where
# clients use a resolver inside $HOME_NET, the alert source is presumably the
# resolver, not the querying host; correlate with resolver logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cqf47.horizonbloom.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seznam.accesscam.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636262/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rony.publicvm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636261/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636261; rev:1;)
# --- URL indicators on api.telegram.org ---
# The http.uri content is a "/bot<id>:<secret>/" path prefix, stored in lower case and
# matched with nocase; depth equals the content length, so the URI must start with it,
# and anything may follow. The host alone is not an indicator here; the specific path
# is what identifies the traffic.
# NOTE(review): api.telegram.org is normally reached over HTTPS, so these alert http
# rules presumably fire only where the sensor sees decrypted traffic. Confirm
# visibility before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot5477996112:aahfnfzff6lpd1lkgcmu64s9ngrtyzvbcsa/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636259/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8297071814:aahqyvkue0vgfldi5g3etjdzffbp0s7n0wc/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636260/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636260; rev:1;)
# --- URL indicators on an S3-style host ---
# sids 91636257, 91636258 and 91636256 carry identical match options (same URI prefix,
# same exact host) and differ only in reference id and sid, so one matching request
# raises three alerts.
# NOTE(review): presumably the underlying ThreatFox entries differed in a detail lost
# during rule generation; verify against the referenced IOC pages before
# de-duplicating.
# The exact-host anchor limits the match to this one bucket-style host name, not to
# amazonaws.com in general.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hni5tbx"; depth:8; nocase; http.host; content:"standard-analytics-endpoint-54.s3.ca-central-1.amazonaws.com"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636257/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hni5tbx"; depth:8; nocase; http.host; content:"standard-analytics-endpoint-54.s3.ca-central-1.amazonaws.com"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636258/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hni5tbx"; depth:8; nocase; http.host; content:"standard-analytics-endpoint-54.s3.ca-central-1.amazonaws.com"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636256/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636256; rev:1;)
# URL indicator whose host is a literal IP address: matches only when the http.host
# buffer is exactly that address and the URI begins with the listed .php path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1efdd996aae4f49.php"; depth:21; nocase; http.host; content:"178.236.252.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636255/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6lz.horizonbloom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636254; rev:1;)
# Host-only HTTP match: the http.uri condition (content:"/" at depth 1) is satisfied
# by any request path, so every GET to this host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"123123123.asia"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636253/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_08; classtype:trojan-activity; sid:91636253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gk.silversummit.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636252; rev:1;)
# --- IP:port indicators (alert tcp) ---
# These rules have no flow, application-layer or payload keyword: any TCP packet from
# $HOME_NET to the listed address and port matches. threshold limits output to one
# alert per source address per 60 seconds.
# A hit shows contact with the address, not a confirmed malware protocol. Weigh it by
# confidence_level and first_seen, and age these entries out, since an address
# (especially on port 443) can be shared or reassigned.
alert tcp $HOME_NET any -> [40.160.60.97] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636251/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636251; rev:1;)
alert tcp $HOME_NET any -> [40.160.53.203] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636250/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; 
classtype:trojan-activity; sid:91636250; rev:1;)
# --- IP:port indicators (alert tcp) ---
# The tcp rules in this section have no flow, application-layer or payload keyword:
# any TCP packet from $HOME_NET to the listed address and port matches, and threshold
# limits output to one alert per source address per 60 seconds.
# A hit shows contact with the address, not a confirmed malware protocol. Weigh it by
# confidence_level and first_seen, and age these entries out, since an address
# (especially on ports 80 and 443) can be shared or reassigned.
alert tcp $HOME_NET any -> [34.202.63.188] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636249/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636249; rev:1;)
alert tcp $HOME_NET any -> [183.232.157.70] 46657 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636248/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636248; rev:1;)
alert tcp $HOME_NET any -> [158.69.52.200] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636247/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636247; rev:1;)
alert tcp $HOME_NET any -> [103.161.255.216] 20493 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636246/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636246; rev:1;)
# --- Domain indicators (alert dns) ---
# The dns_query content is anchored at both ends (depth equals the content length,
# isdataat:!1,relative forbids trailing bytes), so only a query for exactly the listed
# name matches, case-insensitively. Several names share a parent domain; other labels
# under the same parent are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geskw.silversummit.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swa.silversummit.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7b9o0.fr0stp1llar.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8eq.fr0stp1llar.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lkyb.fr0stp1llar.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636241; rev:1;)
alert tcp $HOME_NET any -> [192.30.240.101] 1287 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636240/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gqu3.brightvoyage.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636239; rev:1;)
# The remaining tcp rules carry confidence_level 100 but are still address-and-port
# matches only; the malware family in msg comes from the feed, not from anything
# inspected on the wire.
alert tcp $HOME_NET any -> [196.251.87.155] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636238; rev:1;)
alert tcp $HOME_NET any -> [63.177.93.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636237; rev:1;)
alert tcp $HOME_NET any -> [45.155.69.224] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636236; rev:1;)
alert tcp $HOME_NET any -> [18.230.45.123] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636235; rev:1;)
alert tcp $HOME_NET any -> [47.108.74.39] 4434 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mreow.store"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mreow.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zkefi.brightvoyage.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medialito.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmcare.help"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gtjoin.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636232/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitsoap.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"framestove.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plasticstem.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bloodscarf.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.brightvoyage.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636223; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solomand.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"solomand.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"solomand.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chrmeupdate.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelnoased.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; 
sid:91636120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"pixelnoased.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"pixelnoased.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"journeywekk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"journeywekk.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; 
http.host; content:"journeywekk.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636126; rev:1;)
# Domain indicators. Each rule matches a DNS query whose name is exactly the listed
# string, case-insensitively: depth equals the name's length and isdataat:!1,relative
# rejects trailing bytes. A query for the parent zone or for another label under it
# does not match, so each host name needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.emberkranz.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636222; rev:1;)
# Labelled "botnet C2 traffic" rather than "payload delivery". Only the files. host is
# matched, not the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.parsonspaving.ca"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636057; rev:1;)
# Confidence level 75. The lower confidence appears only in msg and in
# metadata confidence_level; classtype is the same as the 100% rules and no priority
# keyword is set. Anything that should treat this alert differently has to key on the
# metadata value.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capckutapk.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636080/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glut.emberkranz.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"feuer.emberkranz.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636192/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spark.flintwerder.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rauch.flintwerder.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stein.flintwerder.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.zirconweg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.zirconweg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636187; 
rev:1;)
# Domain indicators: exact, case-insensitive match on the full DNS query name
# (depth = length of the name, isdataat:!1,relative rejects trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pfad.zirconweg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grat.citrinewald.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636185; rev:1;)
# URL indicator: GET whose URI starts with /index.php on exactly this host. The path
# is generic, so the http.host match is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"maskofmistery.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636184; rev:1;)
# NOTE(review): likely ineffective as written. The only content match is "anfesq.com"
# in http.uri with depth:10, so the request URI must begin with that string, and there
# is no http.host match. The value looks like a host name, not a path (presumably the
# indicator was submitted without scheme or path; confirm against the reference). An
# ordinary request URI starts with "/", so this rule would not fire for traffic to that
# host. If confirmed, the form used by the sibling url rules is
#   http.host; content:"anfesq.com"; depth:10; isdataat:!1,relative;
# kept in a local rule under its own sid (sid:<LOCAL_SID>) so a feed refresh does not
# overwrite it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"anfesq.com"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1636183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636183; rev:1;)
# ip:port indicator. No payload, app-layer or flow keyword: the match is on destination
# address and port only, and is not limited to established sessions. threshold type
# limit / track by_src / count 1 / seconds 60 caps output at one alert per source host
# per minute. An address can change hands; first_seen in metadata is the only age
# information the rule carries.
alert tcp $HOME_NET any -> [85.192.42.92] 300 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"licht.citrinewald.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amber.citrinewald.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bach.jasperhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rune.jasperhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.jasperhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glow.rubyraum.ru"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"raum.rubyraum.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ruby.rubyraum.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gruen.jadeecke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ecke.jadeecke.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jade.jadeecke.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636171/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636171; rev:1;)
# ip:port indicators. These rules match on destination address and port alone: there
# is no content, app-layer buffer or flow keyword, so the alert says "a host in
# $HOME_NET sent TCP to this endpoint", not "this malware protocol was observed". The
# family name in msg comes from the feed, not from anything inspected on the wire.
# threshold type limit, track by_src, count 1, seconds 60: at most one alert per source
# host per 60 seconds, so alert counts do not reflect connection counts.
# NOTE(review): an address can be reassigned after first_seen; check the date and the
# reference before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [3.96.200.29] 35057 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636170; rev:1;)
alert tcp $HOME_NET any -> [16.62.85.86] 2181 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636169; rev:1;)
alert tcp $HOME_NET any -> [47.243.131.179] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636168; rev:1;)
# Destination port 80: still a plain tcp rule, so no HTTP field is inspected. Any TCP
# traffic to this address on port 80 matches, whatever host name or path is requested.
alert tcp $HOME_NET any -> [20.196.129.27] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636167; rev:1;)
# Domain indicator: exact, case-insensitive match on the full DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.hawkmast.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636166; rev:1;)
alert tcp $HOME_NET any -> [143.92.32.177] 2404 (msg:"ThreatFox Remcos botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636165; rev:1;) alert tcp $HOME_NET any -> [113.45.205.53] 8182 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mast.hawkmast.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hawk.hawkmast.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nacht.owlflug.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flug.owlflug.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636160/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0er.owlflug.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0ver.heronturm.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"23.heronturm.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1on.heronturm.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"segel.pumaschiff.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636155; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"schiff.pumaschiff.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636154; rev:1;) alert tcp $HOME_NET any -> [123.53.36.194] 54002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636153/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_08; classtype:trojan-activity; sid:91636153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"puma.pumaschiff.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"claw.tigerzaun.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zaun.tigerzaun.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"tiger.tigerzaun.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flug.cranezeit.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zeit.cranezeit.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crane.cranezeit.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternal_httpapimultiwpdlepublic.php"; depth:44; nocase; http.host; content:"446195cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"wolke.cloudkreis.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kreis.cloudkreis.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud.cloudkreis.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sturm.rainrad.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rad.rainrad.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rain.rainrad.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1636139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.otterweg.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weg.otterweg.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"otter.otterweg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stein.badgerfels.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636135; rev:1;) alert tcp $HOME_NET any -> [45.153.34.5] 1911 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; 
sid:91636134; rev:1;) alert tcp $HOME_NET any -> [15.161.127.193] 6316 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636132; rev:1;) alert tcp $HOME_NET any -> [15.206.91.105] 1098 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636133; rev:1;) alert tcp $HOME_NET any -> [54.152.7.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636131; rev:1;) alert tcp $HOME_NET any -> [5.101.82.49] 57742 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_08; classtype:trojan-activity; sid:91636130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fels.badgerfels.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"badger.badgerfels.ru"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"feld.harewinkel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winkel.harewinkel.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hare.harewinkel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wald.martenhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636114; rev:1;) alert tcp $HOME_NET any -> [51.15.142.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636113/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636113; rev:1;)
# ip:port indicators with no malware family named (msg says "Unknown malware"), all on
# destination port 443. The rules match address and port only: no TLS field (SNI,
# certificate) and no flow state is checked, so a hit shows only that a $HOME_NET host
# sent TCP to that endpoint.
# NOTE(review): if any of these addresses also serves unrelated sites, ordinary HTTPS
# to it will alert as well; corroborate with TLS or DNS logs for the same source and
# time before acting.
# The threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [212.15.188.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636111; rev:1;)
alert tcp $HOME_NET any -> [135.171.155.254] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636112; rev:1;)
alert tcp $HOME_NET any -> [34.57.216.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636109; rev:1;)
alert tcp $HOME_NET any -> [141.94.207.199] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636110; rev:1;)
alert tcp $HOME_NET any -> [52.203.125.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636107; rev:1;)
alert tcp $HOME_NET any -> [185.95.165.36] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636108; rev:1;) alert tcp $HOME_NET any -> [36.154.179.148] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636106; rev:1;) alert tcp $HOME_NET any -> [3.254.128.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636105; rev:1;) alert tcp $HOME_NET any -> [122.116.50.142] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636104; rev:1;) alert tcp $HOME_NET any -> [78.73.2.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636102; rev:1;) alert tcp $HOME_NET any -> [1.36.91.188] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91636103; rev:1;) alert tcp $HOME_NET any -> [191.8.225.71] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636101; rev:1;) alert tcp $HOME_NET any -> [147.45.45.12] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636100; rev:1;) alert tcp $HOME_NET any -> [111.228.55.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hain.martenhain.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marten.martenhain.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"pfad.stoatgasse.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stoat.stoatgasse.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gasse.stoatgasse.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"peak.eaglekrone.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"krone.eaglekrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adler.eaglekrone.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1636091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufer.wrenhafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hafen.wrenhafen.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wren.wrenhafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eiche.boargrund.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wild.boargrund.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91636086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hain.boargrund.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heath.beechmoor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moor.beechmoor.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636083; rev:1;) alert tcp $HOME_NET any -> [147.45.147.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636082/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_07; classtype:trojan-activity; sid:91636082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"birch.beechmoor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"fluss.nickelweide.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wald.nickelweide.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"erz.nickelweide.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4q.rubyraum.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frost.icylotus.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eis.icylotus.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636074; rev:1;) alert tcp $HOME_NET any -> [141.227.137.121] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636073; rev:1;) alert tcp $HOME_NET any -> [172.177.254.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636072; rev:1;) alert tcp $HOME_NET any -> [104.250.169.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636070; rev:1;) alert tcp $HOME_NET any -> [129.212.186.153] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636071; rev:1;) alert tcp $HOME_NET any -> [38.207.191.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636069; rev:1;) alert tcp $HOME_NET any -> [103.236.77.35] 4433 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636068; rev:1;) alert tcp $HOME_NET any -> [107.189.31.239] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636067; rev:1;) alert tcp $HOME_NET any -> [144.172.109.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weave.m00nweaver.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nacht.m00nweaver.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gale.m00nweaver.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1636063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mond.m00nweaver.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mist.1ittleriver.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern.1ittleriver.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fluss.1ittleriver.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oak.1ittleriver.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91636058; rev:1;)
# The dns rules below anchor the query name at both ends: depth equals the
# length of the content string, and isdataat:!1,relative rejects any byte after
# the match. Only the exact name matches (case-insensitively, via nocase); a
# query for a subdomain of one of these names is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0sebioom.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ciearstream.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"whisper-lake.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636054; rev:1;)
# The ip:port rules below have no flow or content condition, so they match on
# destination address and port alone. The threshold (type limit, track by_src,
# count 1, seconds 60) caps each rule at one alert per source host per minute.
# An alert shows traffic toward the indicator, not a confirmed C2 session.
# These two carry confidence_level 75 rather than 100.
# NOTE(review): consider triaging them at lower priority and checking the
# referenced ThreatFox entry before acting, since an address:port pair can
# outlive its malicious use.
alert tcp $HOME_NET any -> [91.92.243.56] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636053/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636053; rev:1;)
alert tcp $HOME_NET any -> [54.220.26.199] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636052/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"silent-grove.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636051; rev:1;) alert tcp $HOME_NET any -> [40.160.55.226] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636049/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636049; rev:1;) alert tcp $HOME_NET any -> [40.160.57.149] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636050/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636050; rev:1;) alert tcp $HOME_NET any -> [212.95.55.121] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636048/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636048; rev:1;) alert tcp $HOME_NET any -> [209.17.118.59] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636047/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"copperwerft.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91636046; rev:1;) alert tcp $HOME_NET any -> [193.143.1.216] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636044/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636044; rev:1;) alert tcp $HOME_NET any -> [193.168.197.76] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636045/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636045; rev:1;) alert tcp $HOME_NET any -> [186.169.48.188] 5061 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636043/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636043; rev:1;) alert tcp $HOME_NET any -> [139.59.246.150] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636042/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"neonheide.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636041; rev:1;) alert tcp $HOME_NET any -> [121.127.34.144] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1636040/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91636040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thunderforst.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flintwiese.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solarfracht.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zephyrsteg.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironbucht.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636035; 
rev:1;)
# Several dns rules in this run name hosts under ply.gg, ddns.net and
# localto.net, which appear to be shared tunnelling / dynamic-DNS parent
# domains. Each rule matches the full hostname exactly (depth equals the
# content length, isdataat:!1,relative forbids trailing bytes), so other
# hostnames under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adult-understanding.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636034; rev:1;)
# The two ValleyRAT rules below share one destination address and differ only
# in port (53 and 90). Both are plain tcp rules with no flow or content
# condition, so the port 53 rule matches any TCP traffic from $HOME_NET to that
# address on 53, whatever the payload.
# NOTE(review): an egress policy limiting outbound port 53 to approved
# resolvers would complement this detection.
alert tcp $HOME_NET any -> [23.249.28.195] 53 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636033; rev:1;)
alert tcp $HOME_NET any -> [23.249.28.195] 90 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636032; rev:1;)
# URL rule: requires an established client-to-server flow, method GET, a URI
# that begins with "/api" and an exact Host value. The URI match is anchored at
# the start only (depth:4 and no isdataat after it), so any path beginning with
# /api on this host matches. There is no threshold on this rule, so every
# matching request alerts. The rule inspects HTTP buffers, so it applies only
# where the request is visible to the sensor as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"olibaeq.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636031; rev:1;)
alert tcp $HOME_NET any -> [135.181.161.150] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markaug.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abstract-intake.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpykaug5o.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636027; rev:1;)
# Payload-delivery domains: same exact-name matching as above, so subdomains
# of these names are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brassufer.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"starmarkt.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beartor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1636024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636024; rev:1;) alert tcp $HOME_NET any -> [108.187.7.143] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quartzdamm.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"peridotgarten.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"berylhammer.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"garnetschmiede.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91636019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebonyecke.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pearlkrone.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"duskpfad.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dawnanker.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mistgraben.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"astralwiese.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maplequelle.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cedarhafen.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orbitkamm.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636010; rev:1;) alert tcp $HOME_NET any -> [91.99.153.95] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ik.fabiankorte.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636007/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636007; rev:1;)
# Exact-name dns rule: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only this full hostname matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.hiringimmediatelyjobs.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1636008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636008; rev:1;)
# URL rules for the two hostnames that dns rules sid:91636007 and sid:91636008
# also cover. The URI condition is content:"/" with depth:1, which any URI
# beginning with "/" satisfies, so these rules effectively match on GET plus
# an exact Host value over an established client-to-server flow. They have no
# threshold, so each matching request alerts.
# NOTE(review): http.host is matched without nocase; Suricata documents that
# buffer as lowercase-normalized, so lowercase content is the expected form.
# The rules inspect HTTP buffers, so they apply only where the request is
# visible to the sensor as HTTP; the dns rules cover name resolution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ik.fabiankorte.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qq.hiringimmediatelyjobs.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1636006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636006; rev:1;)
# ip:port rules: matched on destination address and port only, limited to one
# alert per source host per 60 seconds by the threshold keyword.
alert tcp $HOME_NET any -> [84.154.189.250] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636004; rev:1;)
alert tcp $HOME_NET any -> [155.94.163.48] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636002/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636002; rev:1;) alert tcp $HOME_NET any -> [149.248.76.152] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636003; rev:1;) alert tcp $HOME_NET any -> [65.109.146.101] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636001; rev:1;) alert tcp $HOME_NET any -> [95.9.236.210] 1000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1636000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91636000; rev:1;) alert tcp $HOME_NET any -> [212.11.64.126] 5050 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635999; rev:1;) alert tcp $HOME_NET any -> [197.246.198.177] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635998; rev:1;) alert tcp $HOME_NET any -> [146.70.67.50] 6156 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635997; rev:1;) alert tcp $HOME_NET any -> [38.147.170.204] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basaltstern.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mossufer.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prismboden.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ravenwehr.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635992/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thistletal.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"embergrund.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0thlake.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"br1mbay.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"giowrust.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1w2w.js"; depth:8; nocase; http.host; content:"virtvan.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635964; rev:1;)
# Domain IOC rule: depth equals the name length and isdataat:!1,relative requires the
# dns_query buffer to end there, so only a query for exactly this name alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"virtvan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635965; rev:1;)
# URL IOC rules: http.host must equal the listed value exactly, but the http.uri content is
# anchored only at the start (depth equals its length, with no isdataat after it) and nocase
# makes it case-insensitive. The URI condition is therefore a prefix match: a constructed
# example such as "/js.php?id=1" satisfies the first rule, and any path beginning with "/on"
# satisfies the second. Triage hits with the full requested URI from the HTTP log.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"virtvan.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/on"; depth:3; nocase; http.host; content:"206.166.251.184"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ic3hill.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redfern.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quietwhite.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fox3den.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormoak.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1nefour.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"agatehof.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjordkante.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mesaweide.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glyphsteg.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"runesonne.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"topazrand.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635975/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"canyonsturm.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spruceinsel.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kestrelwinkel.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pinezirkel.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"valeschild.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635970; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"auricklang.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oasisfuchs.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kilnberg.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lynxdelta.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grovebach.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xin.hc666.bond"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635960; rev:1;) alert tcp $HOME_NET any -> [114.66.50.239] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635950; rev:1;) alert tcp $HOME_NET any -> [103.100.170.134] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635951; rev:1;) alert tcp $HOME_NET any -> [112.121.167.250] 1667 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635952; rev:1;) alert tcp $HOME_NET any -> [114.66.50.239] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635953; rev:1;) alert tcp $HOME_NET any -> [103.100.170.134] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635954; rev:1;) alert tcp 
$HOME_NET any -> [91.92.242.115] 81 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635955; rev:1;) alert tcp $HOME_NET any -> [151.243.95.164] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635956; rev:1;) alert tcp $HOME_NET any -> [103.176.197.134] 90 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635957; rev:1;) alert tcp $HOME_NET any -> [43.163.83.81] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635958; rev:1;) alert tcp $HOME_NET any -> [129.226.156.129] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635959; rev:1;) alert tcp $HOME_NET any -> [112.196.218.3] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635942/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635942; rev:1;) alert tcp $HOME_NET any -> [103.86.44.185] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635943; rev:1;) alert tcp $HOME_NET any -> [103.86.44.185] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635944; rev:1;) alert tcp $HOME_NET any -> [137.220.156.16] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635945; rev:1;) alert tcp $HOME_NET any -> [38.12.22.122] 433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635946; rev:1;) alert tcp $HOME_NET any -> [114.66.50.239] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635947; rev:1;) alert tcp $HOME_NET any -> [112.121.167.250] 1666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635948; rev:1;) alert tcp $HOME_NET any -> [103.176.197.134] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635949; rev:1;) alert tcp $HOME_NET any -> [103.86.46.39] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635932; rev:1;) alert tcp $HOME_NET any -> [137.220.156.16] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635933; rev:1;) alert tcp $HOME_NET any -> [103.86.46.39] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635934; rev:1;) alert tcp $HOME_NET any -> [137.220.156.16] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635935; 
rev:1;) alert tcp $HOME_NET any -> [38.47.221.20] 6688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635936; rev:1;) alert tcp $HOME_NET any -> [112.196.218.3] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635937; rev:1;) alert tcp $HOME_NET any -> [103.86.47.226] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635938; rev:1;) alert tcp $HOME_NET any -> [103.86.44.185] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635939; rev:1;) alert tcp $HOME_NET any -> [112.196.218.3] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635940; rev:1;) alert tcp $HOME_NET any -> [103.86.46.39] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1635941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635941; rev:1;)
# ip:port IOC rule: with no flow or payload condition, any TCP packet from $HOME_NET to this
# address and port matches, including an unanswered SYN; the threshold caps output at one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.212] 10876 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635929; rev:1;)
# Domain IOC rule: depth equals the length of the full hostname and isdataat:!1,relative
# requires the dns_query buffer to end there, so only this exact hostname alerts.
# NOTE(review): the parent domain looks like a shared tunnelling or dynamic-DNS service;
# other hostnames under it are not matched by this rule. Confirm before blocking the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updated-odds.gi.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635930; rev:1;)
alert tcp $HOME_NET any -> [103.86.47.226] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635931; rev:1;)
# The msg of these domain rules names no malware family; the reference URL leads to the
# ThreatFox entry for that context.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adsdadadad.ddnsgeek.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajshgdhjfgasthjydyufasghjfdafsgudgfhjasgfjh.satyr.wtf"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635927; rev:1;) alert tcp $HOME_NET any -> [107.148.12.75] 8888 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mistermal.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"report.nullrouted.wtf"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boratfiction.vipcncnetwork.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paratodos.spamhaussupport.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psycholife.accessdennied.uk"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635917; rev:1;)
# Domain IOCs (alert dns): every rule in this family anchors the whole query name.
# `depth` equals the length of `content` and `isdataat:!1,relative` requires that no
# byte follows the match, so only the exact FQDN alerts (case-insensitively, via
# `nocase`); the parent zone and sibling hostnames do not. Many names in this section
# sit under zones that look like shared dynamic-DNS or tunnelling services
# (duckdns.org, no-ip.org, zapto.org, gl.at.ply.gg), so the exact-match anchoring is
# what keeps unrelated hosts in those zones from alerting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahahahahahajs.unproxy.st"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"convac123.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morte.redirectme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1saadqdwdqd.camdvr.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdkdakd.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botevecc.boteve.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewwfwedd.ooguy.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdsksdkldsd.accesscam.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635925; rev:1;)
# URL IOCs (alert http): client-to-server GET on an established flow. The URI match is
# a prefix match (`depth` = content length, `nocase`, nothing forbids trailing bytes),
# while the Host header must equal the listed name exactly (`depth` plus
# `isdataat:!1,relative`). Only cleartext HTTP, or traffic decrypted before it reaches
# the sensor, is visible to these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bsq808t"; depth:8; nocase; http.host; content:"shoesdiscountmee.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xplfalcon1.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destinywatch.chickenkiller.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostnummer1number1.zapto.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovideloo.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rango.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bodybuilding.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635911; rev:1;)
# ip:port IOCs (alert tcp): these rules carry no flow or payload keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches, including connection
# attempts that never complete. `threshold: type limit, track by_src, seconds 60,
# count 1` emits at most one alert per source address per 60 seconds for each rule.
# `target:src_ip` records the $HOME_NET side as the affected host.
alert tcp $HOME_NET any -> [188.166.230.26] 1002 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635912; rev:1;)
alert tcp $HOME_NET any -> [196.251.87.18] 909 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635899; rev:1;)
alert tcp $HOME_NET any -> [164.92.201.130] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635900; rev:1;)
alert tcp $HOME_NET any -> [87.121.84.21] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635901; rev:1;)
alert tcp $HOME_NET any -> [89.35.130.116] 1561 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635902; rev:1;)
alert tcp $HOME_NET any -> [5.175.192.151] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635903; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.83] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortyhacks.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetfodao.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635889; rev:1;)
alert tcp $HOME_NET any -> [176.104.208.197] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635890; rev:1;)
alert tcp $HOME_NET any -> [23.95.102.204] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635891; rev:1;)
alert tcp $HOME_NET any -> [104.248.53.107] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635892; rev:1;)
alert tcp $HOME_NET any -> [167.172.47.97] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635893; rev:1;)
alert tcp $HOME_NET any -> [107.172.195.130] 4535 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635894; rev:1;)
alert tcp $HOME_NET any -> [121.127.34.118] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635895; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.19] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635896; rev:1;)
alert tcp $HOME_NET any -> [172.105.120.88] 4567 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635897; rev:1;)
alert tcp $HOME_NET any -> [167.99.208.171] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f60vinnie75.city"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taileenanahi.company"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h5441eqzey.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thtmagics21.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azizsadak.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glow/add.php"; depth:13; nocase; http.host; content:"prolasde.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loni/panel/index.php"; depth:21; nocase; http.host; content:"gossipinformation.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635882; rev:1;)
alert tcp $HOME_NET any -> [82.202.167.229] 4445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635880; rev:1;)
# NOTE(review): unlike the other url rules, the next rule has no http.host match and
# anchors an IP literal in the first 15 bytes of http.uri. A request URI normally
# begins with "/", so this rule probably never fires as written; the IOC looks like a
# bare-IP URL whose host part ended up in the URI match - confirm against the
# referenced entry and consider covering the address with a host- or IP-based rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.242"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1635879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635879; rev:1;)
alert tcp $HOME_NET any -> [103.83.87.230] 1989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635877; rev:1;)
alert tcp $HOME_NET any -> [147.124.213.155] 35300 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635878; rev:1;)
alert tcp $HOME_NET any -> [5.101.85.24] 60376 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635873; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.161] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635874; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.175] 9182 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635875; rev:1;)
alert tcp $HOME_NET any -> [23.236.169.227] 8486 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gufhhfhddddddddddddddddjjjjjfjfiijndnudn.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"result673.airdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chimusgen.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nightnoghwednesdaymanaagerxxxxx.duckdns.org"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"round-districts.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"street-golf.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ready-andorra.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plan-railroad.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parts-almost.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourself-berry.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goods-hilton.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benefits-blocking.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"provide-abu.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taken-housewives.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"input-conduct.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envioxword20.mysynology.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rootkitow-webkillez.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"china-sec.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyrics-host.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-mine.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y783hdhf.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"effect-unless.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"browser-real.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635856; rev:1;)
# NOTE(review): several destination addresses recur in the rules that follow.
# 147.185.221.212 is listed under both XWorm and AsyncRAT on several ports, and
# 193.161.193.99 and 82.14.101.190 each appear with multiple ports. That pattern is
# presumably shared tunnelling or hosting infrastructure rather than one dedicated
# server - verify against the referenced ThreatFox entries before promoting the bare
# address (without the port) to a block list.
alert tcp $HOME_NET any -> [147.185.221.212] 55667 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635847; rev:1;)
alert tcp $HOME_NET any -> [82.14.101.190] 46377 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635848; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 8169 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635849; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.211] 47893 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635837; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 12474 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635838; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 55667 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635839; rev:1;)
alert tcp $HOME_NET any -> [82.14.101.190] 54949 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635840; rev:1;)
# NOTE(review): the repeated-octet address in the next rule may be a placeholder value
# rather than live infrastructure - TODO confirm against the referenced entry.
alert tcp $HOME_NET any -> [193.193.193.193] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635841; rev:1;)
alert tcp $HOME_NET any -> [82.14.101.190] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635842; rev:1;)
alert tcp $HOME_NET any -> [79.250.139.167] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635843; rev:1;)
alert tcp $HOME_NET any -> [82.14.101.190] 48783 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635844; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.31] 31640 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635845; rev:1;)
alert tcp $HOME_NET any -> [82.26.74.32] 777 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635846; rev:1;)
# NOTE(review): the next rule matches api.telegram.org through the http app-layer only.
# The Telegram Bot API is normally reached over HTTPS, so this presumably alerts only
# where TLS is decrypted before the sensor; otherwise the request is not visible to
# it. The URI embeds one specific bot token (lower-cased here and matched with
# `nocase`), so other bots on the same host do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8009489309:aahcgklqfpl8rk3ewpdw1mbsczclcyh04i0/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635832; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 46467 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635833; rev:1;)
alert tcp $HOME_NET any -> [158.173.24.104] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635834; rev:1;)
alert tcp $HOME_NET any -> [195.231.114.164] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635835; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 15620 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635836; rev:1;)
# NOTE(review): 1.0.0.229 (next rule, and again on ports 53 and 80 further down) is in
# the same /24 as the public resolver address 1.0.0.1. Treat hits on these three rules
# as low-fidelity until the referenced entries are verified, since ports 53 and 80
# towards that range could also be ordinary traffic.
alert tcp $HOME_NET any -> [1.0.0.229] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635820; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 50237 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635821; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.124] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635822; rev:1;)
alert tcp $HOME_NET any -> [158.220.115.77] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635823; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 4118 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635824; rev:1;)
alert tcp $HOME_NET any -> [84.229.20.69] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635825; rev:1;)
alert tcp $HOME_NET any -> [84.229.20.69] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635826; rev:1;)
alert tcp $HOME_NET any -> [79.117.69.84] 4118 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635827; rev:1;)
alert tcp $HOME_NET any -> [212.15.49.30] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635828; rev:1;)
alert tcp $HOME_NET any -> [1.0.0.229] 53 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635829; rev:1;)
alert tcp $HOME_NET any -> [158.220.115.77] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635830; rev:1;)
alert tcp $HOME_NET any -> [95.31.51.170] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635831; rev:1;)
alert tcp $HOME_NET any -> [78.73.129.246] 44444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635810; rev:1;)
alert tcp $HOME_NET any -> [78.73.129.246] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635811; rev:1;)
alert tcp $HOME_NET any -> [84.229.20.69] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635812; rev:1;)
alert tcp $HOME_NET any -> [158.220.115.77] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635813; rev:1;)
alert tcp $HOME_NET any -> [188.132.202.20] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635814; rev:1;)
alert tcp $HOME_NET any -> [146.70.51.74] 2306 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635815; rev:1;)
alert tcp $HOME_NET any -> [212.15.49.30] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635816; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635817; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.99] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635818; rev:1;)
alert tcp $HOME_NET any -> [1.0.0.229] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635819; rev:1;)
alert tcp $HOME_NET any -> [78.73.129.246] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635808; rev:1;)
alert tcp $HOME_NET any -> [78.73.129.246] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connff99.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"standard-graduate.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoilaczzzez.tv"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatex.xoilaczzzez.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczzzez.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1635805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635805; rev:1;)
# --- Botnet C2, domain indicators (confidence_level 100, first_seen 2025_11_07) ---
# Each rule is an exact, case-insensitive match on the full DNS query name:
# depth equals the content length and isdataat:!1,relative rejects anything
# longer. Only the listed hostnames match; sibling or deeper labels do not.
# Several names sit under shared hosting-style parents (gl.at.ply.gg,
# duckdns.org, selfip.com, portmap.io - presumably dynamic-DNS or tunnelling
# services; confirm). The rules deliberately pin one hostname each, so do not
# widen them to the parent domain without measuring the benign traffic first.
# msg carries no malware family for these entries; use the reference URL to
# look up the ThreatFox record during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczzzez.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wood-visits.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatex.xoilaczzzdz.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliado1.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczzzdz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connff77.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8kdan394.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envi03-10.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczzzdz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"services-msc.selfip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"in-ul.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oska123-58079.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobilmoe.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connff88.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"islands-instance.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"group-atm.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoes-each.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635788; rev:1;)
# --- Quasar RAT C2, ip:port indicators (confidence_level 100) ---
# Address-and-port match only: no flow, content or app-layer keyword, so the
# alert records that a $HOME_NET host sent TCP traffic to the endpoint, not that
# Quasar traffic was decoded. threshold limits output to one alert per source
# address per 60 seconds per rule.
# 147.185.221.212 is listed here with more than one port; treat the address as
# possibly shared infrastructure (unconfirmed) and keep the port in the match.
alert tcp $HOME_NET any -> [86.83.128.156] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635781; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.27] 6984 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635782; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 65397 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635783; rev:1;)
alert tcp $HOME_NET any -> [90.243.201.32] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635784; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.23] 3005 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635785; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.102] 8881 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635776; rev:1;)
alert tcp $HOME_NET any -> [136.0.157.34] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635777; rev:1;)
alert tcp $HOME_NET any -> [78.70.235.44] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635778; rev:1;)
alert tcp $HOME_NET any -> [136.0.157.34] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635779; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 35109 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1635780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635780; rev:1;)
# --- Botnet C2, URL indicators (confidence_level 100, first_seen 2025_11_07) ---
# Client-to-server GET requests on an established flow. http.host is matched in
# full (depth equals the content length, isdataat:!1,relative), but http.uri is
# only anchored at the start: content:"/api" with depth:4 matches every path
# that begins with /api on that host, whatever follows.
# These are HTTP-parser rules, so they see cleartext requests only; the same
# hosts reached over TLS are invisible here unless traffic is decrypted upstream.
# There is no threshold keyword, so each matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"splwplx.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635772; rev:1;)
# NOTE(review): worldtimeapi.org is a public time-lookup API that ordinary
# software also calls, and the /api prefix covers its normal endpoints. A hit on
# this sid alone is weak evidence: correlate it with the other hosts in this
# group from the same source before escalating, and do not use it for blocking
# without checking the ThreatFox record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worldtimeapi.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"litteru.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"aspedyd.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"indef.locker"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"genusal.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pabuloa.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"endzed.asia"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scratfx.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635769; rev:1;)
# --- Cobalt Strike C2, ip:port indicators (confidence_level 75) ---
# Address-and-port match with no payload inspection, on ports 443 and 80. Those
# ports carry ordinary web traffic, so an alert shows only that a host reached
# the address; confirm with TLS/HTTP metadata from the same flow before acting.
# The feed rates these 75, lower than the 100-rated entries in this file.
alert tcp $HOME_NET any -> [88.214.50.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635765/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635765; rev:1;)
alert tcp $HOME_NET any -> [88.214.50.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635766/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635766; rev:1;)
alert tcp $HOME_NET any -> [8.155.175.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635764/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635764; rev:1;)
# --- Botnet C2, domain indicators (confidence_level 75) ---
# Exact, case-insensitive match on the whole DNS query name (depth equals the
# content length, isdataat:!1,relative). Only these subdomains are listed; the
# parent domains datasystemconsulting.com and seodevserver.com are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"services.datasystemconsulting.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635762/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"support.seodevserver.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635763/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"int.datasystemconsulting.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635761/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"console.seodevserver.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635760/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chat.seodevserver.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635759/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"backend.datasystemconsulting.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635758/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635758; rev:1;)
# --- Payload delivery, domain indicators (confidence_level 100) ---
# Same exact-name DNS match as above; msg labels these "payload delivery"
# rather than C2, so a hit is worth pairing with download and process telemetry
# from the querying host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foxklippe.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stellarblick.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635756; rev:1;)
# --- Payload delivery, URL indicators (confidence_level 50) ---
# GET requests where http.host matches in full and http.uri matches as a
# case-insensitive prefix (depth equals the content length, no end anchor), so
# the listed path followed by a query string still matches.
# Host and path names reference Zoom installers and invites - presumably a
# fake-installer lure; confirm against the ThreatFox record.
# The feed rates these 50, its lowest level in this section: triage below the
# 100-rated rules, and remember that cleartext HTTP is all these rules can see.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/windows/download.php"; depth:26; nocase; http.host; content:"surrezooominvite.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635748/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meeting/windows/zoomworkspace.clientsetup.exe"; depth:46; nocase; http.host; content:"mine.teknikbayi.com.tr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635749/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/windows/download.php"; depth:26; nocase; http.host; content:"surrezooominvite.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635750/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/windows/download.php"; depth:21; nocase; http.host; content:"zoommeeting1.n2c0.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635751/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635751; rev:1;)
# --- Payload delivery, URL indicators (confidence_level 50, first_seen 2025_11_07) ---
# Client-to-server GET requests on an established flow. http.host is matched in
# full (depth equals the content length, isdataat:!1,relative); http.uri is a
# case-insensitive prefix match, so the listed path plus any query string still
# matches. Cleartext HTTP only - the same URL fetched over TLS is not seen.
# The feed rates these 50: treat a hit as a lead to corroborate with download
# and execution telemetry from the source host, not as a confirmed infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/windows/invite.php"; depth:24; nocase; http.host; content:"surrezooominvite.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/invite.php"; depth:19; nocase; http.host; content:"zoommeeting1.n2c0.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635753/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meeting/windows/invite.php"; depth:27; nocase; http.host; content:"mine.teknikbayi.com.tr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635754/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/windows/invite.php"; depth:24; nocase; http.host; content:"surrezooominvite.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635755/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635755; rev:1;)
# --- Payload delivery, domain indicators (confidence_level 100) ---
# Exact, case-insensitive match on the whole DNS query name: depth equals the
# content length and isdataat:!1,relative rejects longer names, so subdomains
# of these entries are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eclipsenebel.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lilacdorn.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635746; rev:1;)
# --- Botnet C2, domain indicators (confidence_level 50) ---
# A run of 16-letter second-level names under .ws and .ru, each matched exactly.
# Several .ru names repeat a .ws name with only the first letter changed, which
# looks algorithmically generated (unconfirmed). If so, an enumerated list will
# always trail the generator: use these as retrospective indicators and pair
# them with behavioural detection such as bursts of failed lookups per host.
# msg carries no malware family and the feed rates these 50; there is no
# threshold keyword, so a host cycling through many names alerts once per query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"toueafhuoaefhefu.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635743/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tpleflpokadkeoot.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635744/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tploaeieifuebaub.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635745/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"teuaueufuanbbgbg.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635733/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tezaeazdgzegdget.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tfubaebeanfienfi.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tganieeidiehgihe.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tgauheudbbchaiii.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635737/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tinbeafbiaebfiie.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635738/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tlpaenimonadfueh.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tnabeuffhshsueur.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"toeghaiofiehfihf.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635741/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"toirgsiorgididii.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635742/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"soueafhuoaefhefu.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635723/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spleflpokadkeoot.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sploaeieifuebaub.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tadbabbabefnefmf.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"taedvezdeahfhuea.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"taefneabdmemdnaf.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tauedaiednaibduf.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tbdadnmolaedbfau.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tefiaeieiififnnf.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tefiefijiejdijef.ws"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635732/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sezaeazdgzegdget.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635714; rev:1;)
alert dns
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sfubaebeanfienfi.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635715/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sganieeidiehgihe.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sgauheudbbchaiii.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sinbeafbiaebfiie.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"slpaenimonadfueh.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"snabeuffhshsueur.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"soeghaiofiehfihf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"soirgsiorgididii.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"npleflpokadkeoot.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nploaeieifuebaub.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sadbabbabefnefmf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1635706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"saedvezdeahfhuea.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"saefneabdmemdnaf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sauedaiednaibduf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sbdadnmolaedbfau.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sefiaeieiififnnf.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sefiefijiejdijef.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seuaueufuanbbgbg.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nezaeazdgzegdget.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635694/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nfubaebeanfienfi.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635695/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nganieeidiehgihe.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635696/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"ngauheudbbchaiii.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635697/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ninbeafbiaebfiie.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635698/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nlpaenimonadfueh.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635699/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nnabeuffhshsueur.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635700/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"noeghaiofiehfihf.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635701/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"noirgsiorgididii.su"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635702/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"noueafhuoaefhefu.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loueafhuoaefhefu.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635683/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lpleflpokadkeoot.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635684/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lploaeieifuebaub.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635685/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nadbabbabefnefmf.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635686/; target:src_ip; metadata: confidence_level 
50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"naedvezdeahfhuea.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635687/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"naefneabdmemdnaf.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635688/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nauedaiednaibduf.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635689/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nbdadnmolaedbfau.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635690/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nefiaeieiififnnf.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635691/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nefiefijiejdijef.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635692/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"neuaueufuanbbgbg.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635693/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"leuaueufuanbbgbg.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635673/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lezaeazdgzegdget.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635674/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lfubaebeanfienfi.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635675/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lganieeidiehgihe.to"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635676/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lgauheudbbchaiii.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635677/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"linbeafbiaebfiie.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635678/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"llpaenimonadfueh.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635679/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lnabeuffhshsueur.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635680/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loeghaiofiehfihf.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635681/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loirgsiorgididii.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635682/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoueafhuoaefhefu.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635663/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"epleflpokadkeoot.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635664/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eploaeieifuebaub.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635665/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ladbabbabefnefmf.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635666/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635666; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"laedvezdeahfhuea.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635667/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"laefneabdmemdnaf.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635668/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lauedaiednaibduf.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635669/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lbdadnmolaedbfau.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635670/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lefiaeieiififnnf.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635671/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"lefiefijiejdijef.to"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635672/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"efubaebeanfienfi.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635655/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eganieeidiehgihe.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635656/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"egauheudbbchaiii.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635657/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"einbeafbiaebfiie.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635658/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"elpaenimonadfueh.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1635659/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"enabeuffhshsueur.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635660/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoeghaiofiehfihf.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635661/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eoirgsiorgididii.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635662/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaedvezdeahfhuea.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635647/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eaefneabdmemdnaf.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635648/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eauedaiednaibduf.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635649/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ebdadnmolaedbfau.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635650/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eefiaeieiififnnf.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635651/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eefiefijiejdijef.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635652/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eeuaueufuanbbgbg.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635653/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eezaeazdgzegdget.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635654/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635654; rev:1;)
# Layout: the rules below are written one per line. The first and last lines of this
# span are fragments of rules that continue outside it and are left as found.
# DNS rule: depth:<length of content> plus isdataat:!1,relative means the query name
# must equal the listed domain (nocase); a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"eadbabbabefnefmf.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635646/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635646; rev:1;)
# --- ThreatFox botnet C2 URLs (HTTP), first_seen 2025_11_07, confidence_level 50 ---
# Match logic: client-to-server traffic on an established flow, request method containing
# GET, http.host equal to the listed name (depth:<length> plus isdataat:!1,relative),
# and http.uri beginning with the listed path.
# NOTE(review): the http.uri content has a depth but no isdataat:!1,relative, so it is a
# prefix test only. Where the listed path is "/", that holds for any request path that
# starts with a slash, so those rules effectively alert on any GET to the host.
# sid:91635637 (tldrnet.top, "/") therefore also covers the request matched by
# sid:91635638 (tldrnet.top, "/pe/32.exe"); expect both alerts for one such request.
# The host patterns are lowercase and carry no nocase; Suricata matches http.host
# against the lowercased host value, so lowercase patterns are what the buffer needs.
# Scope: alert http only applies to traffic Suricata parses as HTTP; requests to these
# hosts inside TLS are not inspected by these rules unless decrypted upstream.
# Triage: target:src_ip marks the requesting client as the affected side. ThreatFox
# rates these entries at 50% (see msg and metadata), so corroborate with other telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tpleflpokadkeoot.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635644/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tploaeieifuebaub.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635645/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tlpaenimonadfueh.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635639/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tnabeuffhshsueur.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635640/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"toeghaiofiehfihf.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635641/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"toirgsiorgididii.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635642/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"toueafhuoaefhefu.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635643/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tinbeafbiaebfiie.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635636/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tldrnet.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635637/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pe/32.exe"; depth:10; nocase; http.host; content:"tldrnet.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635638/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tezaeazdgzegdget.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635632/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tfubaebeanfienfi.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635633/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tganieeidiehgihe.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635634/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tgauheudbbchaiii.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635635/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tauedaiednaibduf.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635627/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tbdadnmolaedbfau.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tefiaeieiififnnf.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635629/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tefiefijiejdijef.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635630/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"teuaueufuanbbgbg.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635631/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sploaeieifuebaub.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tadbabbabefnefmf.ws"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1635624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"taedvezdeahfhuea.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"taefneabdmemdnaf.ws"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soueafhuoaefhefu.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"spleflpokadkeoot.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635622; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soirgsiorgididii.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sinbeafbiaebfiie.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635616/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"slpaenimonadfueh.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"snabeuffhshsueur.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"soeghaiofiehfihf.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"seuaueufuanbbgbg.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635611/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sezaeazdgzegdget.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635612/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sfubaebeanfienfi.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635613/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sganieeidiehgihe.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635614/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sgauheudbbchaiii.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sauedaiednaibduf.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635607/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sbdadnmolaedbfau.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635608/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sefiaeieiififnnf.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635609/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sefiefijiejdijef.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635610/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"npleflpokadkeoot.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635602/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nploaeieifuebaub.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sadbabbabefnefmf.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635604/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"saedvezdeahfhuea.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635605/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"saefneabdmemdnaf.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635606/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nlpaenimonadfueh.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nnabeuffhshsueur.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"noeghaiofiehfihf.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"noirgsiorgididii.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"noueafhuoaefhefu.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nfubaebeanfienfi.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nganieeidiehgihe.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ngauheudbbchaiii.su"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ninbeafbiaebfiie.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635596/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nefiaeieiififnnf.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nefiefijiejdijef.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"neuaueufuanbbgbg.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635591; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nezaeazdgzegdget.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"naedvezdeahfhuea.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"naefneabdmemdnaf.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nauedaiednaibduf.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"nbdadnmolaedbfau.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"loirgsiorgididii.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"loueafhuoaefhefu.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lpleflpokadkeoot.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lploaeieifuebaub.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nadbabbabefnefmf.su"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"linbeafbiaebfiie.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"llpaenimonadfueh.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lnabeuffhshsueur.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"loeghaiofiehfihf.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635579; rev:1;)
# --- HTTP URL indicators: botnet C2, confidence_level 50 ---
# Each rule below fires on an established client-to-server GET whose Host is
# exactly the listed name: depth equals the name length and
# isdataat:!1,relative requires that no byte follows the match.
# The http.uri test (content:"/"; depth:1) is anchored only at the first byte,
# so it accepts every path; in effect these are host-only matches.
# target:src_ip marks the $HOME_NET source as the alert target.
# NOTE(review): http.* buffers are filled only from cleartext (or decrypted)
# HTTP, so the same hosts contacted over TLS will not raise these sids; confirm
# whether companion dns or tls.sni coverage exists for them.
# NOTE(review): every host here is a 16-character label under .to or .top;
# exact-host rules will not cover sibling labels the feed has not listed yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lezaeazdgzegdget.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lfubaebeanfienfi.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635573/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lganieeidiehgihe.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lgauheudbbchaiii.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lbdadnmolaedbfau.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lefiaeieiififnnf.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lefiefijiejdijef.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"leuaueufuanbbgbg.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ladbabbabefnefmf.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"laedvezdeahfhuea.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"laefneabdmemdnaf.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lauedaiednaibduf.to"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eoueafhuoaefhefu.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"epleflpokadkeoot.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eploaeieifuebaub.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"elpaenimonadfueh.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"enabeuffhshsueur.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eoeghaiofiehfihf.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eoirgsiorgididii.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"efubaebeanfienfi.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eganieeidiehgihe.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"egauheudbbchaiii.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"einbeafbiaebfiie.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eefiaeieiififnnf.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eefiefijiejdijef.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeuaueufuanbbgbg.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eezaeazdgzegdget.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaedvezdeahfhuea.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eaefneabdmemdnaf.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eauedaiednaibduf.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ebdadnmolaedbfau.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635548; rev:1;)
# --- HTTP URL indicator: botnet C2, confidence_level 50 ---
# Matches an established client-to-server GET whose Host is exactly the listed
# name (depth = name length; isdataat:!1,relative = nothing after the match).
# content:"/"; depth:1 on http.uri accepts every path, so this is host-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eadbabbabefnefmf.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635544; rev:1;)
# --- Domain indicator ---
# dns_query rules match only when the queried name equals the listed string,
# case-insensitively (depth = name length, isdataat:!1,relative, nocase);
# sub-domains of a listed name do not match.
# NOTE(review): only queries from $HOME_NET to $EXTERNAL_NET are inspected; if
# clients resolve through an internal resolver, target:src_ip will name the
# resolver rather than the querying host -- correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"violetmoos.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635543; rev:1;)
# --- IP:port indicators ---
# These rules carry no flow, flag or payload condition: any TCP packet from
# $HOME_NET to the listed address and port matches, including a SYN that is
# never answered. threshold type limit / track by_src caps output at one alert
# per source address per 60 seconds.
# NOTE(review): address-based indicators go stale when hosting is reassigned;
# use first_seen and confidence_level from metadata to age out or down-rank.
alert tcp $HOME_NET any -> [128.241.254.112] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635541; rev:1;)
alert tcp $HOME_NET any -> [128.241.254.176] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635542; rev:1;)
alert tcp $HOME_NET any -> [8.140.50.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635540; rev:1;)
alert tcp $HOME_NET any -> [107.189.19.88] 4571 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635539; rev:1;)
alert tcp $HOME_NET any -> [172.111.169.7] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635538; rev:1;)
alert tcp $HOME_NET any -> [23.230.3.188] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635537; rev:1;)
alert tcp $HOME_NET any -> [23.230.3.188] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635536; rev:1;)
# --- Domain indicators (exact-name match, see the dns_query note above) ---
# The last two rules in this run are confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makelifecomehardsoteemannogofitfeedhimfa.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quantumrinde.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"hello-squiblydoo-do-you-like-kitties.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"summerandsilver.co.uk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635533; rev:1;)
# --- HTTP URL indicators: payload delivery, confidence_level 50 ---
# Host must equal the listed name; the http.uri content is anchored at the
# start only (depth), so "/" accepts every path and a longer literal such as
# "/3.wav" also accepts any URI that merely begins with it.
# NOTE(review): http.* buffers need cleartext or decrypted HTTP; requests to
# these hosts over TLS will not raise these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"captaincoin.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.wav"; depth:6; nocase; http.host; content:"captaincoin.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635529/; target:src_ip;
metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635529; rev:1;)
# --- HTTP URL indicators: payload delivery, confidence_level 50 ---
# Each rule fires on an established client-to-server GET whose Host is exactly
# the listed name (depth = name length; isdataat:!1,relative = nothing after).
# The http.uri content is anchored at the start only: content:"/"; depth:1
# accepts every path on the host, and "/index.php"; depth:10 accepts any URI
# that begins with that string.
# NOTE(review): with a host-only match at confidence_level 50, any cleartext GET
# to one of these sites alerts, whatever page is requested; consider routing
# these sids to a lower triage priority than the confidence_level 100 rules.
# NOTE(review): http.* buffers need cleartext or decrypted HTTP; requests to
# these hosts over TLS will not raise these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tambunting.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.baccosrl.it"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"urs.org.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88tdtc.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"garudamaskosmetik.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"amalgadget.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.aprendaceo.com.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vakarpishkov.magnaart.ru.fbweb.ru"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"emaragogi.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"excellencebpo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"piworfolo.com.theplatinumguesthouse.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635522; rev:1;)
# --- Domain indicators: payload delivery, confidence_level 100 ---
# dns_query rules match only when the queried name equals the listed string,
# case-insensitively (depth = name length, isdataat:!1,relative, nocase).
# NOTE(review): the names below are distinct labels under one parent domain;
# because the match is exact, a label the feed has not listed yet is missed.
# NOTE(review): only queries from $HOME_NET to $EXTERNAL_NET are inspected; if
# clients resolve through an internal resolver, target:src_ip will name the
# resolver rather than the querying host -- correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4j1.glacierbruecke.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7.glacierbruecke.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qtf.glacierbruecke.ru"; depth:21;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635516; rev:1;)
# --- Domain indicator: payload delivery, confidence_level 100 ---
# Matches only when the queried name equals the listed string exactly,
# case-insensitively (depth = name length, isdataat:!1,relative, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8p.glacierbruecke.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635515; rev:1;)
# --- IP:port indicators: botnet C2 ---
# These rules carry no flow, flag or payload condition: any TCP packet from
# $HOME_NET to the listed address and port matches, including a SYN that is
# never answered. threshold type limit / track by_src caps output at one alert
# per source address per 60 seconds, so repeated contact inside that window is
# not re-reported for the same source.
# target:src_ip marks the $HOME_NET source as the alert target.
# NOTE(review): several destinations use common service ports (80, 443, 8080,
# 8443); an address-only match cannot tell the listed service apart from
# anything else later hosted on that address, so treat first_seen as an expiry
# input and re-validate old entries before acting on an alert.
alert tcp $HOME_NET any -> [52.195.10.170] 80 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635514; rev:1;)
alert tcp $HOME_NET any -> [18.175.134.18] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635513; rev:1;)
alert tcp $HOME_NET any -> [44.230.247.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635512; rev:1;)
alert tcp $HOME_NET any -> [16.171.38.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635511; rev:1;)
alert tcp $HOME_NET any -> [176.9.117.52] 9333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635509; rev:1;)
alert tcp $HOME_NET any -> [200.130.16.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635510; rev:1;)
alert tcp $HOME_NET any -> [43.218.182.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635508; rev:1;)
alert tcp $HOME_NET any -> [13.127.74.194] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635507; rev:1;)
alert tcp $HOME_NET any -> [203.195.217.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635506; rev:1;)
alert tcp $HOME_NET any -> [101.201.53.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635505; rev:1;)
alert tcp $HOME_NET any -> [59.0.49.66] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635504; rev:1;)
alert tcp $HOME_NET any -> [184.55.180.114] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635502; rev:1;)
alert tcp $HOME_NET any -> [125.230.28.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635503; rev:1;)
alert tcp $HOME_NET any -> [106.247.205.227] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635500; rev:1;)
alert tcp $HOME_NET any -> [221.145.78.84] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635501; rev:1;)
alert tcp $HOME_NET any -> [97.107.206.49] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635499; rev:1;)
# The next rule is the only confidence_level 90 entry in this run.
alert tcp $HOME_NET any -> [185.123.102.160] 23514 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635498/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_07; classtype:trojan-activity; sid:91635498; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.10] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635497; rev:1;)
alert tcp $HOME_NET any -> [45.77.119.155] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635496; rev:1;)
alert tcp $HOME_NET any -> [129.212.190.70] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635495; rev:1;)
alert tcp $HOME_NET any -> [129.212.190.70] 1000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635494/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635494; rev:1;)
# This stretch interleaves two rule shapes.
#
# IP:port rules (alert tcp ... -> [addr] port): no flow, flag or payload
# condition, so any TCP packet from $HOME_NET to the listed address and port
# matches, including an unanswered SYN. threshold type limit / track by_src
# caps output at one alert per source address per 60 seconds.
# NOTE(review): the confidence_level 75 entries on port 443 are address-only
# matches on a common service port; weigh confidence_level and first_seen
# before treating a hit as confirmed C2.
#
# Domain rules (alert dns ... dns_query): match only when the queried name
# equals the listed string exactly, case-insensitively (depth = name length,
# isdataat:!1,relative, nocase).
# NOTE(review): many names are distinct labels under the same parent domain;
# because the match is exact, a label the feed has not listed yet is missed.
# NOTE(review): only queries from $HOME_NET to $EXTERNAL_NET are inspected; if
# clients resolve through an internal resolver, target:src_ip will name the
# resolver rather than the querying host -- correlate with resolver logs.
alert tcp $HOME_NET any -> [123.53.36.74] 54002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635493; rev:1;)
alert tcp $HOME_NET any -> [77.83.207.219] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635492; rev:1;)
alert tcp $HOME_NET any -> [39.102.102.170] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3fp.glacierbruecke.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrpatate.myddns.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635489/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daj.glacierbruecke.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10.glacierbruecke.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635487; rev:1;)
alert tcp $HOME_NET any -> [170.64.169.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1i.glacierbruecke.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l3.basaltwerk.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8343.basaltwerk.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sbeo.basaltwerk.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j4.basaltwerk.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bv9.basaltwerk.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.basaltwerk.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635479; rev:1;)
alert tcp $HOME_NET any -> [54.39.16.59] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635478; rev:1;)
alert tcp $HOME_NET any -> [40.160.61.7] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635477; rev:1;)
alert tcp $HOME_NET any -> [175.29.22.57] 33994 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635476/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91635476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wp6.basaltwerk.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uhz.basaltwerk.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3t.bramblestrom.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635473; rev:1;)
alert tcp $HOME_NET any -> [100.27.186.21] 5938 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level:
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635472; rev:1;) alert tcp $HOME_NET any -> [89.221.203.147] 8080 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635471; rev:1;) alert tcp $HOME_NET any -> [95.111.216.21] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635470; rev:1;) alert tcp $HOME_NET any -> [16.63.110.247] 20547 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635469; rev:1;) alert tcp $HOME_NET any -> [105.159.140.215] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635467; rev:1;) alert tcp $HOME_NET any -> [98.130.47.152] 41795 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635468; rev:1;) alert tcp $HOME_NET any -> [193.25.218.109] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635466; rev:1;) alert tcp $HOME_NET any -> [34.172.35.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635465; rev:1;) alert tcp $HOME_NET any -> [91.98.170.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635464; rev:1;) alert tcp $HOME_NET any -> [83.136.211.176] 40000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635463; rev:1;) alert tcp $HOME_NET any -> [103.97.178.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635462; rev:1;) alert tcp $HOME_NET any -> [34.207.216.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1635461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635461; rev:1;) alert tcp $HOME_NET any -> [124.222.63.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635460; rev:1;) alert tcp $HOME_NET any -> [88.214.50.149] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635459; rev:1;) alert tcp $HOME_NET any -> [180.76.240.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635458; rev:1;) alert tcp $HOME_NET any -> [178.16.54.35] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.fabiankorte.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635456; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qq.fabiankorte.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"74.bramblestrom.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9ls.bramblestrom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huy"; depth:4; nocase; http.host; content:"lite.trustnik.sbs"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635452/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hrjob-forward-build.store"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635451/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi.bramblestrom.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635450; rev:1;) alert tcp $HOME_NET any -> [120.79.212.191] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3hg.bramblestrom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ehu.bramblestrom.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6w9h.js"; depth:8; nocase; http.host; content:"saeam.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634673; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saeam.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"saeam.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634675; rev:1;) alert tcp $HOME_NET any -> [178.16.54.33] 80 (msg:"ThreatFox Mozi payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634687; rev:1;) alert tcp $HOME_NET any -> [45.156.87.15] 39691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"images.nestledinniagara.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634695; rev:1;) alert tcp $HOME_NET any -> [58.22.95.157] 6868 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634747/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634747; rev:1;) alert tcp $HOME_NET any -> [222.137.145.249] 55445 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634748/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bq.bramblestrom.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4r.bramblestrom.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635445; rev:1;) alert tcp $HOME_NET any -> [95.81.117.45] 101 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635444/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2m.horizonspur.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635443/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0x.horizonspur.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635442; rev:1;) alert tcp $HOME_NET any -> [172.203.85.252] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oz.horizonspur.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635440; rev:1;) alert tcp $HOME_NET any -> [209.54.102.138] 1624 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sportewindows.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635438/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635438; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"teuaueudgs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635418/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"teubeufubg.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635419/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tiaeufaehe.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635420/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tieieieros.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635421/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tiheiufisd.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635422/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tniaeninie.su"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635423/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wbaeubuegs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635424/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"weoghehofu.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635425/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"weuaueudgs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635426/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"weubeufubg.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635427/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wiaeufaehe.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635428/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wieieieros.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635429/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wiheiufisd.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635430/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wniaeninie.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635431/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xbaeubuegs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635432/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xeoghehofu.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635433/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"xiaeufaehe.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635434/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xieieieros.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635435/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xiheiufisd.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635436/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xniaeninie.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635437/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abaeubuegs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635408/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeoghehofu.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1635409/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeuaueudgs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635410/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aeubeufubg.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635411/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aiaeufaehe.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635412/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aieieieros.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635413/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aiheiufisd.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635414/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635414; 
rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (all carry first_seen 2025_11_07).
#
# * Each sid is 90000000 + the ThreatFox IOC id from the reference URL
#   (sid:91635415 <-> threatfox.abuse.ch/ioc/1635415/), so an alert can be
#   traced directly to its IOC page.
# * Every rule inspects $HOME_NET -> $EXTERNAL_NET traffic and sets
#   target:src_ip, i.e. the internal client is recorded as the affected host.
# * All rules here are confidence_level 50 except sid 91635376 (100).
#   NOTE(review): consider routing the 50% rules to triage/hunting rather
#   than to automated blocking.
#
# DNS rules: dns_query (older spelling of the dns.query buffer) with depth
# equal to the string length, isdataat:!1,relative and nocase. Together these
# match only when the whole query name equals the listed name,
# case-insensitively. A lookup of a subdomain or of the parent domain does
# not match. NOTE(review): a suffix match (dotprefix + endswith) is the usual
# way to include subdomains, but it would diverge from the generated feed.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aniaeninie.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635415/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tbaeubuegs.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635416/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"teoghehofu.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635417/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635417; rev:1;)
# ---------------------------------------------------------------------------
# HTTP rules for the .su cluster (sids 91635378-91635407).
#
# Each matches a client GET on an established flow whose URI starts with "/"
# and whose normalized Host equals the listed 13-byte name (depth:13 plus
# isdataat:!1,relative). The URI test is depth:1 on "/", so the host match is
# what discriminates; the nocase that follows content:"/" has no effect.
# NOTE(review): the msg says "url"; presumably the IOC is the bare URL
# http://<host>/ - confirm on the IOC page.
# The http protocol keyword only sees cleartext HTTP; the same hosts reached
# over TLS are not covered by these rules.
#
# aniaeninie.su, tbaeubuegs.su and teoghehofu.su are also covered by the DNS
# rules 91635415-91635417 above, so one client can raise both a DNS and an
# HTTP alert; correlate on src_ip. DNS rules for the other names may sit
# earlier in the file, outside this excerpt.
# NOTE(review): the names combine a first letter a/t/w/x with a small set of
# shared stems, which looks like generated naming - presumably one family;
# the rules themselves do not name it.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xiaeufaehe.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635404/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xieieieros.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xiheiufisd.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635406/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xniaeninie.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635407/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weoghehofu.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635395/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weuaueudgs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635396/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weubeufubg.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635397/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wiaeufaehe.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635398/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wieieieros.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635399/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wiheiufisd.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635400/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wniaeninie.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635401/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xbaeubuegs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635402/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xeoghehofu.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635403/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aniaeninie.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635385/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tbaeubuegs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635386/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"teoghehofu.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635387/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"teuaueudgs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635388/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"teubeufubg.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635389/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tiaeufaehe.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635390/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tieieieros.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635391/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tiheiufisd.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635392/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tniaeninie.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635393/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wbaeubuegs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635394/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"abaeubuegs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635378/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeoghehofu.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635379/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeuaueudgs.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635380/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aeubeufubg.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635381/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aiaeufaehe.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635382/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aieieieros.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635383/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aiheiufisd.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635384/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635384; rev:1;)
# Dynamic-DNS hostname: only this exact name under duckdns.org is matched,
# not the provider domain or any other label beneath it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mortex.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635377/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635377; rev:1;)
# The only confidence_level 100 rule in this excerpt; its msg classifies the
# IOC as payload delivery rather than botnet C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3r.horizonspur.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635376; rev:1;)
# ---------------------------------------------------------------------------
# "www.*" DNS rules, all confidence_level 50 botnet C2.
#
# Each name is matched with its "www." label included and anchored at both
# ends, so a query for the bare domain or for any other host under it does
# not alert.
# NOTE(review): several strings read as if the first character of the
# registered name is missing (e.g. "www.olombiabestcoffee.com",
# "www.otelgoldenheart.com"). They are kept exactly as the rule lists them;
# check the IOC page before treating them as typos.
# NOTE(review): some names sit under institutional second-level zones
# (e.g. "www.mpn22surabaya.sch.id", "www.qgsnsc.org.cn"). At confidence 50
# these may be legitimate or compromised sites rather than dedicated
# infrastructure - verify before blocking.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ulfstreammotors.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635363/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.undquantumfusion.forum"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.utfitsstyle.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uungro.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vctwatchs.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vspool.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635368/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xtraklimatyzacje.pl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635369/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ya288.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635370/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yj775.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635371/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ymronmississippi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635372/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yrrkh.app"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635373/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yunyou44.vip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635374/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zeitgeistguard.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ubady.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.site-flow.app"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635346/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.smzwgaegeglszxfb.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.stifffatty.club"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635348/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.syicollc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.t7hjzd.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635350/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tar-mfo.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.telier-moode.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tephanievoneuw.fr"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.thequbitcoin.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.thfa.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635355/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tlctechnical.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635356/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tokeno6a.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635357/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.topcryptocasinos.app"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.toryprintacademy.help"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tylechicescape.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.u59ga.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oreadybusiness.asia"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635327/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.otelgoldenheart.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ouse-renovation-design-1.click"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pagesetupsystem.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.phonenumberleak.one"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635331/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pixplay777.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pmb26.mobi"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pragma123-777.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.qgsnsc.org.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.raghealthtech.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rdsrb.mobi"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rganimalsmx.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rinturo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635339/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rqprwa20.vip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635340/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rrinfanticidal.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.samavet.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sb5g6ku.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.scmcm.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.seqmachineryhireresale.store"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635345/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kurepier.house"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.larityhrco.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.layoutbank.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.laywin159.mobi"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635311/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lbtvod930.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lounge.cash"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.louwhigraig.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.moneynode.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635315/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mpn22surabaya.sch.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635316/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nnmm.beauty"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635317/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.notourdns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635318/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nselfiber.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635319/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nthsxsuccess.sbs"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635320/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ntrinsicoutboundfirm.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635321/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nuoria.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ogagix.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.olombiabestcoffee.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.onus-connect.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635325/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.onvexphone.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635326/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gitim.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635290/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gtwin9.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635291/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hardware.bio"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635292/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91635292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.harmaciechamplain-orange.fr"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635293/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heliosvoltaics.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635294/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.himsygroveadventures.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635295/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hx671.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635296/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hyperliquid-app.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635297/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"www.ibelimity.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635298/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.imguillorytampa.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635299/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.imyfpshmxxnis.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635300/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.indspark.fitness"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635301/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ingse258.life"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635302/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.irtualhouse.xyz"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635303/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.itchspellanddrops.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635304/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jwv8d.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.keber.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ks70yx.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ccentricseahorse.pro"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635271/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_11_07; classtype:trojan-activity; sid:91635271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.clermonttreeservice.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635272/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cyber-security-jobs-60364.bond"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635273/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.djzbgu.mobi"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealthislife.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealthmindsettoday.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635276/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635276; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eercoin.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635277/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.emanticvalue.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635278/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.enzoshop.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635279/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.etsynapseint.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635280/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ewafricakitchen.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635281/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.ewataslotbet60.store"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635282/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ewishamilton.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635283/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.exclusivity-music.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635284/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fdhlg.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635285/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fjoztwcountry.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635286/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fkeeper.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1635287/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fkm88e.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635288/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fsworld.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635289/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.58e0as.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635251/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.94ozgcgq8ai.today"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635252/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.acnotworking.app"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635253/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91635253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.agtagshop.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635254/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.akryb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635255/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aljhomeimprovementllc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635256/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amara99.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635257/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.anantapro.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635258/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"www.androseltium.sbs"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635259/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arktmaastricht.nl"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635260/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arryyeni-bossseo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635261/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ashionbay.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635262/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ashvostro.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635263/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.atthunsane.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1635264/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.avesandersonevents.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635265/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aviagro.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635266/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bor-trading.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635267/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bw447.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635268/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.capitalsmg.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635269/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; 
classtype:trojan-activity; sid:91635269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.carewelltechinsurance.ac"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635270/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.117a.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635246/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1475p.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635247/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.21581.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.371q.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635249/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 50%)"; dns_query; content:"www.483650885622.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635250/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635250; rev:1;)
# --- ThreatFox URL IOCs: HTTP request rules (msg "botnet C2 traffic", confidence_level 50) ---
# Every rule below requires all of the following on one request:
#   * flow:established,from_client -- an established session, client-to-server direction.
#   * http.method content "GET".
#   * http.uri beginning with "/gb52/" or "/ned5/" (depth:6, nocase). Nothing anchors the
#     rest of the path, so any URI under that prefix matches.
#   * http.host equal to the listed name: depth:<len> pins the start and
#     isdataat:!1,relative rejects trailing bytes. There is no nocase on the host content;
#     NOTE(review): this presumably relies on http.host being a lower-cased buffer -- confirm
#     for the deployed Suricata version.
#   * sid is the ThreatFox IOC id from the reference URL with a leading 9.
# These keywords only see HTTP the sensor can parse; NOTE(review): requests to the same hosts
# over TLS would presumably not match unless traffic is decrypted upstream -- confirm.
# The feed rates these entries at 50%, so corroborate a hit before treating the client
# (target:src_ip) as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.vspool.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635238/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.xtraklimatyzacje.pl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635239/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ya288.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635240/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.yj775.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635241/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ymronmississippi.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635242/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.yrrkh.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635243/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.yunyou44.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635244/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.zeitgeistguard.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635245/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.toryprintacademy.help"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.tylechicescape.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.u59ga.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635231/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.ubady.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635232/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ulfstreammotors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635233/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.undquantumfusion.forum"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635234/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.utfitsstyle.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635235/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.uungro.store"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635236/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.vctwatchs.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.syicollc.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.t7hjzd.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.tar-mfo.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.telier-moode.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.tephanievoneuw.fr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.thequbitcoin.dev"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.thfa.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.tlctechnical.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635226/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.tokeno6a.xyz"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1635227/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.topcryptocasinos.app"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.rinturo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.rqprwa20.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.rrinfanticidal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635211; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.samavet.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635212; rev:1;)
# Scope of this batch (one rule per line; the line above and the last line are halves of
# rules that continue on the adjacent lines of the file and are left as found).
#
# These are `alert http` rules restricted to flow:established,from_client, so they inspect
# requests the HTTP parser has decoded. A connection to the same host over TLS is not
# evaluated by these rules unless traffic is decrypted before the sensor; DNS- or TLS-based
# indicators for the same names would be needed to cover that path.
#
# The rating in msg and in metadata (confidence_level 50) is the feed's own. Treat a hit as
# a lead to corroborate from other telemetry for the same source address rather than as a
# verdict on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.sb5g6ku.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.scmcm.pro"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.seqmachineryhireresale.store"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.site-flow.app"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.smzwgaegeglszxfb.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.stifffatty.club"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.ouse-renovation-design-1.click"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635199/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.pagesetupsystem.online"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635200/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.phonenumberleak.one"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635201/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.pixplay777.fun"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635202/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.pmb26.mobi"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635203/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.pragma123-777.click"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635204/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.qgsnsc.org.cn"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.raghealthtech.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.rdsrb.mobi"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.rganimalsmx.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.nselfiber.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635189/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.nthsxsuccess.sbs"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635190/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ntrinsicoutboundfirm.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635191/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.nuoria.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635192/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ogagix.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635193/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_11_07; classtype:trojan-activity; sid:91635193; rev:1;)
# Identification and alert fields for this batch (one rule per line; the line above and the
# last line are halves of rules that continue on the adjacent lines of the file).
#
#   - sid is the ThreatFox IOC id from the rule's reference URL with a leading 9
#     (ioc/1635194/ -> sid:91635194), so an alert's signature id leads straight back to
#     the indicator page; every rule here is rev:1.
#   - target:src_ip records the source address, i.e. the $HOME_NET client that sent the
#     request, as the target side of the event.
#   - classtype:trojan-activity is applied uniformly; the per-indicator rating is only in
#     msg and metadata (confidence_level 50).
#   - first_seen in metadata is the only age information carried by a rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.olombiabestcoffee.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635194/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.onus-connect.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635195/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.onvexphone.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635196/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.oreadybusiness.asia"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635197/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.otelgoldenheart.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635198/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.larityhrco.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635179/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.layoutbank.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635180/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.laywin159.mobi"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635181/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.lbtvod930.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635182/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.lounge.cash"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635183/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.louwhigraig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635184/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.moneynode.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635185/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.mpn22surabaya.sch.id"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635186/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.nnmm.beauty"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.notourdns.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635188/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.imguillorytampa.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635169/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.imyfpshmxxnis.website"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635170/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.indspark.fitness"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ingse258.life"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.irtualhouse.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.itchspellanddrops.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.jwv8d.top"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1635175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.keber.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.ks70yx.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635177/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.kurepier.house"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635178/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.gitim.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635160/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.gtwin9.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635161/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.hardware.bio"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635162/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.harmaciechamplain-orange.fr"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635163/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.heliosvoltaics.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635164/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; 
http.host; content:"www.himsygroveadventures.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635165/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635165; rev:1;)
# HTTP URL indicators from the ThreatFox feed. Each rule below fires on an
# established client-to-server request only when all three tests hold: the
# method buffer matches GET, the URI starts with the listed prefix (depth:6,
# nocase), and http.host equals the listed name (depth is the name's length and
# isdataat:!1,relative rejects any byte after it, so longer hostnames do not
# match). The feed marks these confidence_level 50; target:src_ip records the
# internal client as the affected side of the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.hx671.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635166/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.hyperliquid-app.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635167/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ibelimity.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635168/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ewafricakitchen.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635151/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.ewataslotbet60.store"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635152/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ewishamilton.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635153/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.exclusivity-music.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635154/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.fdhlg.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635155/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.fjoztwcountry.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635156/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.fkeeper.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635157/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.fkm88e.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635158/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.fsworld.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635159/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.clermonttreeservice.net"; depth:27;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635142/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635142; rev:1;)
# ThreatFox URL rules: GET request, fixed URI prefix, exact Host value.
# These are "alert http" rules, so they only see traffic the sensor parses as
# HTTP. The same host reached over TLS is not covered unless the traffic is
# decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.cyber-security-jobs-60364.bond"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635143/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.djzbgu.mobi"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635144/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ealthislife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635145/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ealthmindsettoday.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635146/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.eercoin.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635147/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.emanticvalue.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635148/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.enzoshop.store"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635149/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.etsynapseint.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635150/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ashvostro.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635133/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.atthunsane.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635134/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.avesandersonevents.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635135/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.aviagro.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635136/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.bor-trading.online"; depth:22; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1635137/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635137; rev:1;)
# ThreatFox URL rules (confidence_level 50). Host and URI prefix must both
# match: a request for another path on a listed host, or for the same prefix on
# an unlisted host, does not alert. The reference URL on each rule points at the
# feed's IOC record; check it before escalating a hit on an older entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.bw447.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635138/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.capitalsmg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635139/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.carewelltechinsurance.ac"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635140/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ccentricseahorse.pro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635141/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.94ozgcgq8ai.today"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635122/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.acnotworking.app"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635123/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.agtagshop.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635124/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.akryb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635125/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.aljhomeimprovementllc.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635126/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.amara99.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635127/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.anantapro.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635128/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.androseltium.sbs"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635129/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.arktmaastricht.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635130/; target:src_ip;
metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635130; rev:1;)
# ThreatFox URL rules: GET request, fixed URI prefix, exact Host value.
# In the rules shown here each sid is the ThreatFox IOC id from the reference
# URL with a leading 9 (IOC 1635131 -> sid 91635131), so an alert's signature id
# leads straight back to the feed record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.arryyeni-bossseo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635131/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.ashionbay.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635132/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.117a.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635116/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.1475p.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635117/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.21581.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635118/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ned5/"; depth:6; nocase; http.host; content:"www.371q.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635119/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.483650885622.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635120/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gb52/"; depth:6; nocase; http.host; content:"www.58e0as.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635121/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635121; rev:1;)
# DNS indicator: dns_query with depth equal to the name's length plus
# isdataat:!1,relative is a whole-name, case-insensitive match. Subdomains of
# the listed name and sibling names under the same parent are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"flowers-lounge.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635115/;
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635115; rev:1;)
# DNS indicators (exact, case-insensitive match on the queried name). The header
# is $HOME_NET -> $EXTERNAL_NET, so where clients use an internal resolver that
# $EXTERNAL_NET excludes, the alert's src_ip is likely the resolver rather than
# the querying workstation. Correlate with resolver query logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"diyarbakir.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635114/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nuevos2025.dynuddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635113/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635113; rev:1;)
# NOTE(review): the URI test in the next rule is content:"/" with depth:1, which
# practically every request URI satisfies, so the rule is effectively "any GET
# whose Host is 185.24.55.37".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.24.55.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1635112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635112; rev:1;)
# IP:port indicators. No flow, flags or content keywords are present, so any TCP
# packet from $HOME_NET to the address and port matches, including an unanswered
# SYN. An alert shows a connection attempt, not a completed C2 session.
# The threshold keeps output to one alert per source per 60 seconds for each rule.
alert tcp $HOME_NET any -> [118.195.142.38] 48888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635111; rev:1;)
alert tcp $HOME_NET any -> [37.59.103.250] 444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07;
classtype:trojan-activity; sid:91635110; rev:1;)
# ThreatFox IP:port rules: they match on destination address and port only.
# The malware family in msg is the feed's attribution. Nothing in the rule
# inspects payload, so a hit cannot confirm that family on the wire.
# An address can later be reassigned to an unrelated tenant, so weigh first_seen
# and the reference URL when triaging a match on an older entry.
alert tcp $HOME_NET any -> [45.61.157.210] 49 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635109/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635109; rev:1;)
alert tcp $HOME_NET any -> [188.212.158.97] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635108/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635108; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635107/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635107; rev:1;)
alert tcp $HOME_NET any -> [209.38.39.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635106/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635106; rev:1;)
alert tcp $HOME_NET any -> [39.100.76.30] 9091 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635105/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635105; rev:1;)
alert tcp $HOME_NET any -> [34.125.164.249] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635103/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635103; rev:1;)
alert tcp $HOME_NET any -> [102.209.117.183] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635104/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635104; rev:1;)
alert tcp $HOME_NET any -> [38.127.138.152] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635102/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635102; rev:1;)
alert tcp $HOME_NET any -> [13.40.101.124] 9333 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635100/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635100; rev:1;)
alert tcp $HOME_NET any -> [15.160.125.231] 12562 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635101/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635101; rev:1;)
alert tcp $HOME_NET any -> [211.217.97.121] 6000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635099/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635099; rev:1;)
alert tcp $HOME_NET any -> [185.148.146.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635095/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635095; rev:1;)
alert tcp $HOME_NET any -> [112.213.120.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635096/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635096; rev:1;)
alert tcp $HOME_NET any -> [158.160.66.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635097/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635097; rev:1;)
alert tcp $HOME_NET any -> [196.251.69.92] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635098/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635098; rev:1;)
alert tcp $HOME_NET any -> [136.107.24.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635094/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635094; rev:1;)
alert tcp $HOME_NET any -> [115.120.245.134] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635093/; target:src_ip; metadata:
confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635093; rev:1;)
# ThreatFox IP:port rules, limited to one alert per source per 60 seconds
# (threshold type limit, track by_src). With no flow keyword they can fire on
# the first packet toward the address, so pair a hit with flow records to see
# whether the connection was established and how much data moved.
alert tcp $HOME_NET any -> [119.29.107.2] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635091/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635091; rev:1;)
alert tcp $HOME_NET any -> [23.94.40.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635092/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635092; rev:1;)
alert tcp $HOME_NET any -> [103.54.62.91] 5543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635089/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635089; rev:1;)
alert tcp $HOME_NET any -> [119.29.64.87] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635090/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635090; rev:1;)
# DNS indicator the feed rates confidence_level 100 (payload delivery). It is an
# exact, case-insensitive match on the queried name and has no threshold, so
# every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1p.horizonspur.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1635088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635088; rev:1;)
alert tcp $HOME_NET any -> [162.216.240.143] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635087; rev:1;)
alert tcp $HOME_NET any -> [161.248.178.175] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635086/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635086; rev:1;)
alert tcp $HOME_NET any -> [43.209.252.30] 22622 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635085/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635085; rev:1;)
alert tcp $HOME_NET any -> [43.209.252.30] 22522 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635084/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635084; rev:1;)
alert tcp $HOME_NET any -> [43.209.252.30] 22422 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635083/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635083; rev:1;)
alert tcp $HOME_NET any -> [40.177.211.221] 11103 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635082/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07;
classtype:trojan-activity; sid:91635082; rev:1;)
# ThreatFox IP:port rules labelled Meterpreter by the feed (confidence_level 50).
# Some addresses appear with several ports (13.247.66.128, 51.85.5.246,
# 13.124.212.48). Each address/port pair has its own sid and its own threshold,
# so one client can raise several alerts for the same address within a minute.
alert tcp $HOME_NET any -> [196.75.79.3] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635081; rev:1;)
alert tcp $HOME_NET any -> [13.247.66.128] 32440 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635080/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635080; rev:1;)
alert tcp $HOME_NET any -> [13.247.66.128] 4840 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635079/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635079; rev:1;)
alert tcp $HOME_NET any -> [51.17.167.223] 623 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635078/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635078; rev:1;)
alert tcp $HOME_NET any -> [54.248.189.23] 49045 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635077/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635077; rev:1;)
alert tcp $HOME_NET any -> [51.85.5.246] 20546 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635076/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635076; rev:1;)
alert tcp $HOME_NET any -> [51.85.5.246] 12496 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635075/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635075; rev:1;)
alert tcp $HOME_NET any -> [13.124.212.48] 23543 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635074/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635074; rev:1;)
alert tcp $HOME_NET any -> [13.124.212.48] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635073/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635073; rev:1;)
alert tcp $HOME_NET any -> [18.132.2.88] 15443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635072/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635072; rev:1;)
alert tcp $HOME_NET any -> [35.152.140.123] 15717 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635071; rev:1;)
alert tcp $HOME_NET any -> [65.2.170.173] 12679
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635070; rev:1;) alert tcp $HOME_NET any -> [15.237.130.54] 832 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635069; rev:1;) alert tcp $HOME_NET any -> [51.112.53.149] 51200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635068; rev:1;) alert tcp $HOME_NET any -> [51.112.53.149] 15000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635067; rev:1;) alert tcp $HOME_NET any -> [15.160.231.245] 58000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635066; rev:1;) alert tcp $HOME_NET any -> [15.160.231.245] 40000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635065/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635065; rev:1;) alert tcp $HOME_NET any -> [15.160.231.245] 13000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635064; rev:1;) alert tcp $HOME_NET any -> [54.215.74.102] 43527 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635063/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635063; rev:1;) alert tcp $HOME_NET any -> [35.183.209.109] 2077 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635062/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635062; rev:1;) alert tcp $HOME_NET any -> [54.193.1.23] 1912 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635061; rev:1;) alert tcp $HOME_NET any -> [157.175.224.150] 31387 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635060/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635060; rev:1;) alert tcp $HOME_NET any -> [56.155.114.58] 9205 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635059/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635059; rev:1;) alert tcp $HOME_NET any -> [16.112.4.166] 7001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635058; rev:1;) alert tcp $HOME_NET any -> [18.143.94.10] 58603 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635057/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635057; rev:1;) alert tcp $HOME_NET any -> [18.143.94.10] 2403 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635056; rev:1;) alert tcp $HOME_NET any -> [18.143.94.10] 503 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635055/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635055; rev:1;) alert tcp $HOME_NET any -> [18.143.94.10] 103 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635054/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635054; rev:1;) alert tcp 
$HOME_NET any -> [52.53.178.160] 51005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635053; rev:1;) alert tcp $HOME_NET any -> [43.204.24.207] 4433 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635052/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635052; rev:1;) alert tcp $HOME_NET any -> [43.204.24.207] 83 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635051/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635051; rev:1;) alert tcp $HOME_NET any -> [16.16.186.179] 8089 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635050; rev:1;) alert tcp $HOME_NET any -> [16.16.186.179] 3389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635049/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635049; rev:1;) alert tcp $HOME_NET any -> [16.16.186.179] 789 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635048/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635048; rev:1;) alert tcp $HOME_NET any -> [18.231.92.247] 8090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635047; rev:1;) alert tcp $HOME_NET any -> [18.231.92.247] 4840 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635046; rev:1;) alert tcp $HOME_NET any -> [15.223.196.14] 2404 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635045; rev:1;) alert tcp $HOME_NET any -> [54.184.64.248] 22622 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635044; rev:1;) alert tcp $HOME_NET any -> [54.184.64.248] 15522 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635043; rev:1;) alert tcp $HOME_NET any -> [43.198.103.218] 788 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635042; rev:1;) alert tcp $HOME_NET any -> [51.92.24.138] 3000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635041; rev:1;) alert tcp $HOME_NET any -> [51.16.39.213] 18333 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635040; rev:1;) alert tcp $HOME_NET any -> [16.26.207.142] 995 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635039; rev:1;) alert tcp $HOME_NET any -> [16.79.104.148] 832 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635038; rev:1;) alert tcp $HOME_NET any -> [3.28.39.206] 2004 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635037/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91635037; rev:1;) alert tcp $HOME_NET any -> [43.218.76.37] 53282 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635036; rev:1;) alert tcp $HOME_NET any -> [13.212.19.134] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635035/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635035; rev:1;) alert tcp $HOME_NET any -> [15.237.183.150] 4840 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635034/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635034; rev:1;) alert tcp $HOME_NET any -> [40.192.121.174] 2 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635033/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635033; rev:1;) alert tcp $HOME_NET any -> [54.169.213.106] 3260 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635032; rev:1;) alert tcp $HOME_NET any -> [40.177.170.22] 83 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1635031/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635031; rev:1;) alert tcp $HOME_NET any -> [16.51.185.109] 49152 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635030/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635030; rev:1;) alert tcp $HOME_NET any -> [18.175.134.118] 3299 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635029/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635029; rev:1;) alert tcp $HOME_NET any -> [54.251.196.224] 1178 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635028/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635028; rev:1;) alert tcp $HOME_NET any -> [35.180.122.198] 1224 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635027/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635027; rev:1;) alert tcp $HOME_NET any -> [15.160.148.247] 789 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635026/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635026; rev:1;) alert tcp $HOME_NET any -> [18.183.80.144] 19271 (msg:"ThreatFox 
Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635025/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635025; rev:1;)
alert tcp $HOME_NET any -> [15.222.4.118] 1089 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635024/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635024; rev:1;)
alert tcp $HOME_NET any -> [51.44.25.228] 7170 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635023/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635023; rev:1;)
alert tcp $HOME_NET any -> [13.208.44.106] 21412 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635022/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635022; rev:1;)
# URL-type IOC rendered as an HTTP rule. It matches GET requests on established client-to-server
# flows whose http.uri buffer begins with "88.214.50.76". depth:12 equals the pattern length, so
# the match is anchored at offset 0 of the URI.
# NOTE(review): the pattern is a host address, while a request URI normally begins with "/".
# As written this rule looks unlikely to fire on ordinary origin-form requests; the host part of
# a URL is normally matched in the http.host buffer. Verify against the IOC page in `reference`
# before counting this rule as coverage for the endpoint.
# This rule carries no `threshold`, so every matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.214.50.76"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1635021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91635021; rev:1;)
alert tcp $HOME_NET any -> [13.49.73.244] 5901 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635020/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635020; rev:1;) alert tcp $HOME_NET any -> [54.176.30.152] 31023 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635019; rev:1;) alert tcp $HOME_NET any -> [15.168.61.26] 1913 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635018/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635018; rev:1;) alert tcp $HOME_NET any -> [63.33.62.169] 18245 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635017/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635017; rev:1;) alert tcp $HOME_NET any -> [115.233.60.197] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635016; rev:1;) alert tcp $HOME_NET any -> [115.233.60.197] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635015; rev:1;) alert tcp $HOME_NET any -> [162.217.85.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635014/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635014; rev:1;) alert tcp $HOME_NET any -> [106.13.78.105] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635013; rev:1;) alert tcp $HOME_NET any -> [47.121.29.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635012; rev:1;) alert tcp $HOME_NET any -> [77.221.148.90] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635011/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635011; rev:1;) alert tcp $HOME_NET any -> [77.221.148.90] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635010/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635010; rev:1;) alert tcp $HOME_NET any -> [172.191.98.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; 
sid:91635009; rev:1;) alert tcp $HOME_NET any -> [4.201.196.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635008; rev:1;) alert tcp $HOME_NET any -> [111.119.238.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635007; rev:1;) alert tcp $HOME_NET any -> [149.88.65.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635006; rev:1;) alert tcp $HOME_NET any -> [37.120.247.190] 10003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635005; rev:1;) alert tcp $HOME_NET any -> [37.120.247.190] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635004; rev:1;) alert tcp $HOME_NET any -> [37.120.247.190] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1635003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635003; rev:1;) alert tcp $HOME_NET any -> [16.163.116.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635002; rev:1;) alert tcp $HOME_NET any -> [106.54.208.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635001; rev:1;) alert tcp $HOME_NET any -> [149.88.65.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1635000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91635000; rev:1;) alert tcp $HOME_NET any -> [54.175.28.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634999; rev:1;) alert tcp $HOME_NET any -> [172.245.129.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634998; rev:1;) alert tcp $HOME_NET any -> [101.42.41.127] 54101 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634997; rev:1;) alert tcp $HOME_NET any -> [107.175.24.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634996/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634996; rev:1;) alert tcp $HOME_NET any -> [46.8.226.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634995; rev:1;) alert tcp $HOME_NET any -> [188.120.232.76] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634994; rev:1;) alert tcp $HOME_NET any -> [206.206.77.66] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634993; rev:1;) alert tcp $HOME_NET any -> [3.16.91.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634992/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634992; rev:1;) alert tcp $HOME_NET any -> [38.60.220.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634991; rev:1;) alert tcp $HOME_NET any -> [120.76.136.19] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634990; rev:1;) alert tcp $HOME_NET any -> [120.26.146.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634989; rev:1;) alert tcp $HOME_NET any -> [209.200.252.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634988/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634988; rev:1;) alert tcp $HOME_NET any -> [39.100.98.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634987/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634987; rev:1;) alert tcp $HOME_NET any -> [83.147.243.120] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634985; rev:1;)
# AsyncRAT C2 endpoint published at confidence level 100%. The rule matches on destination
# address and port only (no content or flow keyword), limited to one alert per source host
# per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [83.147.243.120] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634986; rev:1;)
# Domain IOCs matched in the DNS query name (`dns_query`). `depth` equals the pattern length and
# `isdataat:!1,relative` requires that no byte follows the pattern, so only the exact name
# matches (case-insensitively, via nocase). A query for a subdomain of it does not match.
# NOTE(review): the parent zones here look like shared dynamic-DNS / tunnelling services, which is
# presumably why the full hostname is matched and not the parent domain. Confirm before broadening.
# NOTE(review): `alert dns` sees only DNS that the sensor can parse. Lookups made over encrypted
# DNS are typically not visible to these rules and need resolver-side or endpoint telemetry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ansy20225.dynuddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blessbebenard21.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scvpdnfej.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634982; rev:1;)
alert tcp $HOME_NET any -> [62.234.180.14] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634981/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634981; rev:1;) alert tcp $HOME_NET any -> [3.105.127.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634980; rev:1;) alert tcp $HOME_NET any -> [31.59.41.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634979; rev:1;) alert tcp $HOME_NET any -> [13.56.140.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634978; rev:1;) alert tcp $HOME_NET any -> [43.138.21.125] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634977; rev:1;) alert tcp $HOME_NET any -> [43.138.21.125] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634976; rev:1;) alert tcp $HOME_NET any -> [108.61.192.191] 8181 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_07; classtype:trojan-activity; sid:91634975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.horizonspur.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4n.phoenixbogen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xk.phoenixbogen.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p2k.phoenixbogen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c3r.phoenixbogen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634970/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w92.phoenixbogen.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"be.phoenixbogen.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9.crystalmoor.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tqf.crystalmoor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.crystalmoor.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634965; rev:1;) 
# Reviewer notes for the rules below (laid out one rule per line; rule text is unchanged).
#
# Domain rules (alert dns ...):
#   `dns_query` selects the DNS query-name buffer (older spelling of `dns.query`).
#   `content` with `depth` equal to the name's length anchors the match at the start
#   of that buffer, and `isdataat:!1,relative` requires that no byte follows it.
#   Together with `nocase`, each rule fires only on that exact name, case-insensitively.
#   Other host names under the same parent domain are not covered unless listed.
#   These rules see only cleartext DNS sourced from $HOME_NET. If clients resolve through
#   an internal resolver, the alerting source is presumably the resolver, so pair alerts
#   with resolver query logs to find the originating host (verify against sensor placement).
#
# ip:port rules (alert tcp ...):
#   There is no payload or flow keyword, so any TCP packet from $HOME_NET to the listed
#   address and port matches. `threshold: type limit, track by_src, seconds 60, count 1`
#   caps output at one alert per source address per 60 seconds.
#   A hit shows contact with a listed endpoint, not a confirmed infection: weigh the
#   `confidence_level` and `first_seen` metadata and corroborate with host or proxy telemetry.
#
# Common fields:
#   `sid` is "9" followed by the ThreatFox IOC id that appears in the reference URL.
#   `target:src_ip` records the internal source as the target side in the alert event.

# --- payload-delivery domains and one ip:port entry, confidence_level 100 ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd2.crystalmoor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.crystalmoor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634963; rev:1;)
alert tcp $HOME_NET any -> [104.236.195.234] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gs.crystalmoor.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t7z.saffronkern.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bqk.saffronkern.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.saffronkern.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pc4.saffronkern.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8q.saffronkern.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aj.saffronkern.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634746; rev:1;)

# --- confidence_level 75 entries: lower confidence than the surrounding rules, so expect ---
# --- more triage per alert; the ip:port ones match on address and port alone.           ---
alert tcp $HOME_NET any -> [38.54.20.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634745/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634745; rev:1;)
alert tcp $HOME_NET any -> [165.154.225.239] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634744/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634744; rev:1;)
alert tcp $HOME_NET any -> [124.223.104.136] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634743/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634743; rev:1;)
alert tcp $HOME_NET any -> [1.94.62.205] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634742/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634742; rev:1;)
# The only domain rule in this run labelled "botnet C2 traffic" rather than "payload delivery".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gdatasoftvare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634741/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_07; classtype:trojan-activity; sid:91634741; rev:1;)

# --- confidence_level 100 entries ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z0r.nebularanke.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nq5.nebularanke.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634739; rev:1;)
alert tcp $HOME_NET any -> [206.119.174.5] 8081 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d34.nebularanke.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9.nebularanke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7x.nebularanke.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f2a.nebularanke.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7.whisperlake.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2r.whisperlake.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634732; rev:1;)
alert tcp $HOME_NET any -> [103.83.87.241] 2070 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634731; rev:1;)
alert tcp $HOME_NET any -> [154.86.157.18] 23001 (msg:"ThreatFox FatalRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634730; rev:1;)
alert tcp $HOME_NET any -> [103.226.153.164] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4n.whisperlake.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yxm4.whisperlake.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3q.whisperlake.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2v.whisperlake.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz4.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"h9m.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1p.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2k.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634721; rev:1;) alert tcp $HOME_NET any -> [16.171.54.42] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634720; rev:1;) alert tcp $HOME_NET any -> [88.214.50.133] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_07; classtype:trojan-activity; sid:91634719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9x.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634718/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ab7.sunny-harbor.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634717; rev:1;) alert tcp $HOME_NET any -> [202.10.48.87] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634716; rev:1;) alert tcp $HOME_NET any -> [89.111.155.168] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634715; rev:1;) alert tcp $HOME_NET any -> [20.83.189.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634713; rev:1;) alert tcp $HOME_NET any -> [37.97.172.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634714; rev:1;) alert tcp $HOME_NET any -> [35.223.103.96] 10443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634712; rev:1;) alert tcp $HOME_NET any -> [45.145.171.123] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634711; rev:1;) alert tcp $HOME_NET any -> [68.183.227.109] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634710; rev:1;) alert tcp $HOME_NET any -> [129.212.190.70] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634709; rev:1;) alert tcp $HOME_NET any -> [217.114.0.113] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634708; rev:1;) alert tcp $HOME_NET any -> [134.209.96.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634707/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightsilk.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serenapoint.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ic0nicr1ver.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadow-grove.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crystal-berry.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0onsh1nebay.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sunnyharbor.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serena-point.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dawn-mirror.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mighty-flora.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowgrove.ru"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1unarpetal.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dawnmirror.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mightyflora.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mintnord.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cindertau.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634689/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_06; classtype:trojan-activity; sid:91634689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"indigowelle.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ambergeist.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poisson6026.dedyn.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filigrane-dossier.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634684; rev:1;) alert tcp $HOME_NET any -> [194.113.72.222] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"zenithspitze.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634682; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative rejects any byte after it, so only a DNS query for exactly
# this name fires (case-insensitive via nocase). A longer name that contains it,
# including a subdomain, does not match.
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
# target:src_ip records the $HOME_NET host that sent the query as the alert target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gladeeiche.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vectorblitz.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634680; rev:1;)
# ip:port rules: there is no flow, app-layer or payload condition, so any TCP
# packet from $HOME_NET to this address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [124.198.132.80] 1234 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"echozauber.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tidalschatten.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"emberkiesel.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634676; rev:1;)
# confidence_level 75: the feed rates the following ip:port entries lower than
# the 100% ones. An address-and-port match carries no information about the
# traffic itself, so treat a hit (especially on port 443) as a lead to
# corroborate with host or TLS evidence rather than as confirmed C2.
alert tcp $HOME_NET any -> [77.110.114.27] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634672/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634672; rev:1;)
alert tcp $HOME_NET any -> [40.160.55.217] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634671/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634671; rev:1;)
alert tcp $HOME_NET any -> [40.160.55.206] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634670/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1ev.amberr-0-ck-et.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634669; rev:1;)
alert tcp $HOME_NET any -> [159.0.46.33] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634668/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634668; rev:1;)
alert tcp $HOME_NET any -> [158.69.225.86] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634667/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634667; rev:1;)
alert tcp $HOME_NET any -> [139.180.221.232] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634666/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634666; rev:1;)
alert tcp $HOME_NET any -> [137.175.65.213] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634665/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634665; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.91] 30150 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634664/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634664; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.8] 30244 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634663/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634663; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.64] 30055 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634662/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634662; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.43] 30202 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634660/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634660; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.47] 30106 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634661/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634661; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.227] 30034 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634658; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.230] 30202 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634659/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634659; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.225] 30035 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634657/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634657; rev:1;)
# ip:port rules, all rated confidence_level 75 by the feed. Each one matches any
# TCP packet from $HOME_NET to the listed address and port (no flow or payload
# condition); the threshold caps output at one alert per source host per
# 60 seconds, and target:src_ip records the internal host as the alert target.
# Every destination in this run is in 104.206.234.x or 104.140.154.x, on ports
# 30004-30244. An address-only hit is a lead to corroborate on the endpoint, and
# addresses can be reassigned, so use first_seen when ageing these rules out.
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
alert tcp $HOME_NET any -> [104.206.234.185] 30179 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634656/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634656; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.177] 30037 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634655/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634655; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.126] 30244 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634653/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634653; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.161] 30244 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634654/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634654; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.107] 30012 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634652/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634652; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.92] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634651/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634651; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.86] 30079 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634650/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634650; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.62] 30024 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634649/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634649; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.52] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634648/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634648; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.47] 30177 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634647; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.39] 30005 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634646/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634646; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.26] 30031 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634644/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634644; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.29] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634645/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634645; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.235] 30142 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634642/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634642; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.238] 30034 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634643/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634643; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.21] 30114 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634641/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634641; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.187] 30004 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634639/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634639; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.188] 30066 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634640/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634640; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.181] 30071 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634638/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634638; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.18] 30164 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634637/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634637; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.148] 30004 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634636/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634636; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.132] 30228 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634635/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634635; rev:1;)
alert
tcp $HOME_NET any -> [104.140.154.105] 30022 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634634/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634634; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative rejects any byte after it, so only a DNS query for exactly
# this name fires (case-insensitive via nocase). A longer name that contains it,
# including a subdomain, does not match.
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
# target:src_ip records the $HOME_NET host that sent the query as the alert target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ovs.amberr-0-ck-et.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8cj.amberr-0-ck-et.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h40.amberr-0-ck-et.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bz.lilacsilo.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634630; rev:1;)
# ip:port rules: there is no flow, app-layer or payload condition, so any TCP
# packet from $HOME_NET to this address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [192.151.255.213] 1688 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634629; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.2] 5077 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634628; rev:1;)
# NOTE(review): the next three names sit under ply.gg and portmap.host, which
# look like shared tunnelling / port-forwarding services (confirm). The exact-name
# match keeps each rule scoped to the one listed hostname rather than the whole
# parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopping-administrative.gl.at.ply.gg"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n-ea.gl.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johndoessssss-32696.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cq.lilacsilo.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fb.lilacsilo.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j0h.lilacsilo.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0b.lilacsilo.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"14.lilacsilo.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fsrm.lilacsilo.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fhp.lilacsilo.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634618; rev:1;)
alert tcp $HOME_NET any -> [159.69.179.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hy.fabiankorte.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hy.fundsreclaimllc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634616; rev:1;)
# URL rule: client-to-server traffic on an established flow, method GET. The
# http.uri pattern is "/" at depth 1 with no end anchor, which every request URI
# satisfies, so in practice this fires on any GET whose Host header is exactly
# the listed name (http.host is anchored at both ends and compared without
# nocase; Suricata lowercases that buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hy.fabiankorte.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hy.fundsreclaimllc.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634614; rev:1;)
# ip:port rules: there is no flow, app-layer or payload condition, so any TCP
# packet from $HOME_NET to this address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source host per 60 seconds; target:src_ip records the internal host as the
# alert target.
# The four Cobalt Strike entries below are rated confidence_level 75 and are on
# port 443: an address-only hit carries no information about the traffic, so
# corroborate with host or TLS evidence before treating it as confirmed C2.
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
alert tcp $HOME_NET any -> [171.43.169.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634612/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634612; rev:1;)
alert tcp $HOME_NET any -> [122.228.223.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634611/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634611; rev:1;)
alert tcp $HOME_NET any -> [117.21.178.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634610/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634610; rev:1;)
alert tcp $HOME_NET any -> [113.5.183.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634609/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634609; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative rejects any byte after it, so only a DNS query for exactly
# this name fires (case-insensitive via nocase). A longer name that contains it,
# including a subdomain, does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g1t4.starmarkt.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silicon-moss.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634607; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.225] 59007 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orbitkrone.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soniccobalt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8x1.starmarkt.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lotioniron.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"driftfels.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"siliconmoss.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0b3.starmarkt.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixel-orbit.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634598; rev:1;)
alert tcp $HOME_NET any -> [168.245.201.110] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1v0ry51gnai.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634596; rev:1;)
alert tcp $HOME_NET any -> [37.59.103.250] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634595; rev:1;)
alert tcp $HOME_NET any -> [176.46.158.9] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634594; rev:1;)
alert tcp $HOME_NET any -> [155.94.150.52] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634593; rev:1;)
alert tcp $HOME_NET any -> [172.201.48.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634592/; target:src_ip; metadata: confidence_level 100, first_seen
2025_11_06; classtype:trojan-activity; sid:91634592; rev:1;)
# ip:port rules: there is no flow, app-layer or payload condition, so any TCP
# packet from $HOME_NET to this address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source host per 60 seconds; target:src_ip records the internal host as the
# alert target.
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
alert tcp $HOME_NET any -> [107.175.148.72] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634591; rev:1;)
alert tcp $HOME_NET any -> [124.220.0.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634590; rev:1;)
alert tcp $HOME_NET any -> [156.238.233.21] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634589; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative rejects any byte after it, so only a DNS query for exactly
# this name fires (case-insensitive via nocase). A longer name that contains it,
# including a subdomain, does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solarviolet.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swiftfluss.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelorbit.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meteorsegel.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2f7.starmarkt.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphacinder.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634583; rev:1;)
# URL rules: client-to-server traffic on an established flow, method GET. The
# http.uri pattern is anchored at the start of the URI (depth equals its length)
# but not at the end, so a longer URI that begins with this path, for example
# one with a query string appended, also matches. The Host header must equal
# the listed name exactly (http.host is compared without nocase; Suricata
# lowercases that buffer).
# NOTE(review): the path below is under /wp-content/plugins/, so this host may be
# a compromised legitimate site; the feed rates the entry at 95. Confirm against
# the ThreatFox record before acting on the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-required-integumentary/index.php"; depth:55; nocase; http.host; content:"keyworksrl.it"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634578/; target:src_ip; metadata: confidence_level 95, first_seen 2025_11_06; classtype:trojan-activity; sid:91634578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flowascatch.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"flowascatch.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"flowascatch.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alpha-cinder.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9c.starmarkt.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ix.n0vaharbor.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5d.n0vaharbor.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634575; rev:1;)
# The "/api" prefix with no end anchor also matches longer paths that start with
# it; combined with confidence_level 75, expect this rule to need triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"auldlxm.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634574/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a6v1.brassufer.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5kch.n0vaharbor.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"pr.ember-grove.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"51cv.ember-grove.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d7x.ember-grove.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flintwiese.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dolmain.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5w8h.js"; depth:8; nocase; http.host; content:"dolmain.com"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"dolmain.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quartzraven.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h8s2.brassufer.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixe1tu1ip.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thunderforst.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z5m.brassufer.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5a.frost-indigo.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1q4.brassufer.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frostindigo.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e3k9.brassufer.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; 
classtype:trojan-activity; sid:91634556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5mx.ve1vet0rchid.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"et.ve1vet0rchid.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7d.brassufer.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"copperwerft.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bw9.ve1vet0rchid.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1t7.ironbucht.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g74n.maplexenon.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634549; rev:1;) alert tcp $HOME_NET any -> [8.137.17.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634491; rev:1;) alert tcp $HOME_NET any -> [165.154.224.126] 45231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634490; rev:1;) alert tcp $HOME_NET any -> [23.27.169.36] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634492; rev:1;) alert tcp $HOME_NET any -> [81.17.103.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634493/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634493; rev:1;)
# ip:port rules: no payload, flow or TCP-flag keyword is present, so the match is on the
# destination address and port alone. Any TCP packet from $HOME_NET to that endpoint qualifies;
# the threshold keyword caps output at one alert per source address per 60 seconds.
# NOTE(review): the msg names no malware family ("Unknown malware") and four of the five
# endpoints below are on port 443. Addresses can be reassigned or shared, so check first_seen in
# the metadata and the referenced ThreatFox entry before acting on a hit, and retire stale entries.
alert tcp $HOME_NET any -> [185.95.165.36] 4848 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634494; rev:1;)
alert tcp $HOME_NET any -> [52.54.98.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634495; rev:1;)
alert tcp $HOME_NET any -> [43.161.231.96] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634496; rev:1;)
alert tcp $HOME_NET any -> [37.32.26.5] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634497; rev:1;)
alert tcp $HOME_NET any -> [34.57.13.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634500; rev:1;)
alert tcp $HOME_NET any -> [161.97.140.124] 8081 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634498; rev:1;) alert tcp $HOME_NET any -> [13.48.76.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5g7o.js"; depth:8; nocase; http.host; content:"edentista.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edentista.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"edentista.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frt44"; depth:6; nocase; http.host; content:"168.100.11.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9l2.ironbucht.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kmg.maplexenon.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634543; rev:1;) alert tcp $HOME_NET any -> [220.158.234.77] 11211 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634542; rev:1;) alert tcp $HOME_NET any -> [193.143.1.64] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634540; rev:1;) alert tcp $HOME_NET any -> [193.143.1.64] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1634541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634541; rev:1;) alert tcp $HOME_NET any -> [136.119.79.219] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634539; rev:1;) alert tcp $HOME_NET any -> [91.205.191.202] 6767 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634537; rev:1;) alert tcp $HOME_NET any -> [91.205.191.202] 6262 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sislaps.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fortelio.karina2bento-com.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634535; rev:1;) 
# Domain rules: depth equals the length of the content string and isdataat:!1,relative rejects
# any byte after it, so each rule matches the whole query name only (case-insensitively, via
# nocase). A lookup for a subdomain of a listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1hx8.maplexenon.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f5q.ironbucht.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sz.maplexenon.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634532; rev:1;)
# The rules that follow are published at confidence level 50 but keep the same action (alert)
# and the same classtype (trojan-activity) as the 100% rules above, so the two groups cannot be
# told apart by classtype. The confidence is carried only in msg and in the
# "metadata: confidence_level" field.
# NOTE(review): if lower-confidence indicators should be triaged differently, filter on that
# metadata field when loading the ruleset or when routing alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sanguen.courses"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"tamku.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; 
content:"tamku.shoplerter.opnetorologies.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"significant-adopted-bearing-own.trycloudflare.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"forrbes.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634527; rev:1;) alert tcp $HOME_NET any -> [109.248.150.195] 7745 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dv3.bbanddd.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bot.osintitalia.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"teamc2.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634524; rev:1;)
# URL rule whose path is "/": the http.uri content is pinned to the start of the buffer by
# depth:1, but nothing closes the match (there is no isdataat:!1,relative after it), so the URI
# part is a prefix test that every request path satisfies. The rule therefore fires on any GET
# to the host. The http.host match is the only selective condition and is exact (depth equals
# the content length, followed by isdataat:!1,relative). Read a hit as "contacted this host over
# HTTP", at the stated confidence of 50, not as a match on a specific resource.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ee181.jiangyieeee.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634522; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634521; rev:1;)
alert tcp $HOME_NET any -> [15.160.125.231] 11112 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634519; rev:1;)
alert tcp $HOME_NET any -> [13.38.80.185] 50100 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634520/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_06; classtype:trojan-activity; sid:91634520; rev:1;) alert tcp $HOME_NET any -> [56.124.121.107] 12538 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634518; rev:1;) alert tcp $HOME_NET any -> [66.23.203.98] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634514; rev:1;) alert tcp $HOME_NET any -> [103.57.250.241] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634515; rev:1;) alert tcp $HOME_NET any -> [186.156.92.198] 81 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634516; rev:1;) alert tcp $HOME_NET any -> [47.77.192.39] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634517; rev:1;) alert tcp $HOME_NET any -> [122.51.31.224] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634513; rev:1;) alert tcp $HOME_NET any -> [122.51.31.224] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xt83.maplexenon.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634511; rev:1;) alert tcp $HOME_NET any -> [38.60.250.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634510; rev:1;) alert tcp $HOME_NET any -> [156.234.218.59] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_06; classtype:trojan-activity; sid:91634509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d7w2.zephyrsteg.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; 
sid:91634508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q88.maplexenon.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j4va.frosthain.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0r.zephyrsteg.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5m.maplexenon.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8w.amberr0cket.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"m3t9.zephyrsteg.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634502; rev:1;)
# Layout: one rule per line from here on. The line above and the last line of this span are halves
# of rules that continue outside the span; they are left exactly as found.
#
# Conventions visible in these rules: sid is "9" followed by the ThreatFox IOC id from the reference
# URL, and the confidence value in msg is repeated in metadata (confidence_level). target:src_ip
# marks the $HOME_NET side of the match as the target in alert output.
#
# dns rules: depth equals the length of the content string, which pins the match to the start of the
# query buffer, and isdataat:!1,relative requires that nothing follows it. Together they give an
# exact, case-insensitive (nocase) match on the listed name only; another host label under the same
# parent domain alerts only if it has a rule of its own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xse3.frosthain.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1r3.amberr0cket.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2d63.amberr0cket.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kp6.zephyrsteg.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634487; rev:1;)
# ip:port rule: no flow or content keywords, so a TCP packet from $HOME_NET to this address and port
# is enough to match, including a connection attempt that is never answered. The threshold caps
# output at one alert per source per 60 seconds. The match is on address and port alone; on a shared
# port such as 443, corroborate with host telemetry before attributing the traffic to the family
# named in msg.
alert tcp $HOME_NET any -> [23.88.114.55] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ka.fundsreclaimllc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634485; rev:1;)
# url rule: the URI content "/" with depth:1 is a prefix test (there is no isdataat on the URI
# buffer), so every GET to this host matches. The isdataat:!1,relative after the http.host content
# makes the host an exact match. The http keywords need a parsed, unencrypted request; when the
# session is encrypted, the dns rule for the same name (sid:91634485) is the one that can fire.
# NOTE(review): http.host carries no nocase; Suricata documents that buffer as lower-cased, which
# would make nocase unnecessary there -- confirm for the deployed version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ka.fundsreclaimllc.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oa.amberr0cket.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v4n1.zephyrsteg.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7rd.frosthain.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f8s.amberr0cket.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8c.zephyrsteg.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9x.frosthain.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u3k.amberr0cket.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0f8.solarfracht.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zm4.amberr0cket.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2l.solarfracht.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yzc.amberr0cket.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swm5.dr1ftpanda.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1x3.solarfracht.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"2n.dr1ftpanda.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634470; rev:1;)
# One rule per line below; the line above and the last line of this span are halves of rules cut at
# the span's edges and are left as found.
#
# dns rules in this span are exact-name matches: content anchored at the start of the query buffer
# by depth, closed by isdataat:!1,relative, compared case-insensitively (nocase). Several share a
# parent domain (dr1ftpanda.ru, solarfracht.online, l3rc-0.ru); each rule covers only its own host
# label, so a new label under the same parent is not detected by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qk7.solarfracht.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u3zc.dr1ftpanda.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6kb.l3rc-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.dr1ftpanda.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9m2.solarfracht.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hbo8.dr1ftpanda.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634464; rev:1;)
# ip:port rules in this span carry confidence level 75% in both msg and metadata. They match on
# destination address and port only -- no flow state, no payload -- and the threshold limits each
# rule to one alert per source per 60 seconds. NOTE(review): most of them are on 443; treat a hit
# as a lead to corroborate (host telemetry, TLS metadata) rather than as confirmation of the family
# named in msg.
alert tcp $HOME_NET any -> [198.55.102.84] 1818 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634463/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wmw2.dr1ftpanda.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634462; rev:1;)
alert tcp $HOME_NET any -> [8.218.173.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634461/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4v.solarfracht.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634460; rev:1;)
alert tcp $HOME_NET any -> [99.83.254.91] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634459/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634459; rev:1;)
alert tcp $HOME_NET any -> [62.106.66.143] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634458/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634458; rev:1;)
alert tcp $HOME_NET any -> [54.39.157.132] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634456/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634456; rev:1;)
alert tcp $HOME_NET any -> [54.39.16.39] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634457/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634457; rev:1;)
alert tcp $HOME_NET any -> [52.223.42.221] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634455/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vo5.dr1ftpanda.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634454; rev:1;)
alert tcp $HOME_NET any -> [46.8.78.79] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634453/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634453; rev:1;)
alert tcp $HOME_NET any -> [45.150.108.43] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634452/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634452; rev:1;)
alert tcp $HOME_NET any -> [40.160.61.8] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634451/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634451; rev:1;)
alert tcp $HOME_NET any -> [40.160.61.50] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634450/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634450; rev:1;)
alert tcp $HOME_NET any -> [40.160.53.57] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634448/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634448; rev:1;)
alert tcp $HOME_NET any -> [40.160.53.76] 443 (msg:"ThreatFox DeimosC2 botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634449/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634449; rev:1;)
# One rule per line below; the line above and the last line of this span are halves of rules cut at
# the span's edges and are left as found.
#
# ip:port rules (all confidence level 75% in this span): the only match criteria are the destination
# address and port in the rule header. With no flow keyword, a packet toward the address is enough to
# alert, so a hit shows an attempt to reach it, not that a session was established. The threshold
# keeps each rule to one alert per source host per 60 seconds. first_seen in metadata is the only
# age information carried; whether the address still hosts the named family cannot be told from
# the rule.
alert tcp $HOME_NET any -> [196.251.83.192] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634447/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634447; rev:1;)
alert tcp $HOME_NET any -> [189.235.164.54] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634446/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634446; rev:1;)
alert tcp $HOME_NET any -> [188.36.27.2] 80 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634445/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634445; rev:1;)
alert tcp $HOME_NET any -> [18.217.220.102] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634444/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634444; rev:1;)
alert tcp $HOME_NET any -> [166.117.137.157] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634443/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634443; rev:1;)
alert tcp $HOME_NET any -> [142.44.139.130] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634442/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3wz1.l3rc-0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634441; rev:1;)
# The 104.140.154.x rules below name seven addresses in one /24, each on its own high port (one
# address appears twice with two ports). The rules stay per address and per port: traffic to a
# neighbouring address or another port is outside their coverage.
alert tcp $HOME_NET any -> [104.206.234.59] 30034 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634440; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.54] 30042 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634439; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.27] 30079 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634438; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.202] 30091 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634436; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.203] 30191 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634437; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.189] 30181 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634435; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.167] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634434; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.102] 30244 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634432; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.102] 30254 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_06; classtype:trojan-activity; sid:91634433; rev:1;)
# dns rules: each matches one fully-qualified name exactly (depth equals the content length and
# isdataat:!1,relative forbids trailing data), case-insensitively. fast_pattern on the single content
# only tells the engine which pattern to prefilter on; it does not widen or narrow the match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7.kzg-w-4-y.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sj.dr1ftpanda.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9hm.l3rc-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5.tundrasable.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2.kzg-w-4-y.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v4q7p.l3rc-0.ru"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634426; rev:1;)
# One rule per line below; the line above and the last line of this span are halves of rules cut at
# the span's edges and are left as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e5.tundrasable.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634425; rev:1;)
# The three bb.* hosts below each get a dns rule and, further down, an http rule. The dns rule fires
# on the lookup of the exact name (depth equals the content length; isdataat:!1,relative forbids
# trailing data; nocase). The http rule needs a parsed, unencrypted GET whose Host value is exactly
# that name; its URI test, content "/" with depth:1, is satisfied by any path. An alert from both
# rules for one source host therefore describes the same contact seen at two layers, not two events.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.fabiankorte.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.ethicaltechinstitute.org.uk"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634424; rev:1;)
# NOTE(review): the http rules use the dotted sticky-buffer names (http.method, http.uri, http.host)
# while the dns rules use dns_query, the older spelling of dns.query -- confirm the deployed
# Suricata version still accepts both before loading the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bb.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bb.fabiankorte.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bb.ethicaltechinstitute.org.uk"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m.tundrasable.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634418; rev:1;)
# ip:port rules (confidence level 100% in this span): the header's destination address and port are
# the whole match; there is no flow or payload condition, and the threshold allows one alert per
# source host per 60 seconds per rule. The family named in msg comes from the feed entry, not from
# anything the rule inspects, so the alert identifies where the host connected rather than what
# was exchanged.
alert tcp $HOME_NET any -> [168.245.201.54] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634417; rev:1;)
alert tcp $HOME_NET any -> [31.97.134.73] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634416; rev:1;)
alert tcp $HOME_NET any -> [1.52.157.76] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634415; rev:1;)
alert tcp $HOME_NET any -> [47.250.118.135] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634414; rev:1;)
alert tcp $HOME_NET any -> [36.255.98.84] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634413; rev:1;)
alert tcp $HOME_NET any -> [129.212.190.70] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634411; rev:1;)
alert tcp $HOME_NET any -> [129.212.190.70] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634412; rev:1;)
alert tcp $HOME_NET any -> [93.113.98.36] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634410; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.28] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634409; rev:1;)
alert tcp $HOME_NET any -> [8.152.223.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634408; rev:1;)
alert tcp $HOME_NET any -> [101.126.151.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634407; rev:1;)
alert tcp $HOME_NET any -> [8.163.22.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634406; rev:1;)
alert tcp $HOME_NET any -> [194.87.10.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634405/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634405; rev:1;)
# One rule per line below; the line above and the last line of this span are halves of rules cut at
# the span's edges and are left as found.
#
# ip:port rules: matched on the destination address and port in the header only; the threshold
# allows one alert per source host per 60 seconds per rule.
alert tcp $HOME_NET any -> [119.45.25.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634403; rev:1;)
alert tcp $HOME_NET any -> [120.53.107.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634404; rev:1;)
alert tcp $HOME_NET any -> [121.197.3.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634401; rev:1;)
alert tcp $HOME_NET any -> [47.79.19.147] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634402; rev:1;)
# url rules (payload delivery): GET only, on an established client-to-server flow. The URI content
# is anchored at the start by depth but has no isdataat after it, so it is a prefix match: the
# listed path followed by a query string or a longer path still alerts. The host content is an
# exact match (depth plus isdataat:!1,relative). Requests over TLS are not visible to these
# keywords unless the sensor sees decrypted traffic; for imf1.com and smilesmash.com the dns rules
# in this span still fire on the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9h0y.js"; depth:8; nocase; http.host; content:"imf1.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"imf1.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"imf1.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634099; rev:1;)
# The next two rules match an IP literal in the http.host buffer while the header destination stays
# $EXTERNAL_NET any: they alert when the request names 72.5.43.147 as its Host value, and a request
# sent to that address under a different Host value is outside their coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frt44"; depth:6; nocase; http.host; content:"72.5.43.147"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2nd"; depth:4; nocase; http.host; content:"72.5.43.147"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634101; rev:1;)
# Confidence level 80% entries follow (two Mirai ip:port rules and one domain rule); the value is
# carried in both msg and metadata so it can be used for filtering or prioritisation downstream.
alert tcp $HOME_NET any -> [82.147.85.212] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634277/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_06; classtype:trojan-activity; sid:91634277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"ft.imugandas.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634278/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_06; classtype:trojan-activity; sid:91634278; rev:1;)
alert tcp $HOME_NET any -> [196.251.66.212] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634351/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_06; classtype:trojan-activity; sid:91634351; rev:1;)
alert tcp $HOME_NET any -> [18.230.118.147] 443 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634114; rev:1;)
# dns rules: exact, case-insensitive match on the full query name (depth equals the content length;
# isdataat:!1,relative forbids trailing data). A rule for a bare domain such as smilesmash.com does
# not match a lookup of a host beneath it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure.kasindramaharaj.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smilesmash.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"smilesmash.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"smilesmash.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.tundrasable.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wwe.kzg-w-4-y.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sm.tundrasable.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"c1k.coralglanz.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7.quasarorchid.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6k9.kzg-w-4-y.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9p.coralglanz.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x4m.quasarorchid.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634393; rev:1;) alert tcp $HOME_NET any -> [154.198.162.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1634391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634391; rev:1;) alert tcp $HOME_NET any -> [156.238.233.21] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634392; rev:1;) alert tcp $HOME_NET any -> [156.238.233.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634390; rev:1;) alert tcp $HOME_NET any -> [139.196.111.118] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634389; rev:1;) alert tcp $HOME_NET any -> [124.222.63.49] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bz.quasarorchid.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634387; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4p1m.kzg-w-4-y.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.quasarorchid.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ge.quasarorchid.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s8rk2.085-x-89-c.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5.coralglanz.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"p0x.opaldrift.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oz.opaldrift.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0la.085-x-89-c.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.opaldrift.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1p.opaldrift.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2w.coralglanz.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2w5e.085-x-89-c.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.opaldrift.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidoresethernet.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supercoolweb.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sa3.cedarnova.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; 
classtype:trojan-activity; sid:91634371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7.prismquelle.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634370; rev:1;) alert tcp $HOME_NET any -> [104.243.242.226] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3h7.085-x-89-c.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cm.cedarnova.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9tqn.085-x-89-c.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"n7.cedarnova.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0x.prismquelle.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1n.cedarnova.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5.cedarnova.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bqk.aspenatlas.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6y1.085-x-89-c.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1634360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8q.prismquelle.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.aspenatlas.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pc4.aspenatlas.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d7q.a-8-xp.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8q.aspenatlas.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; 
classtype:trojan-activity; sid:91634355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aj.aspenatlas.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hpn4.a-8-xp.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xk.vortexgipfel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p2.vortexgipfel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.prismquelle.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634349; rev:1;) alert tcp $HOME_NET any -> [13.53.40.179] 1337 (msg:"ThreatFox Empire 
Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634348; rev:1;) alert tcp $HOME_NET any -> [18.178.163.94] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634347; rev:1;) alert tcp $HOME_NET any -> [45.61.157.210] 911 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634346; rev:1;) alert tcp $HOME_NET any -> [125.24.165.154] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634345; rev:1;) alert tcp $HOME_NET any -> [34.207.216.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634344; rev:1;) alert tcp $HOME_NET any -> [102.117.161.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634343/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634343; rev:1;) alert tcp $HOME_NET any -> [192.3.136.221] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634342; rev:1;) alert tcp $HOME_NET any -> [114.67.65.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634341; rev:1;) alert tcp $HOME_NET any -> [42.192.49.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634340; rev:1;) alert tcp $HOME_NET any -> [120.55.101.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634339; rev:1;) alert tcp $HOME_NET any -> [1.95.207.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"ty3.a-8-xp.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c3r.vortexgipfel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z01.a-8-xp.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9.vortexgipfel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w2t.ravenpfad.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"be.vortexgipfel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tqf.summitmond.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3.ravenpfad.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.summitmond.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9r.a-8-xp.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd2.summitmond.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; 
sid:91634327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n7x.ravenpfad.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.summitmond.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2.a-8-xp.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gs.summitmond.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k.8-f-e8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"x4.ripplerover.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4.ravenpfad.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1v.8-f-e8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a2n.ripplerover.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pr6q.8-f-e8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zt3.ripplerover.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n8.ripplerover.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9am.8-f-e8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kp.ripplerover.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yxm.forgehafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.willowberg.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; 
sid:91634311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x4d.8-f-e8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4n.forgehafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2.forgehafen.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7k2.willowberg.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3k.forgehafen.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"t8.8-f-e8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz.forgehafen.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9m.lunarlicht.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7m2.7nf214.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1.lunarlicht.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.willowberg.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1634300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2k.lunarlicht.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3qd.7nf214.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7x.lunarlicht.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634297; rev:1;) alert tcp $HOME_NET any -> [91.92.243.7] 1155 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1w.cometwald.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634295; rev:1;) 
# ---------------------------------------------------------------------------
# ThreatFox-derived rules, one rule per line.
#
# Two rule shapes appear below:
#
#  * "payload delivery (domain ...)" rules inspect the DNS query name
#    (dns_query buffer). depth:N equals the length of the content string and
#    isdataat:!1,relative requires that nothing follows it, so the match is
#    on the exact query name, case-insensitively (nocase). Other hostnames
#    under the same parent domain are NOT covered by the rule.
#    NOTE(review): dns_query is the legacy spelling of dns.query - confirm
#    the deployed Suricata version still accepts it before upgrading.
#
#  * "botnet C2 traffic (ip:port ...)" rules have no payload or flow
#    keywords: any TCP packet from $HOME_NET to the listed address and port
#    matches, including a connection attempt that is never answered. An alert
#    therefore shows an attempt to reach the endpoint, not an established C2
#    session; confirm with flow, TLS or HTTP records for the same host. The
#    threshold keeps this to one alert per source address per 60 seconds.
#
# target:src_ip marks the $HOME_NET host as the affected side of the event.
# Each sid appears to be "9" followed by the ThreatFox IOC id that is given
# in the reference URL. first_seen is the only age information in the rule;
# IP-based indicators go stale, so check the referenced ThreatFox entry
# before acting on an old one.
# ---------------------------------------------------------------------------

# Payload delivery - exact DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ab.lunarlicht.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634294; rev:1;)

# C2 endpoints attributed to a named family (ip:port only, see header).
# Ports 80 and 443 on an address may also serve unrelated content.
alert tcp $HOME_NET any -> [51.155.228.1] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634293; rev:1;)
alert tcp $HOME_NET any -> [89.35.130.116] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634292; rev:1;)

# Payload delivery - exact DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n1k.7nf214.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634291; rev:1;)

# C2 endpoints attributed to a named family (ip:port only).
alert tcp $HOME_NET any -> [160.176.88.16] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634289; rev:1;)
alert tcp $HOME_NET any -> [18.217.155.157] 80 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634290; rev:1;)
alert tcp $HOME_NET any -> [212.71.246.109] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634288; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.166] 12352 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_06; classtype:trojan-activity; sid:91634287; rev:1;)

# Payload delivery - exact DNS query names (first_seen 2025_11_05).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.onyxmorgen.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.cometwald.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bz.onyxmorgen.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.onyxmorgen.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz0.7nf214.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5.onyxmorgen.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e5.paradeabend.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m.paradeabend.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.paradeabend.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634276; rev:1;)

# C2 endpoints with no family attribution ("Unknown malware" in msg).
# The rule text gives an analyst nothing beyond address and port; use the
# reference URL for context during triage.
alert tcp $HOME_NET any -> [69.62.69.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634275; rev:1;)
alert tcp $HOME_NET any -> [36.154.179.149] 6443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634273; rev:1;)
alert tcp $HOME_NET any -> [202.10.48.87] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634274; rev:1;)
alert tcp $HOME_NET any -> [52.200.91.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634271; rev:1;)
alert tcp $HOME_NET any -> [147.93.31.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634272; rev:1;)
alert tcp $HOME_NET any -> [159.223.5.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634270; rev:1;)
alert tcp $HOME_NET any -> [157.230.139.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634267; rev:1;)
alert tcp $HOME_NET any -> [136.113.83.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634268; rev:1;)
alert tcp $HOME_NET any -> [72.60.221.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634269; rev:1;)
alert tcp $HOME_NET any -> [52.54.155.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634265; rev:1;)
alert tcp $HOME_NET any -> [167.71.173.0] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634266; rev:1;)
alert tcp $HOME_NET any -> [78.153.131.140] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634262; rev:1;)
alert tcp $HOME_NET any -> [72.61.39.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634263; rev:1;)
alert tcp $HOME_NET any -> [87.106.64.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634264; rev:1;)
alert tcp $HOME_NET any -> [5.188.166.68] 54444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634261; rev:1;)
alert tcp $HOME_NET any -> [164.92.139.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634260; rev:1;)
alert tcp $HOME_NET any -> [92.113.21.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634259; rev:1;)
alert tcp $HOME_NET any -> [151.241.100.8] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634258; rev:1;)

# C2 endpoints attributed to a named family (ip:port only).
alert tcp $HOME_NET any -> [154.37.219.249] 60001 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634257; rev:1;)
alert tcp $HOME_NET any -> [38.175.194.35] 60001 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634256; rev:1;)

# C2 endpoints with no family attribution ("Unknown malware" in msg).
alert tcp $HOME_NET any -> [90.227.91.229] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634255; rev:1;)
alert tcp $HOME_NET any -> [188.148.129.144] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634253; rev:1;)
alert tcp $HOME_NET any -> [115.20.176.56] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634254; rev:1;)
alert tcp $HOME_NET any -> [37.192.32.102] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634252; rev:1;)
alert tcp $HOME_NET any -> [218.155.61.70] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634250; rev:1;)
alert tcp $HOME_NET any -> [220.92.206.44] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634251; rev:1;)
alert tcp $HOME_NET any -> [151.251.49.90] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634248; rev:1;)
alert tcp $HOME_NET any -> [210.123.100.70] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634249; rev:1;) alert tcp $HOME_NET any -> [44.244.204.235] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634247; rev:1;) alert tcp $HOME_NET any -> [212.15.49.246] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634245; rev:1;) alert tcp $HOME_NET any -> [192.252.180.23] 8880 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634246; rev:1;) alert tcp $HOME_NET any -> [176.46.158.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634243; rev:1;) alert tcp $HOME_NET any -> [103.125.219.16] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1634244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634244; rev:1;) alert tcp $HOME_NET any -> [192.159.99.232] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634242; rev:1;) alert tcp $HOME_NET any -> [103.184.47.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634240; rev:1;) alert tcp $HOME_NET any -> [47.105.117.209] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634241; rev:1;) alert tcp $HOME_NET any -> [124.223.25.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634239; rev:1;) alert tcp $HOME_NET any -> [59.110.144.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634237; rev:1;) alert tcp $HOME_NET any -> [178.16.54.35] 8080 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634238; rev:1;) alert tcp $HOME_NET any -> [1.14.96.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.paradeabend.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2p.7nf214.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0z.sproutkraft.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7k2.sk-f0s.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1634232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634232; rev:1;)
# --- Domain IOCs (alert dns) ---
# Template: dns_query + content:"<name>" with depth equal to the name's length and
# isdataat:!1,relative, i.e. the whole queried name must equal the listed name
# (nocase makes the comparison case-insensitive). Subdomains of a listed name, and the
# bare parent domain, are not matched by these rules.
# target:src_ip marks the querying $HOME_NET host as the affected side in alert output.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.sproutkraft.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.sk-f0s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1.sproutkraft.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gh.7nf214.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.sproutkraft.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9p3.566318z8.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n7.cobaltwolke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.cobaltwolke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z.566318z8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9.cobaltwolke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bq.cobaltwolke.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2x.566318z8.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.velvetnebel.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.566318z8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pc.velvetnebel.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.velvetnebel.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634212; rev:1;)
# --- ip:port IOCs (alert tcp) ---
# These rules carry no flow or payload keywords: any TCP packet from $HOME_NET to the listed
# address and port matches, so a hit shows a connection attempt to the endpoint, not an
# identified malware protocol. threshold type limit / track by_src / count 1 / seconds 60
# caps output at one alert per source address per minute for each sid.
# NOTE(review): the malware family in msg and the confidence_level in metadata come from the
# feed; for confidence_level 50 entries, corroborate with host telemetry before acting.
alert tcp $HOME_NET any -> [198.135.48.117] 52404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mal289re1.es"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.velvetnebel.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xoilaczzzoz.tv"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634208; rev:1;)
alert tcp $HOME_NET any -> [43.163.215.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634207/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634207; rev:1;)
alert tcp $HOME_NET any -> [54.215.246.24] 9042 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634206; rev:1;)
alert tcp $HOME_NET any -> [45.221.115.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634205; rev:1;)
alert tcp $HOME_NET any -> [15.223.199.130] 2000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634204/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634204; rev:1;)
alert tcp $HOME_NET any -> [44.244.204.235] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634203/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634203; rev:1;)
# NOTE(review): 37.106.40.89 is listed below on many separate ports, each as its own sid at
# confidence_level 50, including ports normally used by other services (102, 113, 591, 636).
# Presumably scan-derived; verify against the referenced ThreatFox IOC pages. Because the
# threshold is per sid, one client touching several of these ports yields one alert per port.
alert tcp $HOME_NET any -> [37.106.40.89] 9944 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634202/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634202; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 16048 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634197/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634197; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 2134 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634198/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634198; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 2133 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634199/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634199; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 12557 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634200/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634200; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 102 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634201/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634201; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 30025 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634191/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634191; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 19015 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634192/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634192; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 18063 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634193/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634193; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 12352 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634194/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634194; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 21025 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634195/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634195; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 2568 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634196/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634196; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 3524 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634185/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634185; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 113 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634186/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634186; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 42443 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634187; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 9003 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634188/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634188; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 636 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634189/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634189; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 49152 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634190/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634190; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 591 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634180/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634180; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 7801 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634181/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634181; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 16046 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634182/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634182; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 887 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634183/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634183; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 21001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634184/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634184; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 8015 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634174/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634174; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 7403 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634175/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634175; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 55442 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634176/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634176; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 8109 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634177/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634177; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 8173 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634178/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634178; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 21243 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634179/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634179; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 4095 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634169/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634169; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 3333 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634170/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634170; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 5357 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634171/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634171; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 2332 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634172/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634172; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 12349 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634173/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634173; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 5251 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634163/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634163; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 451 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634164/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634164; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 4321 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634165/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634165; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 9797 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634166/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634166; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 4103 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634167/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634167; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 8554 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634168/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634168; rev:1;)
alert tcp $HOME_NET any -> [184.105.8.117] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634157/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634157; rev:1;)
alert tcp $HOME_NET any -> [172.237.132.129] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634158/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634158; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 8334 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634159/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634159; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 10023 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634160/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634160; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 12201 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634161/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634161; rev:1;)
alert tcp $HOME_NET any -> [37.106.40.89] 6081 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634162/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634162; rev:1;)
alert tcp $HOME_NET any -> [51.79.189.220] 8889 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634155/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634155; rev:1;)
alert tcp $HOME_NET any -> [184.105.8.220] 135 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634156/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91634156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cm.pixelstern.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7k2.q3v8p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.q3v8p.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7.pixelstern.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0.pixelstern.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"29q.n-61-5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.pixelstern.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.falconhimmel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1p.n-61-5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.q3v8p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd.falconhimmel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz0.n-61-5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634143; rev:1;)
alert tcp $HOME_NET any -> [64.225.11.206] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634142; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.29] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634141; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.27] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634140; rev:1;)
alert tcp $HOME_NET any -> [178.16.52.57] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4.falconhimmel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"op.2218pb.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.falconhimmel.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634136; rev:1;)
alert tcp $HOME_NET any -> [91.99.74.194] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634134; rev:1;)
alert tcp $HOME_NET any -> [95.216.183.94] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634135; rev:1;)
alert tcp $HOME_NET any -> [138.199.228.42] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mv.ethicaltechinstitute.org.uk"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mv.fabiankorte.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4r2.n-61-5.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634130; rev:1;)
# --- URL IOCs (alert http) ---
# http.uri content:"/" with depth:1 is satisfied by any path starting with "/", so these rules
# reduce to: established client-to-server GET whose http.host equals the listed value exactly
# (depth = length, isdataat:!1,relative).
# NOTE(review): these match only HTTP the sensor can parse in cleartext. 95.216.183.94 is also
# listed above as an ip:port IOC on 443, so if that traffic is TLS the http rule will not fire
# without decryption; the dns and ip:port entries are what would cover it then.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mv.ethicaltechinstitute.org.uk"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mv.fabiankorte.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.183.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kz.harborfreund.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m.harborfreund.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vj3.n-61-5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.harborfreund.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8.n-61-5.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.harborfreund.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2k8.d-k-6j.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0z.cloverschnee.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; 
sid:91634119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.cloverschnee.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634118; rev:1;) alert tcp $HOME_NET any -> [31.215.13.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634117/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634117; rev:1;) alert tcp $HOME_NET any -> [27.185.226.162] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634116/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cmv.d-k-6j.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634115; rev:1;) alert tcp $HOME_NET any -> [172.104.138.71] 1234 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634113/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634113; rev:1;) alert tcp $HOME_NET any -> [169.55.102.20] 9979 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1634112/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2.cloverschnee.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zk8.384v2271.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.cloverschnee.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r01.d-k-6j.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1x.384v2271.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91634107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1.embergarten.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7n.d-k-6j.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2.embergarten.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xq9.d-k-6j.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7.embergarten.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634102; rev:1;) alert tcp $HOME_NET any -> [91.92.242.116] 8082 (msg:"ThreatFox ValleyRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634096; rev:1;)
# ThreatFox IOC rules (first_seen 2025_11_05): ip:port, domain and url indicators, one rule each.
# ip:port rules carry no payload or flow keywords; the threshold limits them to one alert
# per source address per 60 seconds. The feed emits one rule per port: this address is
# listed on 8081 here and on 8082 under sid 91634096.
alert tcp $HOME_NET any -> [91.92.242.116] 8081 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634095; rev:1;)
# domain rules: depth equal to the content length plus isdataat:!1,relative makes each of
# these an exact, case-insensitive match on the whole DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quontran.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.embergarten.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a4.d-k-6j.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634092; rev:1;)
# NOTE(review): detection gap. Unlike the other url rules visible in this part of the file,
# this one has no http.host match and instead looks for the address literal at the very
# start of http.uri (depth:14). A request URI normally begins with the path, so this rule
# probably does not fire on ordinary requests to that address - presumably the source IOC
# was a URL without a path. Verify against the ThreatFox entry referenced in the rule, and
# do not count this sid as coverage for the address until that is confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"109.107.170.21"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1634091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634091; rev:1;)
alert tcp $HOME_NET any -> [192.3.136.217] 8268 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634090; rev:1;)
# NOTE(review): this endpoint is on port 80 and the rule inspects no payload, so any TCP
# packet to it alerts; whether the address hosts anything else cannot be told from the rule.
alert tcp $HOME_NET any -> [185.165.169.252] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bpu.v4-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dv6.kgto6b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mlo.j-7m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634086; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9yi.j935.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634085; rev:1;) alert tcp $HOME_NET any -> [216.250.251.199] 4142 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634084/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0x.kgto6b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xa2.027-7i.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e7f.oqtx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0i4.4qo8.ru"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1634080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5wf.yw9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9h3.kgto6b.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hp.5g-t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634077; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 54644 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6.027-7i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634075; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uq.v4-z.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"za1.kgto6b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uh.67tf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7m4.lweaq9b.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2v.kgto6b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"x74.j-7m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.znx7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634068; rev:1;) alert tcp $HOME_NET any -> [45.144.174.2] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634065; rev:1;) alert tcp $HOME_NET any -> [116.203.204.172] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634066; rev:1;) alert tcp $HOME_NET any -> [158.94.208.47] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634067; rev:1;) alert tcp $HOME_NET any -> [46.203.233.236] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634059; 
rev:1;) alert tcp $HOME_NET any -> [176.65.132.21] 9487 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634060; rev:1;) alert tcp $HOME_NET any -> [82.27.2.153] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634061; rev:1;) alert tcp $HOME_NET any -> [69.164.242.42] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634062; rev:1;) alert tcp $HOME_NET any -> [37.114.37.13] 7777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634063; rev:1;) alert tcp $HOME_NET any -> [64.72.205.163] 56699 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634064; rev:1;) alert tcp $HOME_NET any -> [185.208.159.151] 8235 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634056/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634056; rev:1;)
# ThreatFox IOC rules (first_seen 2025_11_05): ip:port, domain and url indicators, one rule each.
# ip:port rules match on the destination address and port only; the threshold limits each
# to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [185.14.92.5] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634057; rev:1;)
alert tcp $HOME_NET any -> [82.27.2.154] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634058; rev:1;)
# domain rules: exact, case-insensitive match on the whole DNS query name
# (depth equals the content length; isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.kgto6b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vhi.j935.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n9i.oqtx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634053; rev:1;)
# url rule: the URI content is anchored at the start only (depth:8, no end anchor), so any
# GET whose URI begins with this path matches, case-insensitively; the Host value must be
# exactly the listed address. The rule needs a parsed cleartext HTTP request to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr.exe"; depth:8; nocase; http.host; content:"176.46.158.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634038; rev:1;)
# In the ip:port rules below the family name appears only in msg; classtype and the
# "botnet C2 traffic" wording are the same template for every family, so triage should
# start from the ThreatFox entry in the reference rather than from the classtype.
alert tcp $HOME_NET any -> [111.229.48.203] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634052; rev:1;)
alert tcp $HOME_NET any -> [98.84.187.81] 35349 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634051; rev:1;)
# No family is named for this indicator ("Unknown malware" in msg).
alert tcp $HOME_NET any -> [213.210.13.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634050; rev:1;)
alert tcp $HOME_NET any -> [62.171.190.148] 1111 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634049; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1634048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634048; rev:1;) alert tcp $HOME_NET any -> [144.124.240.165] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n8z.lweaq9b.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2cr.4qo8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hf.yw9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1sp.5g-t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634043; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u3c.v4-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t8cz.y2u-72.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7yf.67tf.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"os.j-7m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lr.znx7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7ya.y2u-72.ru"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1o.j935.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2lmx.y2u-72.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"io8.oqtx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o4.4qo8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634032; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 50551 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91634031; rev:1;)
# ThreatFox IOC rules (first_seen 2025_11_05): domain, url and ip:port indicators, one rule each.
# domain rules: exact, case-insensitive match on the whole DNS query name
# (depth equals the content length; isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndy.yw9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lga.5g-t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7.v4-z.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634028; rev:1;)
# The next two url rules are published at confidence 75 (in both msg and metadata) but use
# the same alert action and classtype as the confidence-100 rules, so the difference is
# visible only in those two fields. The URI match is a prefix match on "/work/" (depth:6).
# NOTE(review): consider routing confidence_level 75 alerts to a lower triage priority.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work/"; depth:6; nocase; http.host; content:"oasioncounertstrike.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work/"; depth:6; nocase; http.host; content:"levovestrigerklobis.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634026/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91634026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7x.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pul.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7c5.kzg-w-4y.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zon.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e9rn.y2u-72.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9xz.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634020; rev:1;)
# The url rule and the ip:port rule that follow name the same address. The url rule needs a
# parsed HTTP GET with this exact Host and URI prefix; the ip:port rule inspects no payload
# and matches any TCP packet to port 443 on that address.
# NOTE(review): presumably encrypted sessions to 443 are visible only to the ip:port
# rule - confirm against how the sensor handles TLS before treating the url rule as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/ojkdam4t.ik05p"; depth:23; nocase; http.host; content:"136.0.141.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634007; rev:1;)
alert tcp $HOME_NET any -> [136.0.141.235] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/u9shv5da.jh57u"; depth:23; nocase; http.host; content:"151.243.113.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b56f6970725f4fdeaf08fda137f0a45c_build.bin"; depth:43; nocase; http.host; content:"62.60.226.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1634019/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2q9a.kzg-w-4y.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qak.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u5q8.y2u-72.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ljh.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0bn4.kzg-w-4y.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frt.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6q.i1msth.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2pq.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"00x.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8t3k.kzg-w-4y.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9.wo-h3.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634005; rev:1;)
# Domain IOCs: depth equals the length of the content string and isdataat:!1,relative
# requires that nothing follows it, so each rule matches the DNS query name exactly
# (case-insensitively); other names under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5x.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1r6.kzg-w-4y.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1634003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634003; rev:1;)
# NOTE(review): unlike the other url rules in this feed, sid:91634002 has no http.host
# match; its only pattern is a bare host name anchored to the first 10 bytes of http.uri.
# A request URI normally begins with "/", so this rule probably never fires on ordinary
# GET requests. It looks as if the IOC was recorded without scheme or path; confirm
# against the referenced ThreatFox entry, and do not count this rule as coverage for the
# host unless a local http.host or dns_query rule backs it up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jgj535.lol"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1634002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634002; rev:1;)
# ip:port IOCs: no payload or flow keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [72.61.141.82] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634001; rev:1;)
alert tcp $HOME_NET any -> [58.244.47.107] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91633999; rev:1;) alert tcp $HOME_NET any -> [37.27.17.205] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1634000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91634000; rev:1;) alert tcp $HOME_NET any -> [168.245.200.26] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633998; rev:1;) alert tcp $HOME_NET any -> [80.211.238.184] 43 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drpolok.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633996; rev:1;) alert tcp $HOME_NET any -> [178.16.54.21] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633995; rev:1;) alert tcp $HOME_NET any -> [196.251.87.168] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kastefer8jagr1.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633993; rev:1;) alert tcp $HOME_NET any -> [8.130.22.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u5bd1.i1msth.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"04.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lx.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91633989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"42.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3l.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"were-eye.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633842; rev:1;) alert tcp $HOME_NET any -> [45.154.98.167] 2727 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633840; rev:1;) alert tcp $HOME_NET any -> [91.219.82.190] 5552 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633841/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"surit2948estoat02.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633839/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hxipzknrsojnitzv.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633838/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gamindcr.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"logs.skillface.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633837/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633837; rev:1;) alert tcp $HOME_NET any -> [103.54.153.108] 8809 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633835/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4k.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633834/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633834; rev:1;)
# NOTE(review): in the next two rules the http.uri pattern is only "/" at offset 0
# (nocase has no effect on it), which any request path starting with "/" satisfies.
# In practice they alert on every GET whose http.host equals the listed value exactly
# (depth = pattern length plus isdataat:!1,relative). Treat a hit as a host-level
# indicator at the stated 50% confidence and corroborate it before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mei34.toptubereviews.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633833/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"69.62.75.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633832/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633832; rev:1;)
# ip:port IOCs at 50% confidence: there are no payload or flow keywords, so any TCP packet
# from $HOME_NET to the address and port matches (one alert per source per 60 seconds).
# The rule identifies a destination, not a malware protocol; the family named in msg
# comes from the feed and is not verified by the traffic itself.
alert tcp $HOME_NET any -> [54.207.55.128] 4949 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633831/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633831; rev:1;)
alert tcp $HOME_NET any -> [120.197.127.138] 8008 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633830/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633830; rev:1;)
alert tcp $HOME_NET any -> [105.101.4.116] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633828/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633828; rev:1;) alert tcp $HOME_NET any -> [94.154.35.73] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633827/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633827; rev:1;) alert tcp $HOME_NET any -> [83.147.245.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633826/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633826; rev:1;) alert tcp $HOME_NET any -> [72.11.151.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633824/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633824; rev:1;) alert tcp $HOME_NET any -> [170.239.86.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633825/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633825; rev:1;) alert tcp $HOME_NET any -> [218.146.160.46] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633822/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633822; rev:1;) alert tcp $HOME_NET any -> [115.21.120.70] 6000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633823/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633823; rev:1;) alert tcp $HOME_NET any -> [16.28.103.75] 12366 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633821/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633821; rev:1;) alert tcp $HOME_NET any -> [111.228.35.33] 9898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633820/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633820; rev:1;) alert tcp $HOME_NET any -> [122.51.31.224] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633819/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633819; rev:1;) alert tcp $HOME_NET any -> [120.26.92.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633818/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; classtype:trojan-activity; sid:91633818; rev:1;) alert tcp $HOME_NET any -> [43.242.32.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633817/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91633817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d9.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amyt11besco01.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0sj.i1msth.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3w7a.gfk-8120.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633813; rev:1;) alert tcp $HOME_NET any -> [20.157.75.32] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633810; rev:1;) alert tcp $HOME_NET any -> [18.214.182.95] 443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633811; rev:1;) alert tcp $HOME_NET any -> [147.93.190.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633812; rev:1;) alert tcp $HOME_NET any -> [157.230.139.52] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633808; rev:1;) alert tcp $HOME_NET any -> [34.122.149.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633809; rev:1;) alert tcp $HOME_NET any -> [54.37.156.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633805; rev:1;) alert tcp $HOME_NET any -> [202.10.44.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633806/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_05; classtype:trojan-activity; sid:91633806; rev:1;) alert tcp $HOME_NET any -> [121.78.125.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633807; rev:1;) alert tcp $HOME_NET any -> [3.144.118.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633803; rev:1;) alert tcp $HOME_NET any -> [161.8.70.19] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633804; rev:1;) alert tcp $HOME_NET any -> [35.89.213.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633799; rev:1;) alert tcp $HOME_NET any -> [78.153.131.234] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633800; rev:1;) alert tcp $HOME_NET any -> [207.248.2.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633801; rev:1;)
# ip:port indicators (botnet C2, family "Unknown malware"), one rule per line.
# Each rule matches TCP from $HOME_NET to a single address and port. There is
# no flow or content keyword, so any packet to that endpoint qualifies,
# including a connection attempt that is never answered: an alert shows that
# contact was attempted, not that a C2 session was established.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source host per 60 seconds. target:src_ip records the $HOME_NET
# host as the target of the event.
# NOTE(review): an address/port pair says nothing about the protocol spoken,
# and addresses can be reassigned; check first_seen and the ThreatFox
# reference before treating a hit as confirmed.
alert tcp $HOME_NET any -> [108.137.184.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633802; rev:1;)
alert tcp $HOME_NET any -> [43.218.106.9] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633797; rev:1;)
alert tcp $HOME_NET any -> [121.4.105.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633798; rev:1;)
alert tcp $HOME_NET any -> [34.207.46.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633794; rev:1;)
alert tcp $HOME_NET any -> [13.229.25.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633795; rev:1;)
alert tcp $HOME_NET any -> [157.245.51.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633796; rev:1;)
alert tcp $HOME_NET any -> [13.208.185.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633792; rev:1;)
alert tcp $HOME_NET any -> [18.216.188.1] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633793; rev:1;)
alert tcp $HOME_NET any -> [20.0.3.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633791; rev:1;)
alert tcp $HOME_NET any -> [147.93.31.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633789; rev:1;)
alert tcp $HOME_NET any -> [103.237.86.178] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633790; rev:1;)
alert tcp $HOME_NET any -> [193.233.18.177] 39393 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633787; rev:1;)
alert tcp $HOME_NET any -> [35.174.57.156] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633788; rev:1;)
alert tcp $HOME_NET any -> [43.132.175.104] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633786; rev:1;)
alert tcp $HOME_NET any -> [66.222.156.51] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633785; rev:1;)
alert tcp $HOME_NET any -> [213.244.243.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; 
sid:91633784; rev:1;)
# ip:port indicators (botnet C2). Each rule matches TCP from $HOME_NET to one
# address and port with no flow or content keyword, so a bare connection
# attempt is enough to alert. threshold limits output to one alert per source
# host per 60 seconds. The malware family is carried only in msg.
alert tcp $HOME_NET any -> [5.182.211.16] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633783; rev:1;)
alert tcp $HOME_NET any -> [2.59.134.234] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633782; rev:1;)
alert tcp $HOME_NET any -> [18.167.20.90] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633780; rev:1;)
alert tcp $HOME_NET any -> [212.14.244.222] 806 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633781; rev:1;)
alert tcp $HOME_NET any -> [39.104.81.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633779; rev:1;)
# Domain indicators (payload delivery). The match is on the DNS query name:
# depth equals the length of the content and isdataat:!1,relative requires
# that nothing follows it, so only the exact host name matches, in any letter
# case (nocase). Other host names under the same parent domain do not match;
# several entries below share a parent (gfk-8120.ru, i1msth.com) and each has
# its own rule. These rules carry no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ik.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nzs.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5z0t.gfk-8120.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"20q.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8y.i1msth.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h93.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2x8.gfk-8120.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ke0.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3nkd.i1msth.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7m1v.gfk-8120.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"z6l.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633767; rev:1;)
# Two rule shapes are interleaved here, one rule per line.
#  - "alert dns": exact, case-insensitive match on the queried host name
#    (depth equals the content length; isdataat:!1,relative forbids trailing
#    data). Other names under the same parent domain do not match.
#  - "alert tcp ... [addr] port": any TCP packet from $HOME_NET to that
#    endpoint, at most one alert per source per 60 seconds (threshold). No
#    flow or content keyword, so an unanswered connection attempt also alerts.
# The tcp rules in this span carry confidence_level 75 in metadata, lower than
# the 100 on the domain rules; the value is available for triage ordering.
alert tcp $HOME_NET any -> [196.251.70.24] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633766/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4p9q.gfk-8120.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"els.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9w4.i1msth.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wdr.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5i.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0x0.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0x9a.3-f72v.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2e.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8r5q.3-f72v.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633757; rev:1;)
# Labelled botnet C2 rather than payload delivery. The exact-name match covers
# this one host under duckdns.org only; other duckdns.org names do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhfhfdkhdfdk32.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633756; rev:1;)
alert tcp $HOME_NET any -> [194.87.245.7] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633755/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aj.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y1t4.3-f72v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633753; rev:1;)
alert tcp $HOME_NET any -> [193.233.161.219] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633752/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.i1msth.com"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1633751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633751; rev:1;)
# Domain rules: exact, case-insensitive match on the queried host name (depth
# equals the content length, isdataat:!1,relative forbids trailing data), no
# threshold. ip:port rules: any TCP packet from $HOME_NET to the endpoint, at
# most one alert per source per 60 seconds, with no flow or content keyword.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pv.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3d8n.3-f72v.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bh.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633748; rev:1;)
# The ip:port rules that follow carry confidence_level 75 (one carries 80),
# below the 100 on the domain rules. Several use port 443, so the rule alone
# cannot tell C2 from ordinary TLS to the same address.
# NOTE(review): weigh the confidence value and first_seen when triaging.
alert tcp $HOME_NET any -> [40.160.61.15] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633747/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633747; rev:1;)
alert tcp $HOME_NET any -> [40.160.57.173] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633746/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633746; rev:1;)
alert tcp $HOME_NET any -> [198.244.224.75] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633745/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633745; rev:1;)
alert tcp $HOME_NET any -> [189.137.160.79] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633744/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633744; rev:1;)
alert tcp $HOME_NET any -> [185.247.224.66] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633743/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633743; rev:1;)
alert tcp $HOME_NET any -> [160.202.247.176] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633742/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633742; rev:1;)
# 139.59.162.66 is listed twice, once per port (443 and 8888), as separate sids.
alert tcp $HOME_NET any -> [139.59.162.66] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633740/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633740; rev:1;)
alert tcp $HOME_NET any -> [139.59.162.66] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633741/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9p7m.3-f72v.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tz.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633738; rev:1;)
alert tcp $HOME_NET any -> [196.251.87.155] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633732/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_05; classtype:trojan-activity; sid:91633732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l6q2.3-f72v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"c5jqq.s64lr5ok.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633735; rev:1;)
# Domain indicators (payload delivery): exact, case-insensitive match on the
# queried host name. depth equals the content length and isdataat:!1,relative
# forbids trailing data, so other names under the same parent domain
# (for example s64lr5ok.com) need their own rule. No threshold is set.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"14.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yx0n.s64lr5ok.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tc.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j4z8m.x625v7.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633730; rev:1;)
# ip:port indicators (botnet C2), one malware family per msg. Each rule
# matches any TCP packet from $HOME_NET to the listed endpoint; there is no
# flow or content keyword, so the alert records attempted contact only.
# threshold allows one alert per source host per 60 seconds.
# NOTE(review): several entries use 443 or 80, so the rule alone cannot tell
# C2 from other traffic to the same address; confirm with host or flow data.
alert tcp $HOME_NET any -> [185.245.34.186] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633729; rev:1;)
alert tcp $HOME_NET any -> [154.37.219.142] 60001 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633728; rev:1;)
alert tcp $HOME_NET any -> [45.89.127.45] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633727; rev:1;)
alert tcp $HOME_NET any -> [102.96.214.21] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633726; rev:1;)
alert tcp $HOME_NET any -> [201.43.44.12] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633724; rev:1;)
alert tcp $HOME_NET any -> [1.52.157.76] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633725; rev:1;)
alert tcp $HOME_NET any -> [34.170.176.93] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633723; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.73] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633722; rev:1;)
alert tcp $HOME_NET any -> [4.198.122.37] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633720; rev:1;)
alert tcp $HOME_NET any -> [148.135.80.46] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633721; rev:1;)
alert tcp $HOME_NET any -> [45.90.99.82] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633719; rev:1;)
alert tcp $HOME_NET any -> [150.158.199.46] 8889 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; 
classtype:trojan-activity; sid:91633718; rev:1;)
# ip:port indicators (botnet C2). Each rule matches any TCP packet from
# $HOME_NET to the listed address and port, with no flow or content keyword;
# threshold allows one alert per source host per 60 seconds. An alert records
# attempted contact with the endpoint, not the protocol spoken over it.
alert tcp $HOME_NET any -> [91.92.243.26] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633717; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.31] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633715; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.30] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633716; rev:1;)
alert tcp $HOME_NET any -> [114.132.217.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633714; rev:1;)
# 194.120.24.207 is listed twice, once per port (443 and 80), as separate sids.
alert tcp $HOME_NET any -> [194.120.24.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633713; rev:1;)
alert tcp $HOME_NET any -> [194.120.24.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633712; rev:1;)
alert tcp $HOME_NET any -> [34.165.201.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633711; rev:1;)
alert tcp $HOME_NET any -> [116.62.114.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633710; rev:1;)
alert tcp $HOME_NET any -> [156.225.20.77] 5006 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633709; rev:1;)
# Domain rule: exact, case-insensitive match on the queried host name (depth
# equals the content length; isdataat:!1,relative forbids trailing data).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7r.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633708; rev:1;)
alert tcp $HOME_NET any -> [180.76.168.207] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633706; rev:1;)
alert tcp $HOME_NET any -> [1.13.175.24] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633707; rev:1;)
alert tcp $HOME_NET any -> [8.155.161.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633705; rev:1;)
alert tcp $HOME_NET any -> [38.54.13.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zf42.s64lr5ok.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633703; rev:1;)
# The next domain rules are labelled botnet C2 rather than payload delivery;
# the match logic is the same exact-name comparison on the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go.bestjacksonvillehotels.com"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633702; rev:1;)
# Domain rules ("alert dns"): exact, case-insensitive match on the queried
# host name; depth equals the content length and isdataat:!1,relative forbids
# trailing data, so subdomains and sibling hosts do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mx.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633700; rev:1;)
# URL rules ("alert http"): client-to-server traffic on an established flow,
# method GET, URI beginning with the given path, Host header equal to the
# given value (depth plus isdataat:!1,relative on http.host). The URI content
# has depth but no isdataat, so it is a prefix match: longer paths that start
# with the same bytes also alert. With content:"/" and depth:1 the URI test
# passes for every path, so these two rules are in effect Host-only.
# NOTE(review): http keywords apply to traffic Suricata parses as HTTP;
# requests to the same hosts inside TLS are presumably not seen unless it is
# decrypted upstream. The DNS rules for the same names give partial coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"go.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"go.bestjacksonvillehotels.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0h5.x625v7.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2iz.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"excellencebpo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633409; rev:1;)
# URL rules whose Host value is an IP literal. The short URI prefixes ("/1",
# "/2") also match any longer path beginning with those bytes on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/molop"; depth:6; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1"; depth:2; nocase; http.host; content:"176.46.158.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plop"; depth:5; nocase; http.host; content:"176.46.158.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2"; depth:2; nocase; http.host; content:"176.46.158.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"emaragogi.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s3.mirgaza.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connect.zave.lol"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vakarpishkov.magnaart.ru.fbweb.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633430; rev:1;)
alert tcp $HOME_NET any -> [109.199.113.204] 9999 (msg:"ThreatFox Unknown RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633454; rev:1;)
# ip:port rules (alert tcp ... -> [address] port) carry no flow or payload keywords: any TCP packet
# from $HOME_NET to the endpoint matches, and the threshold (type limit, track by_src, count 1 per
# 60 seconds) limits output to one alert per source host per minute. An alert shows a connection
# attempt to the endpoint; confirm an actual session from flow records.
alert tcp $HOME_NET any -> [95.181.213.48] 7777 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633456; rev:1;)
# Domain rules match the exact queried name only: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so subdomains of a listed name do not fire.
# URL rules (alert http) apply only to traffic parsed as cleartext HTTP; http.host is an exact
# match, while the http.uri content is anchored at the start with no end anchor (prefix match).
# controllerjs.com and kislonij.pro below are listed with the same two paths, "/xss/buf.js" and
# "/xss/index.php".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"controllerjs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"controllerjs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"controllerjs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cpajoliette.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.js"; depth:5; nocase; http.host; content:"cpajoliette.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kislonij.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"kislonij.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"kislonij.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633467; rev:1;)
alert tcp $HOME_NET any -> [109.199.113.250] 9999 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633490; rev:1;)
# NOTE(review): the next two names read like software-update hosts ("acrobatupdatesystem",
# "pdfacrobatupdate"); presumably lure domains - the feed itself only tags them payload delivery.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acrobatupdatesystem.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdfacrobatupdate.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"securefiledepot.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633528; rev:1;)
# The path below ends in ".pdf.exe": an executable whose name is dressed as a PDF document.
# A hit means the host requested the file; check endpoint telemetry for execution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scan-doc794559.pdf.exe"; depth:23; nocase; http.host; content:"securefiledepot.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633529; rev:1;)
# The remaining rules mix confidence levels: metadata confidence_level is 75 for the Loki
# endpoint and the jquery URL, 80 for the Mirai endpoint, 100 for the others. The value is
# carried in msg and metadata only; it does not change how the rule matches.
alert tcp $HOME_NET any -> [216.126.86.17] 59211 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633530/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633530; rev:1;)
# The URI content below is all lowercase and paired with nocase, so the comparison ignores the
# case of the requested path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xgdk7bk3h0mm10mdhvbb1ol3tsdd7bkqkw=="; depth:37; nocase; http.host; content:"global.coachmyresume.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633656; rev:1;)
# NOTE(review): the FAKEUPDATES endpoint is on port 443; whether the address also serves
# unrelated sites is not visible here - corroborate with TLS logs (SNI, certificate) before blocking.
alert tcp $HOME_NET any -> [157.254.167.165] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633657; rev:1;)
alert tcp $HOME_NET any -> [81.181.129.13] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633679/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_05; classtype:trojan-activity; sid:91633679; rev:1;)
# "/jquery-3.3.1.min.js" is an ordinary library file name; the exact http.host match on
# cdn.huaweicloud.help is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.huaweicloud.help"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633695/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_11_05; classtype:trojan-activity; sid:91633695; rev:1;)
# --- domain indicators (payload delivery unless noted) ---
# Each rule fires on a DNS query for exactly the listed name: depth equals the content length
# (anchoring the match at the start of the dns_query buffer) and isdataat:!1,relative forbids any
# trailing byte; nocase ignores case. dns_query is the legacy spelling of dns.query.
# Many names in this run are sibling labels under the same parent (s64lr5ok.com, x625v7.ru, ...).
# Because the match is exact, a new label under one of those parents is not covered until the
# feed lists it. NOTE(review): if a parent is confirmed to be wholly attacker-controlled (not
# shown here), a local suffix rule using endswith on the parent would close that gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efu.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7r.s64lr5ok.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vyc.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lnq.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e7v1n.x625v7.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5ha.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3t8p.s64lr5ok.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6m4q.x625v7.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chu.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2k8.x625v7.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xqs.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yxb.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9c3a.x625v7.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2zs.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1zd.s64lr5ok.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2z.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633678; rev:1;)
# Tagged botnet C2 rather than payload delivery. NOTE(review): ydns.eu looks like a
# dynamic-DNS zone, so presumably only this one label is attacker-controlled - do not widen
# this indicator to the parent without confirming.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatguru1985bk.ydns.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"56.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9k.s64lr5ok.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4q.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fx.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633673; rev:1;)
alert tcp $HOME_NET any -> [196.119.240.164] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633672; rev:1;)
# --- domain indicators (payload delivery) ---
# Exact-name DNS matches: depth equals the content length and isdataat:!1,relative forbids any
# trailing byte, so a query for a subdomain of a listed name does not fire; nocase ignores case.
# Several names share a parent (aaty4qdy.ru, o4-lq-8.ru, ...); unlisted sibling labels under
# those parents are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"88.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3.aaty4qdy.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"40.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qm8.aaty4qdy.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3d.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5j.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1x.aaty4qdy.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dp.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dc.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4.aaty4qdy.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oos.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rg7.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aa9.o4-lq-8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"415.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633658; rev:1;)
# --- ip:port indicators (AdaptixC2, Unknown malware, AsyncRAT, Remcos) ---
# No flow or payload keywords: any TCP packet from $HOME_NET to the listed address and port
# matches, so an alert records a connection attempt and nothing about what was exchanged.
# The threshold (type limit, track by_src, count 1 per 60 seconds) yields at most one alert per
# source host per minute; use flow records to see how many connections were actually made.
alert tcp $HOME_NET any -> [104.145.210.204] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633655; rev:1;)
alert tcp $HOME_NET any -> [173.254.215.95] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633654; rev:1;)
alert tcp $HOME_NET any -> [125.237.198.243] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633653; rev:1;)
alert tcp $HOME_NET any -> [172.111.169.8] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wq0.o4-lq-8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5fw.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3dw.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633649; rev:1;)
alert tcp $HOME_NET any -> 
[172.245.27.131] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633648/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633648; rev:1;)
# ip:port rules carry no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# endpoint matches; the threshold (type limit, track by_src, count 1 per 60 seconds) limits
# output to one alert per source host per minute. The XWorm rule above and the Quasar RAT rule
# below are published with confidence_level 75; the value appears in msg and metadata only and
# does not change matching, so any triage weighting has to be applied downstream.
alert tcp $HOME_NET any -> [213.142.159.116] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633647/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633647; rev:1;)
# Domain rules: exact match on the queried name (depth equals the content length,
# isdataat:!1,relative forbids trailing bytes, nocase ignores case). Subdomains do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2p1.k5gc56.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"npl.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7z.o4-lq-8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3xk.k5gc56.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8n.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1i.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633641; rev:1;)
# The next two URL rules name pages on general-purpose services (telegram.me and
# steamcommunity.com) at confidence_level 75. The indicator is the specific path, not the
# service: the host must match exactly and the URI must begin with the listed path (the URI
# content has a start anchor from depth but no end anchor, so longer paths with the same prefix
# also match). Treat a hit as a lead on the requesting host, not a reason to block the domain.
# NOTE(review): both services are normally reached over HTTPS, and alert http only sees traffic
# parsed as cleartext HTTP - these rules will likely stay silent unless TLS is decrypted
# upstream of the sensor; confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k0ddr"; depth:6; nocase; http.host; content:"telegram.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633640/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198772659493"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633639/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qa9.k5gc56.ru"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633638; rev:1;)
# --- domain indicators (payload delivery unless noted) ---
# Each rule fires on a DNS query for exactly the listed name: depth equals the content length and
# isdataat:!1,relative forbids any trailing byte; nocase ignores case. A query for a subdomain of
# a listed name does not match. Several names are sibling labels under the same parent
# (k5gc56.ru, p-72h.ru, o4-lq-8.ru, ...); labels the feed has not listed are not covered.
# target:src_ip labels the querying $HOME_NET address as the affected side. NOTE(review): if
# clients resolve through an internal DNS server, that address may be the resolver rather than
# the workstation - confirm where the sensor sits relative to the resolver.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9w.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2.o4-lq-8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zv04.k5gc56.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633634; rev:1;)
# Tagged botnet C2 at confidence_level 75, unlike the payload-delivery entries around it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.aliyun-mail.sbs"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633633/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_05; classtype:trojan-activity; sid:91633633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8q.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1m.k5gc56.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1w.p-72h.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2j.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8.k5gc56.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hc.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.p-72h.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fo.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq9.p-72h.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7b.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6.dae017f.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.p-72h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0t2.dae017f.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633617; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i8.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sgd.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.a-4n66k4.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dnb.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7k2.a-4n66k4.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"2xe.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7nb.dae017f.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oka.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.a-4n66k4.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pj1.dae017f.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"el4.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633606/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xq9.dae017f.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iaz.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.2u-gd2ml.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uqy.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4.dae017f.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ua7.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633600; rev:1;)
# ip:port indicators. These rules carry no flow or payload keyword: the match is
# the destination address and port alone, so an alert shows that a host in
# $HOME_NET sent TCP traffic to that endpoint, not that a session was established
# or that the traffic belonged to the family named in msg.
# threshold "type limit, track by_src, seconds 60, count 1" emits at most one
# alert per source address per 60 seconds; use flow records, not alert counts, to
# judge how often a host connected.
# The same address is listed on two ports (443 and 9999), one rule per port.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference URL.
alert tcp $HOME_NET any -> [115.190.62.191] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633598; rev:1;)
alert tcp $HOME_NET any -> [115.190.62.191] 9999 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_05; classtype:trojan-activity; sid:91633599; rev:1;)
# Exact-name DNS indicators (depth equals content length, isdataat:!1,relative):
# only a query for precisely the listed name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9y1.j6e-0g-7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ty.2bj82sg.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3vo.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mn.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633594; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 24663 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0m.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a0p2.2bj82sg.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633590; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2y.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mzr.2bj82sg.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.q8-v-4of.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hk.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v93.2bj82sg.ru"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633584; rev:1;)
# Exact-name DNS indicator (depth equals content length, isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oc.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633583; rev:1;)
# ip:port indicators labelled "Unknown malware": the msg names no family, and the
# rules match on destination address and port only (no flow or payload keyword).
# An alert therefore identifies the endpoint that was contacted, nothing about
# the content of the connection.
# NOTE(review): nothing in the rule shows whether an address is dedicated or
# shared hosting; on a common service port such as 443, check flow and TLS logs
# for the same source before treating a hit as a confirmed compromise.
# NOTE(review): address indicators go stale when an address changes hands;
# metadata first_seen is the only age information carried here - consider an
# expiry policy keyed on it.
alert tcp $HOME_NET any -> [34.232.143.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633582; rev:1;)
alert tcp $HOME_NET any -> [20.64.238.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633580; rev:1;)
alert tcp $HOME_NET any -> [195.210.47.158] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633581; rev:1;)
alert tcp $HOME_NET any -> [52.220.170.6] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633578; rev:1;) alert tcp $HOME_NET any -> [43.156.11.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633579; rev:1;) alert tcp $HOME_NET any -> [135.235.168.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633576; rev:1;) alert tcp $HOME_NET any -> [95.111.236.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633577; rev:1;) alert tcp $HOME_NET any -> [36.133.74.185] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633574; rev:1;) alert tcp $HOME_NET any -> [31.97.134.73] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633575; rev:1;) alert tcp $HOME_NET any -> [64.227.132.42] 60001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633572; rev:1;) alert tcp $HOME_NET any -> [104.214.177.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633573; rev:1;) alert tcp $HOME_NET any -> [172.235.183.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633570; rev:1;) alert tcp $HOME_NET any -> [47.98.229.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633571; rev:1;) alert tcp $HOME_NET any -> [116.86.51.247] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633568; rev:1;) alert tcp $HOME_NET any -> [216.252.85.18] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; 
sid:91633569; rev:1;) alert tcp $HOME_NET any -> [162.217.6.19] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633565; rev:1;) alert tcp $HOME_NET any -> [92.34.30.21] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633566; rev:1;) alert tcp $HOME_NET any -> [101.127.5.144] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633567; rev:1;) alert tcp $HOME_NET any -> [207.254.246.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633562; rev:1;) alert tcp $HOME_NET any -> [103.26.46.241] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633563; rev:1;) alert tcp $HOME_NET any -> [116.87.110.23] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633564; rev:1;)
# ip:port indicators on port 443. The family name (Havoc, Unknown malware) comes
# from the msg text only; the rule matches destination address and port and does
# not inspect the protocol, so the alert cannot confirm the family by itself.
# threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [37.72.168.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633561; rev:1;)
alert tcp $HOME_NET any -> [37.60.242.208] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633560; rev:1;)
alert tcp $HOME_NET any -> [31.56.28.227] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633559; rev:1;)
# Domain indicator labelled "botnet C2 traffic", unlike the "payload delivery"
# label on the neighbouring domain rules. Exact-name match only (depth equals
# content length, isdataat:!1,relative). Unlike the ip:port rules it has no
# threshold, so every matching query raises an alert.
# NOTE(review): presumably a C2 lookup implies an implant already running on the
# querying host, while a payload-delivery lookup may precede execution - confirm
# against the ThreatFox entry before setting triage priority.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okta.relatec.it.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633558; rev:1;)
# ip:port indicator; matches destination address and port 8081 only.
alert tcp $HOME_NET any -> [154.12.21.69] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633557; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sl.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7x.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9q.q8-v-4of.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1k.2bj82sg.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9q.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2.q8-v-4of.ru"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4jb.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0fj3.k9-2g8.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.2bj82sg.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"it4.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6tva.k9-2g8.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633546/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_04; classtype:trojan-activity; sid:91633546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cmk.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f3n7k.798u-g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rea.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2dx.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1hb.k9-2g8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"b5y2q.798u-g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"umv.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6vy.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3zq9.k9-2g8.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z0t8n.798u-g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ti1.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1633535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633535; rev:1;)
# ThreatFox "payload delivery" domain rules. Each one inspects the DNS query
# name (dns_query). Because depth equals the length of the content string and
# isdataat:!1,relative forbids any byte after the match, a rule fires only when
# the whole queried name equals the listed host (nocase: case-insensitive).
# A lookup for a different label under the same parent domain does not match.
# sid is 9 followed by the ThreatFox IOC id given in reference:url.
# target:src_ip marks the querying $HOME_NET host as the affected side.
# NOTE(review): only DNS the sensor can parse reaches this buffer; lookups
# carried over DoH/DoT would not be seen by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7m2.k9-2g8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7l3a.798u-g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9xy.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633532; rev:1;)
# ThreatFox ip:port C2 rule. It has no flow or payload keywords, so any TCP
# packet from $HOME_NET to this address and port matches, including a bare
# connection attempt. threshold (type limit, count 1, seconds 60, track by_src)
# caps output at one alert per source per 60 seconds.
# The feed rates this entry at confidence 90%, below the 100% of the
# neighbouring rules.
# NOTE(review): first_seen in metadata is the only age signal on the rule; an
# ip:port indicator can outlive the malicious use of the address, so check a
# hit against the referenced ThreatFox entry before acting on it.
alert tcp $HOME_NET any -> [217.160.186.220] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633531/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_04; classtype:trojan-activity; sid:91633531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1r9.798u-g.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; 
sid:91633527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jo.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hj.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xt.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2p6m.798u-g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0y.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"wm.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d8k3a.j0-e-t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8r1n.9-s-7g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9e.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633516; rev:1;) alert tcp $HOME_NET any -> [163.123.141.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633515; rev:1;) alert tcp $HOME_NET any -> [54.204.244.145] 9142 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633514/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633514; rev:1;) alert tcp $HOME_NET any -> [213.174.143.17] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633513; rev:1;) alert tcp $HOME_NET any -> [79.133.46.74] 8080 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633512; rev:1;) alert tcp $HOME_NET any -> [94.74.164.254] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633511; rev:1;) alert tcp $HOME_NET any -> [3.95.65.179] 29662 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633510; rev:1;) alert tcp $HOME_NET any -> [20.250.145.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633509; rev:1;) alert tcp $HOME_NET any -> [69.62.75.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633507; rev:1;) alert tcp $HOME_NET any -> [82.147.85.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633508; rev:1;) alert tcp $HOME_NET any -> [31.222.235.47] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633506; rev:1;) alert tcp $HOME_NET any -> [96.8.122.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633505; rev:1;) alert tcp $HOME_NET any -> [8.134.208.211] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633504; rev:1;) alert tcp $HOME_NET any -> [38.38.251.151] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633503; rev:1;) alert tcp $HOME_NET any -> 
[120.76.158.8] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633502; rev:1;) alert tcp $HOME_NET any -> [59.110.28.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633501; rev:1;) alert tcp $HOME_NET any -> [47.120.7.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633500; rev:1;) alert tcp $HOME_NET any -> [217.114.0.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z5tq.9-s-7g.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4qwe.j0-e-t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7h.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2w7.9-s-7g.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"74.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5z9.j0-e-t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633492; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fp.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9akm.9-s-7g.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"648.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7ne.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6t1x.j0-e-t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"tr8.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633485; rev:1;)
# Exact-name DNS rule: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this host matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3v2.9-s-7g.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633484; rev:1;)
# ThreatFox ip:port C2 rules rated confidence 75%, the lowest value visible in
# this section. Each rule keys only on destination address and port: there are
# no flow or payload keywords, so any TCP packet from $HOME_NET to that
# ip:port matches, whatever is carried on the connection. Several of these
# rules use port 443, so they cannot tell the named malware family apart from
# any other TLS traffic to the same address.
# threshold (type limit, count 1, seconds 60, track by_src) caps each sid at
# one alert per source per 60 seconds.
# NOTE(review): confidence_level is carried in both msg and metadata; it is
# the field to route or prioritise on, and a hit on one of these sids is a
# lead to corroborate, not a verdict. first_seen is the only age signal.
alert tcp $HOME_NET any -> [94.154.35.73] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633483; rev:1;)
alert tcp $HOME_NET any -> [86.126.217.18] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633482; rev:1;)
alert tcp $HOME_NET any -> [8.130.31.166] 8097 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633481/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633481; rev:1;)
alert tcp $HOME_NET any -> [40.160.55.224] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633478; rev:1;)
alert tcp $HOME_NET any -> [40.160.58.126] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633479/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633479; rev:1;)
alert tcp $HOME_NET any -> [40.160.60.89] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633480; rev:1;)
alert tcp $HOME_NET any -> [189.140.41.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633477; rev:1;)
# Exact-name DNS rule, same shape as the one for h3v2.9-s-7g.ru above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3wa.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633476; rev:1;)
# The same address is listed on two ports (443 here, 8888 in the next rule),
# each under its own sid, so one host talking to both produces two alerts.
alert tcp $HOME_NET any -> [165.22.180.36] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633474; rev:1;)
alert tcp $HOME_NET any -> [165.22.180.36] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1633475/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633475; rev:1;) alert tcp $HOME_NET any -> [164.68.120.30] 20300 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633473; rev:1;) alert tcp $HOME_NET any -> [149.109.127.205] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633472/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0b7n.j0-e-t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633471; rev:1;) alert tcp $HOME_NET any -> [104.223.84.7] 14641 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633470; rev:1;) alert tcp $HOME_NET any -> [103.54.153.108] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"5qi.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2m8q.j0-e-t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w3q0.7mdmu7og.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7xk.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4es.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n7w3a.t-7-1u.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1633453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633453; rev:1;)
# Exact-name DNS rule: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this host matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.7mdmu7og.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633451; rev:1;)
# ip:port C2 rule: header-only match (no flow or payload keywords), limited by
# threshold to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [103.200.6.62] 1943 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633450; rev:1;)
# "botnet C2 traffic" domain rule, matched on the exact query name like the
# payload-delivery rules. NOTE(review): no-ip.org appears to be a shared
# dynamic-DNS provider zone, so only this full hostname is the indicator; the
# parent zone is not, and the record can be repointed at any time.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onecoder.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633449; rev:1;)
# One address listed on two ports, each under its own sid.
alert tcp $HOME_NET any -> [148.66.11.10] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633448; rev:1;)
alert tcp $HOME_NET any -> [148.66.11.10] 5555 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633447; rev:1;)
# ThreatFox url rule. It requires an established client-to-server flow, the
# method GET, and the string 213.176.79.88 inside the first 13 bytes of the
# http.uri buffer. depth equals the string length, so the match is anchored at
# the start of the URI; there is no end anchor and no threshold on this rule.
# NOTE(review): the pattern is an IP address, which looks like the host part
# of the IOC rather than a request path. A request URI normally begins with
# "/", so this sid presumably does not fire on ordinary direct requests to
# that host. Confirm against a capture and read the referenced ThreatFox entry
# for the full URL before counting this rule as coverage. If the host is the
# indicator, http.host is the buffer that carries it (local rule, own sid).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.176.79.88"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1633446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fcq.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633445; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.194] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633444; rev:1;)
# Exact-name C2 domain rules. NOTE(review): duckdns.org and ydns.eu appear to
# be shared dynamic-DNS provider zones; treat only the full hostname as the
# indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egodinmaegobundunwoke7523bjfeyfdvkcgddjg.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"privacy2088.ydns.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"television-walks.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"academic-suits.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aer.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.7mdmu7og.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zl.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u4r8c.t-7-1u.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633436; rev:1;)
# Domain rules (dns_query). In each rule depth equals the length of the
# content string and isdataat:!1,relative requires that nothing follows the
# match, so only the exact name listed matches (case-insensitively, via
# nocase). Another label under the same parent zone needs its own rule; this
# run lists several hosts each under 1-b03-1q.ru, t-7-1u.ru and r0en3ap.ru.
# Triage: sid is "9" followed by the ThreatFox IOC id shown in reference:url,
# and target:src_ip marks the $HOME_NET client as the affected side.
# NOTE(review): dns_query is the older spelling of the dns.query sticky
# buffer - confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.1-b03-1q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ng.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fz.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0a3.1-b03-1q.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9z2.t-7-1u.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p5x0d.t-7-1u.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.1-b03-1q.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gy.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1t7m.t-7-1u.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"21.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3v9q.t-7-1u.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.1-b03-1q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bl.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m6.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kf.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a4m2.r0en3ap.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1t.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2t3.0-xv-3i5.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tt7.r0en3ap.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qfl.d3-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v5q.r0en3ap.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633408; rev:1;)
alert tcp $HOME_NET any -> 
[39.97.51.230] 62443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633407; rev:1;)
# ip:port rules in this run carry no flow or payload keyword: any TCP packet
# from $HOME_NET to the listed address and port matches, so an alert shows a
# connection attempt, not necessarily an established session. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert
# per source host per 60 seconds per rule.
# NOTE(review): an address-only match says nothing about the protocol spoken,
# and first_seen in metadata is the only age information on the rule - check
# that the address is still attributed before acting on a hit, especially on
# ports 80 and 443.
alert tcp $HOME_NET any -> [45.151.91.98] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633406; rev:1;)
alert tcp $HOME_NET any -> [3.145.115.62] 10001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633404; rev:1;)
alert tcp $HOME_NET any -> [54.185.244.171] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633405; rev:1;)
alert tcp $HOME_NET any -> [105.155.155.123] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633403; rev:1;)
alert tcp $HOME_NET any -> [104.194.152.166] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633402; rev:1;)
alert tcp $HOME_NET any -> [186.212.30.133] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633401; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.73] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633400; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.231] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633399; rev:1;)
alert tcp $HOME_NET any -> [165.22.180.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633398; rev:1;)
alert tcp $HOME_NET any -> [80.76.49.77] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633397; rev:1;)
alert tcp $HOME_NET any -> [85.208.84.28] 8443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jss.5b-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633395; rev:1;)
# url rules: http.host is pinned to the exact host (depth equal to the
# content length plus isdataat:!1,relative), while the http.uri content has a
# depth but no end anchor, so it matches as a prefix of the request URI. Only
# requests whose method matches "GET" are considered.
# NOTE(review): http.* buffers inspect parsed HTTP only; the same host
# reached over TLS is not seen by these rules unless traffic is decrypted
# upstream. No dns rule for graffetti.com appears in this part of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7h5f.js"; depth:8; nocase; http.host; content:"graffetti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633382; rev:1;)
# The pages.dev entries name individual subdomains of a shared hosting domain
# (Cloudflare Pages); the exact-match form keeps each rule to the one
# subdomain listed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"javsenpai.pages.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/settings"; depth:9; nocase; http.host; content:"settings-4av.pages.dev"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"javsenpaiii.pages.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633389; rev:1;)
# settingss.pages.dev and settings-4av.pages.dev each have both a url rule
# and a dns rule, so a lookup alerts even when the later request is not
# visible as cleartext HTTP. The url rules anchor http.uri as a prefix
# ("/settings" with depth 9 and no end check) and http.host exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/settings"; depth:9; nocase; http.host; content:"settingss.pages.dev"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"settings-4av.pages.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"settingss.pages.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6.0-xv-3i5.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iru.z-x0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633392; rev:1;)
# confidence_level 75: the next two rules match any GET whose URI begins with
# "/api" on the named host. classtype is trojan-activity here exactly as on
# the 100% rules, so alert priority has to come from metadata
# confidence_level (or the msg text), not from classtype.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"upstreu.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633385/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"databap.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633384/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633384; rev:1;)
# ip:port rule without flow or payload keywords: every TCP packet to this
# address on 443 matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [77.110.110.157] 443 (msg:"ThreatFox Rhadamanthys payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0z.r0en3ap.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.366a4362.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633380; rev:1;)
# The dns rules below match the bare name only (depth plus
# isdataat:!1,relative); a query for a "www." or other subdomain of the same
# site does not match them.
# NOTE(review): these names look like ordinary registered sites rather than
# generated hostnames - presumably compromised or abused hosting; confirm
# what was actually fetched before treating a lookup as an infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aprendaceo.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wijkbuszuidwest.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"garudamaskosmetik.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amalgadget.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"88tdtc.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urs.org.vn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633345; rev:1;)
# url rule: exact http.host, http.uri matched as a prefix (depth 55, no end
# anchor), GET only.
# NOTE(review): this inspects parsed HTTP only, and no dns rule for
# seo-conference.by appears in this part of the file - a request made over
# TLS would not alert unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-themes/cloudflare/verification/userid6389452515832/"; depth:55; nocase; http.host; content:"seo-conference.by"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vediclibrary.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633349; rev:1;)
# confidence_level 80, ip:port only. The same address is listed on port 80
# under sid 91633406 (MooBot, confidence 100). No flow or payload keyword:
# any TCP packet to 45.151.91.98:3778 matches, at most one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [45.151.91.98] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633352/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_04; classtype:trojan-activity; sid:91633352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fxplay.in"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"piworfolo.com.theplatinumguesthouse.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633369; rev:1;)
# url rule for nelees.com: prefix match on http.uri, exact http.host, GET
# only. No dns rule for this host appears in this part of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/plugins/fr3.lim"; depth:24; nocase; http.host; content:"nelees.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633370; rev:1;)
# Exact-name dns rules. 366a4362.ru and 7d0re6.ru appear with more than one
# host label in this file; each label is a separate rule, and any label not
# listed is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chou.osteopathie.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vyt.24s6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq8.366a4362.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gsj.n2vr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.366a4362.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ojt.dc-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j1c5p.7d0re6.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633373; rev:1;)
# vickitmorrison.com is covered twice: this dns rule and the url rule that
# follows it (sid 91633371), both on the bare host name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vickitmorrison.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633372; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/win64/file/update.zip"; depth:22; nocase; http.host; content:"vickitmorrison.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3rj.r0en3ap.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633368; rev:1;)
# confidence_level 50 url rules. http.uri is matched as a prefix (depth, no
# end anchor), so the rules whose URI content is "/" with depth:1 match every
# GET request to the named host - in effect host-wide rules at the lowest
# confidence in this file. classtype is still trojan-activity, so filtering
# or down-ranking has to key on metadata confidence_level.
# NOTE(review): expect these to need corroboration (a matching 100% rule,
# endpoint evidence) before a hit is treated as an infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"infobirdrep.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633367; rev:1;)
# m3p.z2q2.ru appears in four path-specific url rules at confidence 50 in
# this run (91633365, 91633363, 91633361, 91633359) and in a dns rule at
# confidence 100 (sid 91633335).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4l6erwaw"; depth:9; nocase; http.host; content:"m3p.z2q2.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bonus33.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fq2ltnk2"; depth:9; nocase; http.host; content:"m3p.z2q2.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633363/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/best-adc-junglers/"; depth:19; nocase; http.host; content:"leaguetips.gg"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.loveinbible.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ubwy2ohx"; depth:9; nocase; http.host; content:"m3p.z2q2.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etgcs0wg"; depth:9; nocase; http.host; content:"m3p.z2q2.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dittasistema.it"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"magiskmodule.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3u.8i-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633357; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.7] 7046 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633355; rev:1;) alert tcp $HOME_NET any -> [46.246.14.7] 44662 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4x1.7d0re6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed.bestjacksonvillehotels.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ed.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633347; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ed.bestjacksonvillehotels.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"knacho.sk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0/items/nisibmrl-3997/toumaf.txt"; depth:33; nocase; http.host; content:"dn710107.ca.archive.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27/items/toumaf/toumaf.html"; depth:28; nocase; http.host; content:"ia601301.us.archive.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.momscare.ae.risallanursing.ae"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3p.z2q2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633335; rev:1;)
# sid 91633295: the query name is matched exactly (depth:12 anchors the start,
# isdataat:!1,relative the end). A lookup of touchsol.com alerts; a lookup of
# www.touchsol.com, the host used by sids 91633298 and 91633299 below, does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"touchsol.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633295; rev:1;)
# sids 91633298 and 91633299: these are `alert http` rules, so they apply only to
# traffic Suricata parses as HTTP. A fetch of the same URL over TLS is not inspected
# by them unless TLS is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/captcha.html"; depth:13; nocase; http.host; content:"www.touchsol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kp1ketxf..txt"; depth:14; nocase; http.host; content:"www.touchsol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633299; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/host"; depth:5; nocase; http.host; content:"147.124.222.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ranchernandez.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/js/cloudflare.txt"; depth:25; nocase; http.host; content:"tema-com-ua-568517.hostingersite.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633321; rev:1;) alert tcp $HOME_NET any -> [194.26.192.61] 2222 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633334; rev:1;) alert tcp $HOME_NET any -> [20.157.223.57] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; 
sid:91633333; rev:1;)
# ip:port rules, sids 91633332 down to 91633328: there is no payload or app-layer
# condition. The header alone (TCP from $HOME_NET to the listed address and port) is
# the match, and the malware family in msg is the feed's label, not something the rule
# verifies in the traffic.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one alert
# per source address per 60 seconds, so alert counts understate connection counts.
# All five carry confidence_level 50. Addresses can be reassigned after first_seen, so
# corroborate a hit with flow or endpoint evidence before treating it as confirmed C2.
alert tcp $HOME_NET any -> [51.112.54.116] 1023 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633332; rev:1;)
alert tcp $HOME_NET any -> [217.24.173.84] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633331/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633331; rev:1;)
alert tcp $HOME_NET any -> [68.183.65.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633330; rev:1;)
alert tcp $HOME_NET any -> [144.124.234.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633329; rev:1;)
alert tcp $HOME_NET any -> [119.45.25.66] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8.r0en3ap.ru"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1633327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cy6.7-h9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7k.7d0re6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0v.wo-h3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g6.85cu3895.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1c.03e3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3w4.1051lt6.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aw.614lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633318; rev:1;) alert tcp $HOME_NET any -> [196.251.87.218] 8800 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633317/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633317; rev:1;) alert tcp $HOME_NET any -> [95.211.126.187] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633315; rev:1;) alert tcp $HOME_NET any -> [168.245.200.30] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633314; rev:1;) alert tcp $HOME_NET any -> [197.53.226.246] 9090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633313; rev:1;) alert tcp $HOME_NET any -> [194.87.10.124] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stronpn.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"solemfk.courses"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i4b2.gay"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633309; rev:1;) alert tcp $HOME_NET any -> [213.111.156.121] 44130 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benjaz.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simpleoil.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633306; rev:1;) alert tcp $HOME_NET any -> [172.81.132.221] 6658 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t.ba2q7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6g.w8i0h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yb.oc57y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7bn.1051lt6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ch.hb0-e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sessionstorexint.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cronapiworkersvc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633297; rev:1;) alert tcp $HOME_NET any -> [94.183.185.245] 443 (msg:"ThreatFox FAKEUPDATES payload 
delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"buildtoolsrvcore.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"taskrunnersrvmod.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0t.1051lt6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gw.888-c.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v91.1051lt6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1633288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9m2.ba2q7q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633287; rev:1;) alert tcp $HOME_NET any -> [195.210.47.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633286; rev:1;) alert tcp $HOME_NET any -> [100.27.206.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633284; rev:1;) alert tcp $HOME_NET any -> [162.55.210.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633285; rev:1;) alert tcp $HOME_NET any -> [103.173.66.52] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633283; rev:1;) alert tcp $HOME_NET any -> 
[211.222.135.213] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633280; rev:1;) alert tcp $HOME_NET any -> [184.160.143.31] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633281; rev:1;) alert tcp $HOME_NET any -> [210.6.216.33] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633282; rev:1;) alert tcp $HOME_NET any -> [122.100.247.155] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633276; rev:1;) alert tcp $HOME_NET any -> [27.125.176.115] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633277; rev:1;) alert tcp $HOME_NET any -> [66.172.208.185] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1633278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633278; rev:1;) alert tcp $HOME_NET any -> [59.149.80.86] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633279; rev:1;) alert tcp $HOME_NET any -> [220.88.218.214] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633273; rev:1;) alert tcp $HOME_NET any -> [84.74.229.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633274; rev:1;) alert tcp $HOME_NET any -> [209.15.64.11] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633275; rev:1;) alert tcp $HOME_NET any -> [119.206.150.128] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633270; rev:1;) alert tcp $HOME_NET any -> [24.212.93.31] 8443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633271; rev:1;) alert tcp $HOME_NET any -> [218.103.167.73] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633272; rev:1;) alert tcp $HOME_NET any -> [182.19.203.159] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633267; rev:1;) alert tcp $HOME_NET any -> [14.40.36.163] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633268; rev:1;) alert tcp $HOME_NET any -> [222.109.213.238] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633269; rev:1;) alert tcp $HOME_NET any -> [121.149.124.128] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633264/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633264; rev:1;) alert tcp $HOME_NET any -> [178.174.183.124] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633265; rev:1;) alert tcp $HOME_NET any -> [78.60.175.194] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633266; rev:1;) alert tcp $HOME_NET any -> [24.225.233.184] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633262; rev:1;) alert tcp $HOME_NET any -> [101.127.151.20] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633263; rev:1;) alert tcp $HOME_NET any -> [97.80.249.250] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633259; rev:1;) alert tcp $HOME_NET any -> [206.130.244.74] 8443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633260; rev:1;) alert tcp $HOME_NET any -> [106.104.36.151] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633261; rev:1;) alert tcp $HOME_NET any -> [123.202.104.22] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633256; rev:1;) alert tcp $HOME_NET any -> [185.164.8.89] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633257; rev:1;) alert tcp $HOME_NET any -> [68.98.225.248] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633258; rev:1;) alert tcp $HOME_NET any -> [190.140.74.175] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633253/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633253; rev:1;)
# ip:port indicators (alert tcp ... -> [address] port):
#   No payload or flow keywords are present, so any TCP packet from $HOME_NET to the
#   listed address and port matches. "threshold: type limit, track by_src, seconds 60,
#   count 1" caps output at one alert per source host per 60 seconds, and
#   "target:src_ip" marks the internal source as the alert's target.
#   NOTE(review): an address/port pair alone does not show what was exchanged; ports
#   such as 443 and 8443 also carry ordinary TLS services, so corroborate a hit with
#   host or proxy telemetry before treating it as a confirmed infection.
# domain indicators (alert dns ... dns_query):
#   depth equals the length of the content and isdataat:!1,relative requires that
#   nothing follows it, so only a case-insensitive lookup of exactly the listed name
#   alerts. Other labels under the same parent do not match unless they have their own
#   rule (94e-w8.ru, q9-j341.ru and 1051lt6.ru each appear with several labels here).
#   NOTE(review): with the $HOME_NET -> $EXTERNAL_NET header, clients that resolve
#   through an internal recursive resolver will likely show the resolver as the alert
#   source; pair with resolver query logs to find the originating host - confirm
#   against sensor placement.
alert tcp $HOME_NET any -> [101.127.145.133] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633254; rev:1;)
alert tcp $HOME_NET any -> [175.156.212.219] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633255; rev:1;)
alert tcp $HOME_NET any -> [77.74.132.205] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633250; rev:1;)
alert tcp $HOME_NET any -> [175.199.204.190] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633251; rev:1;)
alert tcp $HOME_NET any -> [68.69.133.19] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633252; rev:1;)
alert tcp $HOME_NET any -> [167.20.38.186] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633248; rev:1;)
alert tcp $HOME_NET any -> [211.248.128.172] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633249; rev:1;)
alert tcp $HOME_NET any -> [34.135.35.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633247; rev:1;)
alert tcp $HOME_NET any -> [144.172.93.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5d.8b-1d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j0.95tbm.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1.ba2q7q.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2x.1051lt6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2d.55-0p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q5.1051lt6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hw.3u-6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"663.67tf.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2q3.94e-w8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2m1.q9-j341.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vo7.v4-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7h.5g-t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7m.94e-w8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elk.yw9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vqx.q9-j341.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h28.4qo8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633230; rev:1;)
# confidence_level 75 on the next rule (the complete rules around it in this section are 100).
alert tcp $HOME_NET any -> [196.251.88.245] 9006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633229/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0t.94e-w8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633228; rev:1;)
# Three rule shapes appear below.
# domain (alert dns ... dns_query): depth equals the content length and
#   isdataat:!1,relative requires that nothing follows, so only a case-insensitive
#   lookup of exactly the listed name alerts; other labels under the same parent need
#   their own rule (94e-w8.ru and q9-j341.ru appear with several labels here).
# ip:port (alert tcp ... -> [address] port): no payload or flow keywords, so any TCP
#   packet from $HOME_NET to that address and port matches; the threshold keeps it to
#   one alert per source host per 60 seconds.
# url (alert http): see the comment above that rule.
# NOTE(review): the ip:port rules for Remcos, Havoc, Unknown Stealer and DeimosC2 in
#   this section carry confidence_level 75 and match on address and port only (two of
#   them on 443); corroborate with host telemetry before any automated response.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hl.oqtx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7n.q9-j341.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633226; rev:1;)
alert tcp $HOME_NET any -> [158.94.209.164] 2525 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633225/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633225; rev:1;)
# url indicator: applies to parsed HTTP on an established client-to-server flow with
# method GET. http.uri has depth:26 (the length of the path) and nocase but no end
# anchor, so any URI beginning with this path matches; http.host has depth:15 plus
# isdataat:!1,relative, so the Host value must be exactly this name.
# NOTE(review): requests made over TLS are not visible to this rule unless they are
# decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/chromeb/commands/test"; depth:26; nocase; http.host; content:"iloveboats9.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.94e-w8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fh0.j935.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elbrone.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633217; rev:1;)
alert tcp $HOME_NET any -> [84.32.131.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633216/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633216; rev:1;)
alert tcp $HOME_NET any -> [69.30.247.233] 3004 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633215/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qfe.znx7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633214; rev:1;)
alert tcp $HOME_NET any -> [40.160.52.204] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633212/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633212; rev:1;)
alert tcp $HOME_NET any -> [40.160.53.62] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633213/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t19.q9-j341.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"82.j-7m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6zy.l-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633209; rev:1;)
alert tcp $HOME_NET any -> [115.187.17.107] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mz4.q9-j341.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willy.fawkingblodibastard.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9z1.94e-w8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ug0.k7t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.q9-j341.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"00.0fv1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1633202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633202; rev:1;)
# domain rules (alert dns ... dns_query) in this section match only an exact,
# case-insensitive query for the listed name: depth equals the content length and
# isdataat:!1,relative requires that nothing follows it.
# ip:port rules (alert tcp ... -> [address] port) have no payload or flow keywords, so
# any TCP packet from $HOME_NET to that address and port matches; the threshold limits
# output to one alert per source host per 60 seconds. The malware family appears only
# in msg; nothing in the rule inspects the traffic for that family.
# NOTE(review): several of these use ports shared with ordinary web services (80, 443);
# corroborate with host or proxy telemetry before treating a hit as confirmed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"res34tgr.b0ats.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633201; rev:1;)
alert tcp $HOME_NET any -> [67.217.57.240] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633200; rev:1;)
alert tcp $HOME_NET any -> [168.245.200.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633199; rev:1;)
alert tcp $HOME_NET any -> [1.52.157.76] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633198; rev:1;)
alert tcp $HOME_NET any -> [45.130.229.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633197; rev:1;)
alert tcp $HOME_NET any -> [79.175.189.207] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633195; rev:1;)
alert tcp $HOME_NET any -> [102.117.169.47] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633196; rev:1;)
alert tcp $HOME_NET any -> [51.15.8.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633194; rev:1;)
alert tcp $HOME_NET any -> [212.162.149.196] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633192; rev:1;)
alert tcp $HOME_NET any -> [209.54.101.170] 7070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633193; rev:1;)
alert tcp $HOME_NET any -> [105.97.89.224] 5001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633191; rev:1;)
alert tcp $HOME_NET any -> [99.81.114.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633190; rev:1;)
alert tcp $HOME_NET any -> [101.34.205.214] 20443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.onlinetools99.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633188; rev:1;)
# url indicator with confidence_level 50, the lowest in this section. http.uri matches
# the prefix "/newclient" only (depth:10, nocase, no end anchor), so the exact
# http.host match (depth:17 plus isdataat:!1,relative) carries most of the specificity.
# NOTE(review): applies to parsed HTTP only; requests over TLS are not visible to this
# rule unless decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newclient"; depth:10; nocase; http.host; content:"loshped.clay.rest"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633187/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"purrinvestasia.sbs"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633186; rev:1;)
# VShell ip:port indicators. Each rule matches on destination address and port alone:
# there are no payload or flow keywords, so any TCP packet from $HOME_NET to the pair
# alerts, limited by the threshold to one alert per source host per 60 seconds.
# "target:src_ip" marks the internal source as the alert's target.
# Every address:port pair is its own rule and sid; some addresses are listed on
# several ports (45.135.118.214 on 2086 and 8880; 39.98.48.153 on 8888, 9999 and 8084).
# NOTE(review): a number of entries use ports conventionally associated with other
# services (80, 443, 3306, 8080); the "VShell" attribution lives in msg only, so
# corroborate with host telemetry before treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [8.134.195.179] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633185; rev:1;)
alert tcp $HOME_NET any -> [65.49.233.42] 3306 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633184; rev:1;)
alert tcp $HOME_NET any -> [52.77.66.67] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633183; rev:1;)
alert tcp $HOME_NET any -> [47.97.113.146] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633182; rev:1;)
alert tcp $HOME_NET any -> [47.76.220.58] 56789 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633181; rev:1;)
alert tcp $HOME_NET any -> [47.109.70.18] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633180; rev:1;)
alert tcp $HOME_NET any -> [45.135.118.214] 2086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633178; rev:1;)
alert tcp $HOME_NET any -> [45.135.118.214] 8880 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633179; rev:1;)
alert tcp $HOME_NET any -> [43.134.181.57] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633177; rev:1;)
alert tcp $HOME_NET any -> [39.98.48.153] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633175; rev:1;)
alert tcp $HOME_NET any -> [39.98.48.153] 9999 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633176; rev:1;)
alert tcp $HOME_NET any -> [39.98.48.153] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633174; rev:1;)
alert tcp $HOME_NET any -> [38.60.157.177] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633171; rev:1;)
alert tcp $HOME_NET any -> [39.100.65.211] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633172; rev:1;)
alert tcp $HOME_NET any -> [39.104.25.196] 30064 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633173; rev:1;)
alert tcp $HOME_NET any -> [38.207.178.252] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633169; rev:1;)
alert tcp $HOME_NET any -> [38.38.250.105] 8848 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633170; rev:1;)
alert tcp $HOME_NET any -> [38.162.117.244] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633167; rev:1;)
alert tcp $HOME_NET any -> [38.190.198.40] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633168; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.223] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633166; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.7] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633161; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.8] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633162; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.8] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1633163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633163; rev:1;)
# VShell ip:port indicators. Each rule matches on destination address and port alone:
# there are no payload or flow keywords, so any TCP packet from $HOME_NET to the pair
# alerts, limited by the threshold to one alert per source host per 60 seconds.
# Every address:port pair is its own rule and sid; the 208.87.204.x addresses below
# are each listed on ports 28576 and 60578, and 169.239.128.142 on 2082 and 8443.
# NOTE(review): entries on ports 80, 81 and 8443 share those ports with ordinary web
# services, and the "VShell" attribution lives in msg only; corroborate with host
# telemetry before treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [208.87.204.9] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633164; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.9] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633165; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.6] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633158; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.6] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633159; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.7] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633160; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.5] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633156; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.5] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633157; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.4] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633155; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.4] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633154; rev:1;)
alert tcp $HOME_NET any -> [198.20.133.15] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633153; rev:1;)
alert tcp $HOME_NET any -> [169.239.128.142] 2082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633151; rev:1;)
alert tcp $HOME_NET any -> [169.239.128.142] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633152; rev:1;)
alert tcp $HOME_NET any -> [152.136.137.115] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633150; rev:1;)
alert tcp $HOME_NET any -> [149.104.27.103] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633148; rev:1;)
alert tcp $HOME_NET any -> [149.104.29.60] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633149; rev:1;)
alert tcp $HOME_NET any -> [140.143.222.88] 18088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633146; rev:1;)
alert tcp $HOME_NET any -> [142.171.114.190] 8086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633147; rev:1;)
alert tcp $HOME_NET any -> [125.122.27.48] 8090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633145; rev:1;)
alert tcp $HOME_NET any -> [120.76.42.81] 25001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633144; rev:1;)
alert tcp $HOME_NET any -> [118.126.107.202] 18080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633143; rev:1;)
alert tcp $HOME_NET any -> [114.55.230.124] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633141; rev:1;)
alert tcp $HOME_NET any -> [114.67.98.107] 9999 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633142; rev:1;)
alert tcp $HOME_NET any -> [113.45.8.103] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633140; rev:1;)
alert tcp $HOME_NET any -> [113.44.78.152] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633139; rev:1;)
alert tcp $HOME_NET any -> [111.230.202.188] 18080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633138; rev:1;)
alert tcp $HOME_NET any -> [109.206.247.161] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633136; rev:1;)
alert tcp $HOME_NET any -> [110.42.232.120] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633137; rev:1;)
alert tcp $HOME_NET any -> [107.173.141.241] 81 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633135; rev:1;) alert tcp $HOME_NET any -> [103.197.25.8] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633132; rev:1;) alert tcp $HOME_NET any -> [103.20.220.19] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633133; rev:1;) alert tcp $HOME_NET any -> [104.145.210.130] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633134; rev:1;) alert tcp $HOME_NET any -> [103.197.25.8] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633131; rev:1;) alert tcp $HOME_NET any -> [101.33.208.25] 10001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"momscare.ae.risallanursing.ae"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"myminicabin.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mames33.wav"; depth:12; nocase; http.host; content:"87.120.126.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"theadventuresbook.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"womensfitnessplans.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"babyboomerlive.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1632688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stalbanspostboxes.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winstarplumbing.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aurorabuildings.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"idanreclub15.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masazkielce.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91632693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"starkeyranchnews.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healthcareblues.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zenodirect.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"theignitercopywriter.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uwielbienie.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"absorbersafety.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"helpbuildthedream.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lgbtqwebdesign.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lanadelreyoftour2025.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thebitcoinbeachclub.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tomsurtsey.com"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beatcandidanaturally.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trailkits.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"justiceforaldene.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homesecuritysystemsideas.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"niebezpieczna.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632716/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tenkif.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vaultofsalt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cashmoneysudan.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lagunalodgeecoresort.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ideacatcher.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632723; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hankwilliamsjrtour2025.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bokoskystudios.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skpneft.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.dev.ccm.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.thetavernonfourth.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hdt.wom.mybluehost.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fateluxurygoods.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"abanquet.bmssolutionz.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lu-marquardt.picassomedia.de"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kaestner-partner.picassomedia.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tracking.bubars.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1632748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bustaff.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"demo.printincbelize.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mantis.bubars.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i-like-ele-phants-verification.live"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tx88club.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632757/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_04; classtype:trojan-activity; sid:91632757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iamchallenge/verification/userid7383526"; depth:40; nocase; http.host; content:"i-like-ele-phants-verification.live"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poronin.naszemiejsce.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"myenerkind.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"themillennialdiyer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"piccololawoffices.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632760/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"turgetuganda.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vpsdevteam.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eventocontaduriafce.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tkagencia.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hxingsoft.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632765; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thuysanhoangtrungps.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/plugins/verification/cloudflare_challenge/not_a_robot/id6362572"; depth:72; nocase; http.host; content:"summerandsilver.co.uk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dca09ee3dc53f6a9.pages.dev"; depth:61; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rs.vbs"; depth:7; nocase; http.host; content:"95.164.53.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gvheltkk.msi"; depth:13; nocase; http.host; 
content:"95.164.53.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/ytasodysodisowqsytesodgsotasotusnjusn2qs"; depth:45; nocase; http.host; content:"94.156.154.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/4xi2fes6.mqd9i"; depth:23; nocase; http.host; content:"94.103.1.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/4xi2fes6.mqd9i"; depth:23; nocase; http.host; content:"gwqprwnu.vl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcvyu.wav"; depth:10; nocase; http.host; content:"elriosella.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632988/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/4iqvfcnr.k8w66"; depth:23; nocase; http.host; content:"94.103.1.38"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/4iqvfcnr.k8w66"; depth:23; nocase; http.host; content:"zttfosmo.rm"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632991; rev:1;) alert tcp $HOME_NET any -> [179.61.132.175] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633004/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_04; classtype:trojan-activity; sid:91633004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceptj8d40dcb4cb2.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thesmartboater.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1632680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91632680; rev:1;) alert tcp $HOME_NET any -> [1.14.199.57] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633129; rev:1;) alert tcp $HOME_NET any -> [202.155.12.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633127; rev:1;) alert tcp $HOME_NET any -> [202.155.12.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633128; rev:1;) alert tcp $HOME_NET any -> [111.228.6.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"intelupates.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633121/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633121; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"windowsdns.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633122/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633122; rev:1;)
# DNS "payload delivery" domain rules in this run, all tagged confidence_level 50 by the feed.
# Matching: dns_query (legacy spelling of the dns.query sticky buffer) selects the query name.
# depth equals the content length, so the name must start at offset 0, and isdataat:!1,relative
# requires that no byte follows it. The result is an exact, case-insensitive (nocase) match on
# the full query name; a subdomain of a listed name does not trigger the rule.
# target:src_ip records the querying $HOME_NET host as the target in the alert event.
# NOTE(review): at confidence_level 50 a hit is a lead to triage, not a confirmed infection;
# consider routing these by the metadata value separately from the 100% entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"amsisupport.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633123/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"biossysinternal.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633124/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"widgetservicecenter.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633125/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"bedenefuneralhome.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633120/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633120; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.105] 9660 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633118/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633118; rev:1;) alert tcp $HOME_NET any -> [198.46.178.148] 3678 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633119/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rownip.schneidstore.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633114/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rownipbackup.ga"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633115/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rownipbackup.tk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633116/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"u864246.nvpn.so"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633117/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lupend.ga"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633109/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lupendbackup.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lupendbackup.ga"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rownip.lupends.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rownip.mailredirect.ooo"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633113/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"lupend.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633108/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"programming-variation.gl.at.ply.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633107/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633107; rev:1;)
# HTTP "url" rules, all tagged confidence_level 50 by the feed. Each one requires an
# established client-to-server flow, a method buffer containing GET, a URI that begins with
# the listed path, and a host equal to the listed value.
#  - http.uri is anchored at the start only: depth equals the content length and there is no
#    isdataat, so a longer URI sharing the prefix (extra path or query string) also matches.
#    nocase makes the URI comparison case-insensitive.
#  - http.host is anchored at both ends (depth plus isdataat:!1,relative). Suricata
#    lower-cases this buffer, which is why no nocase follows it.
#  - These are `alert http` rules, so they only see requests the sensor can parse as HTTP;
#    the same URL fetched over TLS is not inspected unless traffic is decrypted upstream.
# Where the URI content is just "/" (sids 91633106, 91633103, 91633101), the URI condition is
# met by any request path starting with "/", so the rule in practice alerts on any GET to
# the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chenzx03.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633106/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633106; rev:1;)
# NOTE(review): the URI below appears to embed a second URL plus environment-variable-like
# text, presumably captured verbatim from a sample; check the referenced ThreatFox entry
# before relying on this rule to match live traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa1at/https:/salator.es/sa1at/os=windows_ntprocessor_level=6sessionname=consoles"; depth:81; nocase; http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633105/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa1at/c"; depth:8; nocase; http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633104/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server6.cdneurops.health"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633103/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"inqu-lazarus.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633102/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbjj.nageshks.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633101/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/privatetemporary.php"; depth:21; nocase; http.host; content:"62.109.7.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633100/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633100; rev:1;)
alert tcp $HOME_NET any -> [105.97.89.224] 1604 (msg:"ThreatFox
DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633099/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633099; rev:1;) alert tcp $HOME_NET any -> [196.251.71.142] 8889 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633098/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633098; rev:1;) alert tcp $HOME_NET any -> [122.112.246.204] 9955 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633097/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633097; rev:1;) alert tcp $HOME_NET any -> [38.242.197.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633095/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633095; rev:1;) alert tcp $HOME_NET any -> [206.237.120.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633096/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633096; rev:1;) alert tcp $HOME_NET any -> [107.173.221.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633094/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_11_04; classtype:trojan-activity; sid:91633094; rev:1;) alert tcp $HOME_NET any -> [38.12.31.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633093/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_04; classtype:trojan-activity; sid:91633093; rev:1;) alert tcp $HOME_NET any -> [213.152.176.152] 18938 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633091; rev:1;) alert tcp $HOME_NET any -> [213.152.176.152] 8056 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633092; rev:1;) alert tcp $HOME_NET any -> [91.92.240.212] 7705 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633090; rev:1;) alert tcp $HOME_NET any -> [3.250.141.115] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633089; rev:1;) alert tcp $HOME_NET any -> [168.245.200.14] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633086; rev:1;) alert tcp $HOME_NET any -> [168.245.200.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633087; rev:1;) alert tcp $HOME_NET any -> [168.245.200.7] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633088; rev:1;) alert tcp $HOME_NET any -> [168.245.200.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633085; rev:1;) alert tcp $HOME_NET any -> [102.96.215.80] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633084; rev:1;) alert tcp $HOME_NET any -> [45.132.50.107] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633083; rev:1;) 
# ip:port rules: there is no content or flow keyword, so any TCP packet from $HOME_NET to
# the listed address and port matches. The malware family in msg is the feed's label for the
# endpoint; the rule itself does not inspect the protocol spoken on the connection.
#  - threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one alert per
#    source address per 60 seconds.
#  - target:src_ip records the $HOME_NET host as the target in the alert event.
# NOTE(review): a hit shows a connection attempt to a listed endpoint, nothing more. Addresses
# get reassigned, and first_seen is the only age indicator in the rule, so confirm with
# host or flow evidence before treating the source as compromised.
alert tcp $HOME_NET any -> [173.249.42.140] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633082; rev:1;)
alert tcp $HOME_NET any -> [31.222.235.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633081; rev:1;)
alert tcp $HOME_NET any -> [164.68.120.30] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633080; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.73] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633077; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.73] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633078; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.73] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1633079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633079; rev:1;) alert tcp $HOME_NET any -> [191.101.130.68] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633074; rev:1;) alert tcp $HOME_NET any -> [94.154.35.73] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633075; rev:1;) alert tcp $HOME_NET any -> [94.154.35.73] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633076; rev:1;) alert tcp $HOME_NET any -> [185.100.157.156] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633073; rev:1;) alert tcp $HOME_NET any -> [8.211.9.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633072; rev:1;) alert tcp $HOME_NET any -> [109.199.119.43] 2404 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633070; rev:1;) alert tcp $HOME_NET any -> [104.250.169.66] 1771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633071; rev:1;) alert tcp $HOME_NET any -> [196.251.114.23] 2525 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633069; rev:1;) alert tcp $HOME_NET any -> [158.94.208.224] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633068; rev:1;) alert tcp $HOME_NET any -> [38.12.24.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633066; rev:1;) alert tcp $HOME_NET any -> [38.12.31.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633067/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_04; classtype:trojan-activity; sid:91633067; rev:1;) alert tcp $HOME_NET any -> [196.251.71.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633065; rev:1;) alert tcp $HOME_NET any -> [38.12.31.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633064/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633064; rev:1;) alert tcp $HOME_NET any -> [192.253.227.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633063/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633063; rev:1;) alert tcp $HOME_NET any -> [192.252.179.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633062/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633062; rev:1;) alert tcp $HOME_NET any -> [167.88.168.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633061/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.cioudfiore.xyz"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633060/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cs.miu24.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633059/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_04; classtype:trojan-activity; sid:91633059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.tyj-4b.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9.l-ly.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633056; rev:1;) alert tcp $HOME_NET any -> [173.249.42.140] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633055; rev:1;) alert tcp $HOME_NET any -> [36.255.98.59] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; 
classtype:trojan-activity; sid:91633054; rev:1;) alert tcp $HOME_NET any -> [88.125.229.221] 40443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633053; rev:1;) alert tcp $HOME_NET any -> [178.16.53.140] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633052; rev:1;) alert tcp $HOME_NET any -> [205.234.144.107] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633051; rev:1;) alert tcp $HOME_NET any -> [158.94.208.80] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633050; rev:1;) alert tcp $HOME_NET any -> [158.94.208.81] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633049; rev:1;) alert tcp $HOME_NET any -> [158.94.208.89] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1633048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633048; rev:1;)
# ---- Reading the rules below (three generated shapes) ----
# ip:port rules ("alert tcp ... -> [IP] PORT"): no flow or payload keywords, so they
#   key on destination address and port alone; "threshold: type limit, track by_src,
#   seconds 60, count 1" caps output at one alert per source host per 60 seconds.
# domain rules ("alert dns ... dns_query"): depth equals the pattern length and
#   isdataat:!1,relative forbids trailing bytes, so the queried name must equal the
#   listed string exactly (nocase); other labels under the same parent domain do not
#   match unless they have their own rule.
# url rules ("alert http ..."): GET requests on established client-side flows, matched
#   on a URI prefix plus an exact Host value.
# In every rule, target:src_ip tags the $HOME_NET sender as the alert's target, and the
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# confidence_level (repeated in msg) takes the values 50, 75, 90 and 100 in this part of
# the file; it is the natural field to triage or filter on.
alert tcp $HOME_NET any -> [38.12.31.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633047; rev:1;)
alert tcp $HOME_NET any -> [49.233.204.250] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_04; classtype:trojan-activity; sid:91633046; rev:1;)
# Exact-name DNS rules; several hosts share a parent domain (e.g. k0xx-i4.ru, tyj-4b.ru),
# each listed as its own IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x19.k0xx-i4.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mg.k7t0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ewo.0fv1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n8r.k0xx-i4.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mz7.tyj-4b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h6.3u-6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3rd.67tf.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.tyj-4b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q5.k0xx-i4.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9hb.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633036; rev:1;)
# ip:port rules on 443 match on address and port only; nothing here inspects TLS or payload.
alert tcp $HOME_NET any -> [124.156.150.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633034; rev:1;)
alert tcp $HOME_NET any -> [209.182.233.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633035; rev:1;)
alert tcp $HOME_NET any -> [20.64.238.187] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633033; rev:1;)
alert tcp $HOME_NET any -> [1.52.157.76] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633032; rev:1;)
alert tcp $HOME_NET any -> [102.205.170.10] 7089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633031; rev:1;)
alert tcp $HOME_NET any -> [35.226.112.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633030; rev:1;)
# Domain rule labelled "botnet C2 traffic" rather than "payload delivery"; same exact-name match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.relatec.it.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633029; rev:1;)
alert tcp $HOME_NET any -> [129.212.186.153] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633028; rev:1;)
alert tcp $HOME_NET any -> [64.120.88.36] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633027; rev:1;)
# The next four Sliver ip:port rules carry confidence_level 90.
alert tcp $HOME_NET any -> [172.104.138.71] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633026/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_03; classtype:trojan-activity; sid:91633026; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.109] 17006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633024/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_03; classtype:trojan-activity; sid:91633024; rev:1;)
alert tcp $HOME_NET any -> [45.131.46.199] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633025/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_03; classtype:trojan-activity; sid:91633025; rev:1;)
alert tcp $HOME_NET any -> [172.86.70.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633023/; target:src_ip; metadata: confidence_level 90, first_seen 2025_11_03; classtype:trojan-activity; sid:91633023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rk8.pdv4m6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633022; rev:1;)
# confidence_level 75.
alert tcp $HOME_NET any -> [124.230.180.151] 9999 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633021/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91633021; rev:1;)
alert tcp $HOME_NET any -> [38.12.31.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633019; rev:1;)
alert tcp $HOME_NET any -> [38.12.24.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0x.do-04d2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1d.71o9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jo.yldv.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.pdv4m6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3h.do-04d2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8r.ha0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633013; rev:1;)
alert tcp $HOME_NET any -> [128.140.88.216] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1633012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633012; rev:1;)
# The two hosts below are covered twice: first as DNS names, then as URL rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"re.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"re.bestjacksonvillehotels.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633011; rev:1;)
# url rules: http.uri content "/" with depth:1 and no end anchor matches every path, so
# these fire on any GET whose Host equals the listed name exactly. They only apply where
# Suricata can parse the request as HTTP (cleartext or decrypted traffic).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re.bestjacksonvillehotels.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1633009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gf.g7ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t92.do-04d2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1fu.si9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ghu.to1j.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0q9.pdv4m6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"izw.mjg1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1633001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91633001; rev:1;)
alert tcp $HOME_NET any -> [148.113.165.11] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gt.yu5k.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7m.pdv4m6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1n.do-04d2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7f.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ikx.1r55.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.pdv4m6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4q.do-04d2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j8e.8786.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sc.5x7u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iw.p8ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7.do-04d2.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8mr.71o9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7p2.9m94k8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7hb.yldv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yn.ha0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"privileged.iranbelaaghnea.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632777; rev:1;)
# Port 80 ip:port rule: still address-and-port only, no HTTP keywords.
alert tcp $HOME_NET any -> [83.229.126.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w5t.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0m3.8j4-5-6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5c5.si9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gn8.8j4-5-6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5j.to1j.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0x.9m94k8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7.8j4-5-6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sp5.mjg1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2wq.8j4-5-6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632755; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8fz.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz1.8j4-5-6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"le.no4s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632737; rev:1;)
# confidence_level 50 url rules: the URI is a case-insensitive prefix match ("/login/",
# "/sa1at/s") and Host must equal salator.es exactly. "/login/" is a generic path, so the
# Host match carries the rule. NOTE(review): no domain rule for this host is visible in
# this part of the file, so only parsed HTTP requests are covered here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa1at/s"; depth:8; nocase; http.host; content:"salator.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632735; rev:1;)
# confidence_level 50 ip:port rule.
alert tcp $HOME_NET any -> [182.16.98.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8q.9m94k8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5h.1r55.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632730; rev:1;)
# From here to the last ip:port rule below, confidence_level is 50 or 75. These rules
# still match on address and port alone, so corroborate a hit with other host or
# network evidence before acting on it.
alert tcp $HOME_NET any -> [75.2.11.125] 8117 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632729/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632729; rev:1;)
alert tcp $HOME_NET any -> [64.226.121.55] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632727/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632727; rev:1;)
# Three confidence_level 50 rules for 102.205.170.10 that differ only in port (2083,
# 55443, 444); the same address appears earlier on port 7089 at confidence_level 100.
alert tcp $HOME_NET any -> [102.205.170.10] 2083 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632726; rev:1;)
alert tcp $HOME_NET any -> [102.205.170.10] 55443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632724; rev:1;)
alert tcp $HOME_NET any -> [102.205.170.10] 444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632725; rev:1;)
alert tcp $HOME_NET any -> [198.244.224.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632721; rev:1;)
alert tcp $HOME_NET any -> [4.197.222.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632722; rev:1;)
alert tcp $HOME_NET any -> [45.154.207.121] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632720/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632720; rev:1;)
alert tcp $HOME_NET any -> [157.245.46.190] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632711/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632711; rev:1;)
alert tcp $HOME_NET any -> [149.202.172.138] 20153 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632710/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632710; rev:1;)
alert tcp $HOME_NET any -> [142.247.189.91] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632708/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632708; rev:1;)
alert tcp $HOME_NET any -> [13.40.151.143] 21 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632707/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632707; rev:1;)
alert tcp $HOME_NET any -> [13.234.100.140] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632705/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632705; rev:1;)
alert tcp $HOME_NET any -> [114.66.58.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632704/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91632704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4.8j4-5-6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632695; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdg.8786.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.9m94k8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"df.5x7u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4d3.f-o-9bt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ip1.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.71o9.ru"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideas-anniversary.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ithelpdesk.theworkpc.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opaoakkawkbao-52690.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632673; rev:1;) alert tcp $HOME_NET any -> [160.187.246.182] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"line-bears.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632671/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hxn.f-o-9bt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4kw.5g-t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"36.yldv.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ta5.ha0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p01.f-o-9bt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632666; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9td2.5g-t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632665; rev:1;) alert tcp $HOME_NET any -> [77.90.39.122] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632641/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_03; classtype:trojan-activity; sid:91632641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4j5.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3i7.si9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7qk.f-o-9bt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rt.to1j.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"id.mjg1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632656; rev:1;) alert tcp $HOME_NET any -> [158.94.208.219] 54982 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bfb.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cv8.f-o-9bt.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i6y.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2.f-o-9bt.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2rf.1r55.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tci.8786.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0o3.5x7u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz3.g6xt-5n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"m9y.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1.71o9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3ha.5g-t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b5k2.g6xt-5n.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6.yldv.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632640; rev:1;) alert tcp $HOME_NET any -> [46.224.37.190] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632639/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632639; rev:1;) alert tcp $HOME_NET any -> [185.137.92.3] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632638; rev:1;) alert tcp $HOME_NET any -> [5.39.223.106] 9999 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632637; rev:1;) alert tcp $HOME_NET any -> [86.105.4.101] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632636; rev:1;) alert tcp $HOME_NET any -> [46.101.120.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632635; rev:1;) alert tcp $HOME_NET any -> [45.59.124.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632633; rev:1;) alert tcp $HOME_NET any -> [13.40.163.197] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632634; rev:1;) alert tcp $HOME_NET any -> [146.103.40.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632631; rev:1;) alert tcp $HOME_NET any -> [185.22.153.103] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632632; rev:1;) alert tcp $HOME_NET any -> [164.68.120.30] 60 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632630; rev:1;) alert tcp $HOME_NET any -> [38.12.24.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632628; rev:1;) alert tcp $HOME_NET any -> [38.12.24.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632629; rev:1;) 
# ThreatFox IOC rules (first_seen 2025_11_03), laid out one rule per line.
# Each sid is the ThreatFox IOC id from the rule's reference URL, prefixed with 9.
# target:src_ip marks the $HOME_NET host that opened the connection or sent the
# lookup as the affected side in the alert record.
#
# ip:port rules: there is no payload, flow or flags condition, so any TCP packet
# from $HOME_NET to the listed address and port matches, including a SYN that is
# never answered. threshold (type limit, track by_src) keeps this to one alert per
# source address per 60 seconds. A hit shows contact with the address, nothing more.
# NOTE(review): addresses on port 443 may be shared or reassigned hosting; correlate
# with host telemetry and check the IOC's age before acting on a single alert.
alert tcp $HOME_NET any -> [38.12.31.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632627; rev:1;)
alert tcp $HOME_NET any -> [124.222.218.20] 2345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632626; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative rejects any
# byte after the match, so the queried name must equal the listed domain exactly
# (case-insensitively, via nocase). A deeper subdomain of the listed name does not
# match. dns_query is the older spelling of the dns.query buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7rp.5g-t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9m.g6xt-5n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zts.ha0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vy6.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632622; rev:1;)
# URL rules: client-side traffic on an established flow whose method contains GET,
# whose URI starts with the listed path (depth anchors the start only, so longer
# paths and query strings also match) and whose host equals the listed value exactly.
# The companion domain rule for the same host covers the lookup; these cover the
# request itself, which is only visible for cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6s9s.js"; depth:8; nocase; http.host; content:"graffetti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"graffetti.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"graffetti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/codebase5533"; depth:13; nocase; http.host; content:"72.5.43.147"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test6633"; depth:9; nocase; http.host; content:"72.5.43.147"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"dotauan.pro"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dotauan.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"dotauan.pro"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632449; rev:1;)
# NOTE(review): unlike the URL rules above, this one has no http.host match and looks
# for the IP address at the very start of http.uri (depth:13 equals the content
# length). A request URI normally begins with "/", so this is unlikely to fire on
# ordinary requests. It looks as if the host of a path-less URL IOC ended up in the
# URI match; TODO confirm against the ThreatFox entry. If so, coverage for this IOC
# needs an http.host match or an ip-based rule instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.144.109"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1632452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"dotauan.pro"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632450; rev:1;)
# NOTE(review): same shape as sid 91632452 (IP address matched at the start of
# http.uri, no http.host); the same doubt about whether it can match applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.144.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1632453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq0.g6xt-5n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xjh.si9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632620; rev:1;)
# The feed rates this IOC at confidence_level 50, lower than the 100-rated rules
# above; weigh alerts from it accordingly when triaging.
alert tcp $HOME_NET any -> [84.38.129.67] 1477 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"whitegoldgivenbestthingsangelbabygirlinm.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"api.mangawizard.lol"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yphervra.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632616/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.olgetriggerd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ollkredits.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632599/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"www.ono-777-app-download.ws"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632600/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.onuloanajency.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oopbytehq.digital"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632602/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ortunecoins2.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632603/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ourburger.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632604/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.po333-login1.sbs"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632605/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rtprintdeluxestudio.store"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632606/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sarush.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632607/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.semeetaltoapp.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632608/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sshy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632609/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tephschuurman.ca"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632610/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tudiopaznokcibytow.pl"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632611/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uiact.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632612/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.upermagicalvacations.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632613/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uttercleaningpasadenamd.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632614/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wnerstrategyservices.help"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632615/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632615; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heorangesky.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hytr.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iaomich.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ichesitenames.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iguanzhang.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; 
dns_query; content:"www.ilgikitchenmart.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.illmarkt.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.innacle-ese.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.inoption.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.klasdcfi.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632590/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kwsmweb3.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1632591/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mmmr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632592/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nchdigitalmedia.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632593/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.noitusd.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632594/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nott.app"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632595/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.num.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632596/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; 
sid:91632596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.obbyfigstore.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632597/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bgwekjage.icu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632564/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.btuni.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632565/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dfcpa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632566/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ealastr.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632567/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; 
dns_query; content:"www.ecger.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632568/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ech4today.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632569/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ecproject.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632570/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.efime.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632571/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ellovidesh.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632572/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.enirelax.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1632573/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.entwise.city"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ext-tamers.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fiidea.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fkd-vertriebspartner.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gacede.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.grkxrnvnc.tattoo"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.h0u7k.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.033betx.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632552/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.0bvisuals.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632553/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.3qor75s.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"www.952k.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aburgeoise.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.akora.io"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.alahyamout.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632558/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amakobet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amilytideshealth.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1632560/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ariatrictoilet.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632561/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.atiotechhub.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632562/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.axcivanbank.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632563/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632563; rev:1;)
# ThreatFox URL IOCs (msg "botnet C2 traffic", confidence_level 50): client-to-server GET requests on
# established flows (flow:established,from_client; http.method content "GET").
# http.uri must begin with "/te56/" (depth:6, nocase); anything may follow that prefix.
# http.host must equal the listed name exactly: depth equals the name length and isdataat:!1,relative
# requires that nothing follows it. The host content has no nocase; http.host is the lowercased
# buffer, so the lowercase literal is what gets compared.
# These rules see cleartext HTTP only. For a host reached over TLS the coverage in this file is the
# dns rule for the same name, where one exists (e.g. www.wnerstrategyservices.help, sid:91632615).
# The rules visible here differ only in host name; the malware family is not stated in the rule and
# has to be read from the referenced ThreatFox entry.
# NOTE(review): confidence_level is 50 - treat a hit as a triage lead and correlate it with the
# dns alert for the same client before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.wnerstrategyservices.help"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632550/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host;
content:"www.yphervra.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632551/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.rtprintdeluxestudio.store"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.sarush.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.semeetaltoapp.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.sshy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.tephschuurman.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.tudiopaznokcibytow.pl"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.uiact.tech"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632547/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.upermagicalvacations.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632548/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.uttercleaningpasadenamd.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.obbyfigstore.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.olgetriggerd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ollkredits.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ono-777-app-download.ws"; depth:27; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.onuloanajency.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.oopbytehq.digital"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ortunecoins2.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ourburger.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; 
sid:91632539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.po333-login1.sbs"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.innacle-ese.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.inoption.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.klasdcfi.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.kwsmweb3.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.mmmr.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.nchdigitalmedia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.noitusd.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.nott.app"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632530/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.num.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.grkxrnvnc.tattoo"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.h0u7k.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.heorangesky.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.hytr.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.iaomich.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ichesitenames.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.iguanzhang.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ilgikitchenmart.com"; 
depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.illmarkt.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ecproject.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.efime.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ellovidesh.click"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632507; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.enirelax.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.entwise.city"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ext-tamers.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.fiidea.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/te56/"; depth:6; nocase; http.host; content:"www.fkd-vertriebspartner.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.gacede.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ariatrictoilet.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.atiotechhub.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.axcivanbank.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632498/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.bgwekjage.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632499/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.btuni.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632500/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.dfcpa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ealastr.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ecger.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.ech4today.store"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.033betx.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632487/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.0bvisuals.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.3qor75s.top"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632489/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.952k.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632490/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.aburgeoise.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.akora.io"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.alahyamout.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632493; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.amakobet.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/te56/"; depth:6; nocase; http.host; content:"www.amilytideshealth.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632495/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632495; rev:1;) alert tcp $HOME_NET any -> [121.89.205.206] 195 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632486; rev:1;) alert tcp $HOME_NET any -> [185.149.24.121] 11044 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1hi.to1j.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632484; rev:1;) 
# ---------------------------------------------------------------------------
# ip:port indicators (botnet C2), first_seen 2025_11_03
#
# Each rule alerts on TCP traffic from $HOME_NET to one listed address and port.
# No flow state or payload condition is set, so a bare connection attempt is
# enough to alert; a hit shows that a host tried to reach the endpoint, not that
# a C2 session was established.
# threshold (type limit, track by_src, count 1, seconds 60) emits at most one
# alert per source address per 60 seconds, so alert volume understates the
# number of attempts; use flow records to count them.
# target:src_ip marks the internal host as the affected side in event output.
# NOTE(review): every entry here carries confidence_level 50 and several use
# ports 80/443/8888; presumably some of these addresses are shared or
# reassignable, so corroborate with the referenced ThreatFox entry and host
# telemetry before blocking. The metadata holds first_seen only, so indicator
# ageing has to be handled by local policy.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [141.95.10.48] 27015 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632483; rev:1;)
alert tcp $HOME_NET any -> [5.253.86.251] 4434 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632482; rev:1;)
alert tcp $HOME_NET any -> [207.148.70.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632481/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632481; rev:1;)
alert tcp $HOME_NET any -> [146.103.11.211] 80 (msg:"ThreatFox KillDisk (Lazarus) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632479; rev:1;)
alert tcp $HOME_NET any -> [23.95.162.249] 8888 (msg:"ThreatFox KillDisk (Lazarus) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632480; rev:1;)
alert tcp $HOME_NET any -> [193.151.108.39] 443 (msg:"ThreatFox KillDisk (Lazarus) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632478; rev:1;)
alert tcp $HOME_NET any -> [144.168.45.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632475/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632475; rev:1;)
alert tcp $HOME_NET any -> [18.220.52.24] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632476; rev:1;)
alert tcp $HOME_NET any -> [54.177.100.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632477; rev:1;)
alert tcp $HOME_NET any -> [199.101.96.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632471; rev:1;)
alert tcp $HOME_NET any -> [107.21.81.130] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632472; rev:1;)
alert tcp $HOME_NET any -> [89.150.128.9] 8001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632473; rev:1;)
alert tcp $HOME_NET any -> [194.79.223.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632468; rev:1;)
alert tcp $HOME_NET any -> [164.92.163.203] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632469; rev:1;)
alert tcp $HOME_NET any -> [51.210.105.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632470; rev:1;)
# ---------------------------------------------------------------------------
# domain indicators (payload delivery), confidence_level 100
#
# dns_query selects the queried name. content at depth N, where N is the length
# of the listed name, followed by isdataat:!1,relative means the query must
# equal that name exactly; nocase makes the comparison case-insensitive.
# Other host labels under the same parent domain do not match. g6xt-5n.ru
# appears here under two labels (xr7, a1), so a DNS-log search on the parent
# domains is a useful complement to these exact-match rules.
# An alert records a lookup from the source host; it does not show that a
# payload was retrieved.
# NOTE(review): where clients use an internal recursive resolver, the alerting
# source is presumably the resolver; map back to the client through resolver
# logs.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gxc.mjg1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xr7.g6xt-5n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9k.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6f0.5g-t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.no4s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.g6xt-5n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5.1r55.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sog.8786.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4w.k8cr-9b.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.5x7u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632458; rev:1;)
# ---------------------------------------------------------------------------
# url indicators (botnet C2), confidence_level 100
#
# Matches client-to-server GET requests on an established flow where http.host
# equals the listed name (depth = name length plus isdataat:!1,relative) and
# http.uri begins with "/". As request paths begin with "/", the URI condition
# adds little selectivity: in effect any GET to these hosts alerts.
# http.host is Suricata's normalized, lower-cased host buffer, so the
# lower-case content matches without nocase.
# These rules see parsed HTTP only; requests to the same hosts over TLS are
# outside their coverage.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"at.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"at.atlantaoralandfacialsurgery.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9rq3.l-ly.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gy9.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"46.71o9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hp.k8cr-9b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"00x.yldv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8n.ha0m.ru"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p2vk.l-ly.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6c.g7ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9t1.k8cr-9b.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coming-soon-page/"; depth:18; nocase; http.host; content:"kerasno.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632439/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/k/index.php/index.php"; depth:22; nocase; http.host; content:"spolop.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1632440/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91632440; rev:1;)
# Domain indicators (payload delivery), matched on the DNS query name.
# Each rule compares the whole queried name: depth equals the length of the content
# string and isdataat:!1,relative requires that nothing follows it, so a longer name
# (for example a further sub-domain) does not match; nocase ignores letter case.
# In every rule here the sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2u8.si9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h8ny.l-ly.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"15.to1j.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632436; rev:1;)
# ip:port indicator (ValleyRAT C2). Header-only rule: it carries no payload or flow
# keywords, so any TCP packet from $HOME_NET to this address and port matches; the
# threshold keeps it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [101.32.12.74] 904 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632435; rev:1;)
# Domain indicators (payload delivery), same exact-name DNS match as above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2a.k8cr-9b.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"48.mjg1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4xf.3u-6.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mk3.k8cr-9b.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hb.yu5k.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gci.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"54.1r55.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.8786.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7pj2.3u-6.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9j5.5x7u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.k8cr-9b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cnp.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632418; rev:1;)
# ip:port indicators (VShell C2). Header-only rules: no payload or flow keywords, so any
# TCP packet from $HOME_NET to the listed address and port matches. threshold (type limit,
# track by_src, seconds 60, count 1) caps each rule at one alert per source address per
# 60 seconds; target:src_ip marks the $HOME_NET side as the target in alert output.
# NOTE(review): an alert records traffic toward a listed endpoint, not a confirmed C2
# session. Some entries use common service ports such as 80, so corroborate with flow or
# host telemetry before acting, and age entries out using the first_seen value in metadata.
alert tcp $HOME_NET any -> [83.229.123.240] 61144 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632412; rev:1;)
alert tcp $HOME_NET any -> [83.229.127.87] 32417 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632413; rev:1;)
alert tcp $HOME_NET any -> [89.117.94.105] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632414; rev:1;)
alert tcp $HOME_NET any -> [89.117.94.105] 81 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632415; rev:1;)
alert tcp $HOME_NET any -> [89.187.28.33] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632416; rev:1;)
alert tcp $HOME_NET any -> [91.222.174.12] 8084
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632417; rev:1;)
# ip:port indicators (VShell C2), one rule per listed address and port.
# These are header-only rules: with no payload or flow keywords, any TCP packet from
# $HOME_NET to the endpoint matches, and the threshold limits each rule to one alert per
# source address per 60 seconds. The sid is the ThreatFox IOC id with a leading 9.
# NOTE(review): several endpoints sit on common service ports (80, 443, 8080, 8443), so an
# alert shows traffic toward a listed address rather than a confirmed C2 session;
# corroborate with flow or host telemetry and age entries out using first_seen.
alert tcp $HOME_NET any -> [8.219.90.249] 8848 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632405; rev:1;)
alert tcp $HOME_NET any -> [80.78.28.83] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632406; rev:1;)
alert tcp $HOME_NET any -> [81.68.216.108] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632407; rev:1;)
alert tcp $HOME_NET any -> [81.69.229.149] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632408; rev:1;)
alert tcp $HOME_NET any -> [81.69.229.149] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632409; rev:1;)
alert tcp $HOME_NET any -> [82.156.90.23] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632410; rev:1;)
alert tcp $HOME_NET any -> [82.156.90.23] 8202 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632411; rev:1;)
alert tcp $HOME_NET any -> [8.162.1.19] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632398; rev:1;)
alert tcp $HOME_NET any -> [8.212.61.168] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632399; rev:1;)
alert tcp $HOME_NET any -> [8.217.84.95] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632400; rev:1;)
alert tcp $HOME_NET any -> [8.218.211.12] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632401; rev:1;)
alert tcp $HOME_NET any -> [8.219.171.47] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632402; rev:1;)
alert tcp $HOME_NET any -> [8.219.90.249] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632403; rev:1;)
alert tcp $HOME_NET any -> [8.219.90.249] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632404; rev:1;)
alert tcp $HOME_NET any -> [74.119.193.253] 9200 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632390; rev:1;)
alert tcp $HOME_NET any -> [77.37.44.6] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632391; rev:1;)
alert tcp $HOME_NET any -> [8.130.190.133] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632392; rev:1;)
alert tcp $HOME_NET any -> [8.136.56.202] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632393; rev:1;)
alert tcp $HOME_NET any -> [8.138.101.146] 3022 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632394; rev:1;)
alert tcp $HOME_NET any -> [8.140.29.89] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632395; rev:1;)
alert tcp $HOME_NET any -> [8.152.98.250] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632396; rev:1;)
alert tcp $HOME_NET any -> [8.152.98.250] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632397; rev:1;)
alert tcp $HOME_NET any -> [64.112.43.97] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632384; rev:1;)
alert tcp $HOME_NET any -> [66.103.223.68] 8082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632385; rev:1;)
alert tcp $HOME_NET any -> [68.64.176.125] 10001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632386; rev:1;)
alert tcp $HOME_NET any -> [68.64.176.141] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632387; rev:1;)
alert tcp $HOME_NET any -> [68.64.176.181] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632388; rev:1;)
alert tcp $HOME_NET any -> [68.64.176.182] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632389; rev:1;)
alert tcp $HOME_NET any -> [62.182.80.147] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632380; rev:1;)
alert tcp $HOME_NET any -> [62.182.80.169] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632381; rev:1;)
alert tcp $HOME_NET any -> [62.234.97.159] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632382; rev:1;)
alert tcp $HOME_NET any -> [64.112.43.97] 2082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632383; rev:1;)
alert tcp $HOME_NET any -> [51.79.248.199] 8848 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632376; rev:1;)
alert tcp $HOME_NET any -> [59.110.162.216] 10000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632377; rev:1;)
alert tcp $HOME_NET any -> [59.110.47.206] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632378; rev:1;)
alert tcp $HOME_NET any -> [62.182.80.140] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632379; rev:1;)
alert tcp $HOME_NET any -> [47.96.175.34] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632366; rev:1;)
alert tcp $HOME_NET any -> [47.97.0.198] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632367; rev:1;)
alert tcp $HOME_NET any -> [47.97.46.118] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632368; rev:1;)
alert tcp $HOME_NET any -> [47.97.46.118] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632369; rev:1;)
alert tcp $HOME_NET any -> [49.232.102.63] 10222 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632370; rev:1;)
alert tcp $HOME_NET any -> [49.232.102.63] 22322 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632371; rev:1;)
alert tcp $HOME_NET any -> [49.232.236.39] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632372; rev:1;)
alert tcp $HOME_NET any -> [49.232.70.27] 49952 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632373; rev:1;)
alert tcp $HOME_NET any -> [49.234.9.184] 10000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1632374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632374; rev:1;)
# ip:port indicators (VShell C2), one rule per listed address and port.
# Header-only matching: there are no payload or flow keywords, so any TCP packet from
# $HOME_NET to the endpoint fires the rule, limited by the threshold to one alert per
# source address per 60 seconds. The sid is the ThreatFox IOC id with a leading 9.
# NOTE(review): this run includes ports normally used by other services (80, 443, 1433,
# 5432, 6379), so a hit means traffic toward a listed address, not a confirmed C2 session;
# corroborate with flow or host telemetry and age entries out using first_seen.
alert tcp $HOME_NET any -> [49.235.159.185] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632375; rev:1;)
alert tcp $HOME_NET any -> [47.76.237.133] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632358; rev:1;)
alert tcp $HOME_NET any -> [47.76.245.121] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632359; rev:1;)
alert tcp $HOME_NET any -> [47.82.101.184] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632360; rev:1;)
alert tcp $HOME_NET any -> [47.92.133.35] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632361; rev:1;)
alert tcp $HOME_NET any -> [47.92.232.28] 6379 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632362; rev:1;)
alert tcp $HOME_NET any -> [47.92.232.28] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632363; rev:1;)
alert tcp $HOME_NET any -> [47.94.8.197] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632364; rev:1;)
alert tcp $HOME_NET any -> [47.94.8.197] 8090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632365; rev:1;)
alert tcp $HOME_NET any -> [47.121.130.60] 10086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632350; rev:1;)
alert tcp $HOME_NET any -> [47.122.125.91] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632351; rev:1;)
alert tcp $HOME_NET any -> [47.122.144.43] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632352; rev:1;)
alert tcp $HOME_NET any -> [47.122.144.43] 8091 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632353; rev:1;)
alert tcp $HOME_NET any -> [47.129.128.140] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632354; rev:1;)
alert tcp $HOME_NET any -> [47.243.241.78] 60607 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632355; rev:1;)
alert tcp $HOME_NET any -> [47.243.241.78] 60608 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632356; rev:1;)
alert tcp $HOME_NET any -> [47.76.108.54] 8880 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632357; rev:1;)
alert tcp $HOME_NET any -> [47.103.27.212] 5432 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632341; rev:1;)
alert tcp $HOME_NET any -> [47.103.27.212] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632342; rev:1;)
alert tcp $HOME_NET any -> [47.109.158.85] 9080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632343; rev:1;)
alert tcp $HOME_NET any -> [47.109.96.127] 18080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632344; rev:1;)
alert tcp $HOME_NET any -> [47.109.96.127] 18088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632345; rev:1;)
alert tcp $HOME_NET any -> [47.116.23.8] 8081 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632346; rev:1;)
alert tcp $HOME_NET any -> [47.116.23.8] 9094 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632347; rev:1;)
alert tcp $HOME_NET any -> [47.120.42.92] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632348; rev:1;)
alert tcp $HOME_NET any -> [47.121.130.232] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632349; rev:1;)
alert tcp $HOME_NET any -> [45.221.97.104] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632333; rev:1;)
alert tcp $HOME_NET any -> [45.32.99.90] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632334; rev:1;)
alert tcp $HOME_NET any -> [45.32.99.90] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632335; rev:1;)
alert tcp $HOME_NET any -> [45.61.136.39] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632336; rev:1;)
alert tcp $HOME_NET any -> [45.63.120.124] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632337; rev:1;)
alert tcp $HOME_NET any -> [45.82.252.165] 48084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632338; rev:1;)
alert tcp $HOME_NET any -> [47.100.137.246] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632339; rev:1;)
alert tcp $HOME_NET any -> [47.101.61.246] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632340; rev:1;)
alert tcp $HOME_NET any -> [43.251.102.129] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632324; rev:1;)
alert tcp $HOME_NET any -> [43.251.102.129] 8089 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632325; rev:1;)
alert tcp $HOME_NET any -> [43.251.102.129] 8090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632326; rev:1;)
alert tcp $HOME_NET any -> [45.125.32.193] 2083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632327; rev:1;)
alert tcp $HOME_NET any -> [45.144.137.227] 2345 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632328; rev:1;)
alert tcp $HOME_NET any -> [45.144.137.235] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632329; rev:1;)
alert tcp $HOME_NET any -> [45.152.65.232] 28844 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632330; rev:1;)
alert tcp $HOME_NET any -> [45.152.67.128] 8568 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632331; rev:1;)
alert tcp $HOME_NET any -> [45.152.67.129] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632332; rev:1;)
alert tcp $HOME_NET any -> [43.138.186.236] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632316; rev:1;)
alert tcp $HOME_NET any -> [43.139.208.225] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632317; rev:1;)
alert tcp $HOME_NET any -> [43.139.67.72] 9090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632318; rev:1;)
alert tcp $HOME_NET any -> [43.207.90.226] 10443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632319; rev:1;)
alert tcp $HOME_NET any -> [43.207.90.226] 7443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632320; rev:1;)
alert tcp $HOME_NET any -> [43.207.90.226] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632321; rev:1;)
alert tcp $HOME_NET any -> [43.207.90.226] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632322; rev:1;)
alert tcp $HOME_NET any -> [43.224.227.197] 1433 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632323/; target:src_ip; metadata: confidence_level 100, first_seen
2025_11_03; classtype:trojan-activity; sid:91632323; rev:1;) alert tcp $HOME_NET any -> [42.192.60.49] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632306; rev:1;) alert tcp $HOME_NET any -> [43.100.87.224] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632307; rev:1;) alert tcp $HOME_NET any -> [43.128.111.202] 8001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632308; rev:1;) alert tcp $HOME_NET any -> [43.128.85.19] 6677 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632309; rev:1;) alert tcp $HOME_NET any -> [43.130.69.135] 18083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632310; rev:1;) alert tcp $HOME_NET any -> [43.136.130.177] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1632311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632311; rev:1;) alert tcp $HOME_NET any -> [43.136.42.5] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632312; rev:1;) alert tcp $HOME_NET any -> [43.136.58.181] 9090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632313; rev:1;) alert tcp $HOME_NET any -> [43.137.17.160] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632314; rev:1;) alert tcp $HOME_NET any -> [43.137.2.72] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632315; rev:1;) alert tcp $HOME_NET any -> [38.54.82.222] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632296; rev:1;) alert tcp $HOME_NET any -> [38.55.194.74] 10004 (msg:"ThreatFox VShell botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632297; rev:1;) alert tcp $HOME_NET any -> [38.60.200.217] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632298; rev:1;) alert tcp $HOME_NET any -> [38.60.200.217] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632299; rev:1;) alert tcp $HOME_NET any -> [39.105.201.242] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632300; rev:1;) alert tcp $HOME_NET any -> [39.105.201.242] 9999 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632301; rev:1;) alert tcp $HOME_NET any -> [39.106.253.209] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632302; rev:1;) alert tcp $HOME_NET any -> [39.107.90.187] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632303; rev:1;) alert tcp $HOME_NET any -> [39.96.125.213] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632304; rev:1;) alert tcp $HOME_NET any -> [42.192.203.122] 10010 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632305; rev:1;) alert tcp $HOME_NET any -> [38.45.124.197] 8174 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632287; rev:1;) alert tcp $HOME_NET any -> [38.45.124.197] 8414 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632288; rev:1;) alert tcp $HOME_NET any -> [38.45.124.198] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1632289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632289; rev:1;) alert tcp $HOME_NET any -> [38.45.124.198] 8174 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632290; rev:1;) alert tcp $HOME_NET any -> [38.45.124.198] 8414 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632291; rev:1;) alert tcp $HOME_NET any -> [38.47.102.195] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632292; rev:1;) alert tcp $HOME_NET any -> [38.54.115.111] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632293; rev:1;) alert tcp $HOME_NET any -> [38.54.13.44] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632294; rev:1;) alert tcp $HOME_NET any -> [38.54.16.76] 443 (msg:"ThreatFox VShell botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632295; rev:1;) alert tcp $HOME_NET any -> [38.45.124.194] 8414 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632279; rev:1;) alert tcp $HOME_NET any -> [38.45.124.195] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632280; rev:1;) alert tcp $HOME_NET any -> [38.45.124.195] 8174 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632281; rev:1;) alert tcp $HOME_NET any -> [38.45.124.195] 8414 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632282; rev:1;) alert tcp $HOME_NET any -> [38.45.124.196] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632283; rev:1;) alert tcp $HOME_NET any -> [38.45.124.196] 8174 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632284; rev:1;) alert tcp $HOME_NET any -> [38.45.124.196] 8414 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632285; rev:1;) alert tcp $HOME_NET any -> [38.45.124.197] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632286; rev:1;) alert tcp $HOME_NET any -> [38.147.173.88] 6868 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632269; rev:1;) alert tcp $HOME_NET any -> [38.147.190.239] 8081 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632270; rev:1;) alert tcp $HOME_NET any -> [38.165.22.110] 14443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1632271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632271; rev:1;) alert tcp $HOME_NET any -> [38.181.219.116] 54412 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632272; rev:1;) alert tcp $HOME_NET any -> [38.207.178.19] 18082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632273; rev:1;) alert tcp $HOME_NET any -> [38.207.178.44] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632274; rev:1;) alert tcp $HOME_NET any -> [38.38.251.151] 39001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632275; rev:1;) alert tcp $HOME_NET any -> [38.38.251.244] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632276; rev:1;) alert tcp $HOME_NET any -> [38.45.124.194] 8084 (msg:"ThreatFox VShell 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632277; rev:1;) alert tcp $HOME_NET any -> [38.45.124.194] 8174 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632278; rev:1;) alert tcp $HOME_NET any -> [23.94.99.229] 40003 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632260; rev:1;) alert tcp $HOME_NET any -> [23.95.107.162] 55555 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632261; rev:1;) alert tcp $HOME_NET any -> [23.95.193.221] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632262; rev:1;) alert tcp $HOME_NET any -> [23.95.193.221] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632263; rev:1;)
# Review note: the destination ports in the entries below include ones
# conventionally used by other services (11211, 5432 and 88, as well as 80 and 443).
# These rules match on address and port only and do not inspect the payload, so the
# port number says nothing about the protocol actually spoken, and an egress policy
# that permits these ports by number will not stop the connection. Confirm with
# flow or application-layer logs rather than from the port alone.
alert tcp $HOME_NET any -> [23.95.229.128] 11211 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632264; rev:1;)
alert tcp $HOME_NET any -> [23.95.229.128] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632265; rev:1;)
alert tcp $HOME_NET any -> [27.102.130.132] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632266; rev:1;)
alert tcp $HOME_NET any -> [27.124.40.170] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632267; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.129] 5432 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632268; rev:1;)
alert tcp $HOME_NET any -> [212.232.23.231] 88 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1632251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632251; rev:1;) alert tcp $HOME_NET any -> [212.64.26.62] 38084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632252; rev:1;) alert tcp $HOME_NET any -> [223.254.128.15] 4433 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632253; rev:1;) alert tcp $HOME_NET any -> [223.254.128.15] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632254; rev:1;) alert tcp $HOME_NET any -> [23.105.211.168] 2443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632255; rev:1;) alert tcp $HOME_NET any -> [23.94.137.134] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632256; rev:1;) alert tcp $HOME_NET any -> [23.94.66.124] 8080 (msg:"ThreatFox VShell botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632257; rev:1;) alert tcp $HOME_NET any -> [23.94.70.197] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632258; rev:1;) alert tcp $HOME_NET any -> [23.94.99.229] 40002 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632259; rev:1;) alert tcp $HOME_NET any -> [208.87.204.58] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632240; rev:1;) alert tcp $HOME_NET any -> [208.87.204.59] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632241; rev:1;) alert tcp $HOME_NET any -> [208.87.204.59] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91632242; rev:1;)
# Review note: the 208.87.204.x entries in this part of the feed (.48 through .62
# are visible here) are each listed on the same two ports, 28576 and 60578. Every
# address/port pair is its own sid with its own per-source threshold, so when one
# fires, search flow logs for the same internal host contacting the neighbouring
# addresses on either port.
alert tcp $HOME_NET any -> [208.87.204.60] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632243; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.60] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632244; rev:1;)
# Review note - domain rule: depth:20 equals the length of the content string and
# isdataat:!1,relative requires that no byte follows the match, so together they pin
# the dns_query buffer to exactly this name (case-insensitively, via nocase).
# Queries for subdomains of it do not match; cover those from DNS logs or a separate
# rule if they matter. Unlike the ip:port rules around it, this rule has no
# threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"parserapiprocess.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1632245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632245; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.61] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632246; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.61] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632247; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.62] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632248; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox VShell botnet C2 indicators (ip:port), all first_seen 2025_11_03.
# Layout restored to one rule per line; the fragments on the first and last
# lines of this span belong to rules that continue outside it.
#
# Match:     any TCP packet from $HOME_NET to the listed destination address
#            and port. No flow, flags or content keyword is present, so an
#            alert shows traffic towards the endpoint, not a confirmed VShell
#            session - corroborate with flow/session logs before escalating.
# threshold: type limit, track by_src, seconds 60, count 1 - at most one
#            alert per source address per rule in a 60-second window.
# target:    src_ip - the $HOME_NET source is reported as the target
#            (affected host) in the alert event.
# sid:       "9" followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): ip:port indicators go stale when hosting is reassigned;
# confirm the referenced ThreatFox entry is still current before using these
# rules for blocking rather than alerting.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [208.87.204.62] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632249; rev:1;)
alert tcp $HOME_NET any -> [212.232.23.231] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632250; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.53] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632230; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.54] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632231; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.54] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632232; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.55] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632233; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.55] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632234; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.56] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632235; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.56] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632236; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.57] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632237; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.57] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632238; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.58] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632239; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.48] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632219; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.48] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632220; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.49] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632221; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.49] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632222; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.50] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632223; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.50] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632224; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.51] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632225; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.51] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632226; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.52] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632227; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.52] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632228; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.53] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632229; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.43] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632209; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.43] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632210; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.44] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632211; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.44] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632212; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.45] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632213; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.45] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632214; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.46] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632215; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.46] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632216; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.47] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632217; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.47] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632218; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.38] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632198; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.39] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632199; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.39] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632200; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.3] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632201; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.3] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632202; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.40] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632203; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.40] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632204; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.41] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632205; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.41] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632206; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.42] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632207; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.42] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632208; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.34] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632189; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.34] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632190; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.35] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632191; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.35] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632192; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.36] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632193; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.36] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632194; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.37] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632195; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.37] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632196; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.38] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632197; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.29] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632178; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.2] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632179; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.2] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632180; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.30] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632181; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.30] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632182; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.31] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632183; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.31] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632184; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.32] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632185; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.32] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632186; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.33] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632187; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.33] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632188; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.24] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632168; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.25] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632169; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.25] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632170; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.26] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632171; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.26] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632172; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.27] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632173; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.27] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632174; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.28] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632175; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.28] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632176; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.29] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632177; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.1] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632157; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.1] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632158; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.20] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632159; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.20] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632160; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.21] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632161; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.21] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632162; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.22] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632163; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.22] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632164; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.23] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632165; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.23] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632166; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.24] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632167; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.15] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632147; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.15] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632148; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.16] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632149; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.16] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632150; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.17] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632151; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.17] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632152; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.18] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632153; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.18] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632154; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.19] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632155; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.19] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632156; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.62] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632136; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.10] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632137; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.10] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632138; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.11] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632139; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.11] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632140; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.12] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632141; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.12] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632142; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.13] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632143; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.13] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632144; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.14] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632145; rev:1;)
alert tcp $HOME_NET any -> [208.87.204.14] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632146; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.57] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632126; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.58] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632127; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.58] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632128; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.59] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632129; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.59] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632130; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.60] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632131; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.60] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632132; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.61] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632133; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.61] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632134; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.62] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632135; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.52] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632115; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.52] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632116; rev:1;)
alert tcp $HOME_NET any -> [208.87.203.53] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632117; rev:1;) alert tcp $HOME_NET any -> [208.87.203.53] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632118; rev:1;) alert tcp $HOME_NET any -> [208.87.203.54] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632119; rev:1;) alert tcp $HOME_NET any -> [208.87.203.54] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632120; rev:1;) alert tcp $HOME_NET any -> [208.87.203.55] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632121; rev:1;) alert tcp $HOME_NET any -> [208.87.203.55] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632122; rev:1;) alert tcp $HOME_NET any -> [208.87.203.56] 28576 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632123; rev:1;) alert tcp $HOME_NET any -> [208.87.203.56] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632124; rev:1;) alert tcp $HOME_NET any -> [208.87.203.57] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632125; rev:1;) alert tcp $HOME_NET any -> [208.87.203.47] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632105; rev:1;) alert tcp $HOME_NET any -> [208.87.203.47] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632106; rev:1;) alert tcp $HOME_NET any -> [208.87.203.48] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632107/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632107; rev:1;) alert tcp $HOME_NET any -> [208.87.203.48] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632108; rev:1;) alert tcp $HOME_NET any -> [208.87.203.49] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632109; rev:1;) alert tcp $HOME_NET any -> [208.87.203.49] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632110; rev:1;) alert tcp $HOME_NET any -> [208.87.203.50] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632111; rev:1;) alert tcp $HOME_NET any -> [208.87.203.50] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632112; rev:1;) alert tcp $HOME_NET any -> [208.87.203.51] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632113; rev:1;) alert tcp $HOME_NET any -> [208.87.203.51] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632114; rev:1;) alert tcp $HOME_NET any -> [208.87.203.41] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632094; rev:1;) alert tcp $HOME_NET any -> [208.87.203.42] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632095; rev:1;) alert tcp $HOME_NET any -> [208.87.203.42] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632096; rev:1;) alert tcp $HOME_NET any -> [208.87.203.43] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632097; rev:1;) alert tcp $HOME_NET any -> [208.87.203.43] 60578 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632098; rev:1;) alert tcp $HOME_NET any -> [208.87.203.44] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632099; rev:1;) alert tcp $HOME_NET any -> [208.87.203.44] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632100; rev:1;) alert tcp $HOME_NET any -> [208.87.203.45] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632101; rev:1;) alert tcp $HOME_NET any -> [208.87.203.45] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632102; rev:1;) alert tcp $HOME_NET any -> [208.87.203.46] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632103/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632103; rev:1;) alert tcp $HOME_NET any -> [208.87.203.46] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632104; rev:1;) alert tcp $HOME_NET any -> [208.87.203.36] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632084; rev:1;) alert tcp $HOME_NET any -> [208.87.203.37] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632085; rev:1;) alert tcp $HOME_NET any -> [208.87.203.37] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632086; rev:1;) alert tcp $HOME_NET any -> [208.87.203.38] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632087; rev:1;) alert tcp $HOME_NET any -> [208.87.203.38] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632088; rev:1;) alert tcp $HOME_NET any -> [208.87.203.39] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632089; rev:1;) alert tcp $HOME_NET any -> [208.87.203.39] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632090; rev:1;) alert tcp $HOME_NET any -> [208.87.203.40] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632091; rev:1;) alert tcp $HOME_NET any -> [208.87.203.40] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632092; rev:1;) alert tcp $HOME_NET any -> [208.87.203.41] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632093; rev:1;) alert tcp $HOME_NET any -> [208.87.203.31] 28576 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632073; rev:1;) alert tcp $HOME_NET any -> [208.87.203.31] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632074; rev:1;) alert tcp $HOME_NET any -> [208.87.203.32] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632075; rev:1;) alert tcp $HOME_NET any -> [208.87.203.32] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632076; rev:1;) alert tcp $HOME_NET any -> [208.87.203.33] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632077; rev:1;) alert tcp $HOME_NET any -> [208.87.203.33] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632078/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632078; rev:1;) alert tcp $HOME_NET any -> [208.87.203.34] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632079; rev:1;) alert tcp $HOME_NET any -> [208.87.203.34] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632080; rev:1;) alert tcp $HOME_NET any -> [208.87.203.35] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632081; rev:1;) alert tcp $HOME_NET any -> [208.87.203.35] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632082; rev:1;) alert tcp $HOME_NET any -> [208.87.203.36] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632083; rev:1;) alert tcp $HOME_NET any -> [208.87.203.26] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632063; rev:1;) alert tcp $HOME_NET any -> [208.87.203.26] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632064; rev:1;) alert tcp $HOME_NET any -> [208.87.203.27] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632065; rev:1;) alert tcp $HOME_NET any -> [208.87.203.27] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632066; rev:1;) alert tcp $HOME_NET any -> [208.87.203.28] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632067; rev:1;) alert tcp $HOME_NET any -> [208.87.203.28] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632068; rev:1;) alert tcp $HOME_NET any -> [208.87.203.29] 28576 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632069; rev:1;) alert tcp $HOME_NET any -> [208.87.203.29] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632070; rev:1;) alert tcp $HOME_NET any -> [208.87.203.30] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632071; rev:1;) alert tcp $HOME_NET any -> [208.87.203.30] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632072; rev:1;) alert tcp $HOME_NET any -> [208.87.203.21] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632053; rev:1;) alert tcp $HOME_NET any -> [208.87.203.21] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632054/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632054; rev:1;) alert tcp $HOME_NET any -> [208.87.203.22] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632055; rev:1;) alert tcp $HOME_NET any -> [208.87.203.22] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632056; rev:1;) alert tcp $HOME_NET any -> [208.87.203.23] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632057; rev:1;) alert tcp $HOME_NET any -> [208.87.203.23] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632058; rev:1;) alert tcp $HOME_NET any -> [208.87.203.24] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632059; rev:1;) alert tcp $HOME_NET any -> [208.87.203.24] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632060; rev:1;) alert tcp $HOME_NET any -> [208.87.203.25] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632061; rev:1;) alert tcp $HOME_NET any -> [208.87.203.25] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632062; rev:1;) alert tcp $HOME_NET any -> [208.87.203.15] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632041; rev:1;) alert tcp $HOME_NET any -> [208.87.203.15] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632042; rev:1;) alert tcp $HOME_NET any -> [208.87.203.16] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632043; rev:1;) alert tcp $HOME_NET any -> [208.87.203.16] 60578 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632044; rev:1;) alert tcp $HOME_NET any -> [208.87.203.17] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632045; rev:1;) alert tcp $HOME_NET any -> [208.87.203.17] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632046; rev:1;) alert tcp $HOME_NET any -> [208.87.203.18] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632047; rev:1;) alert tcp $HOME_NET any -> [208.87.203.18] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632048; rev:1;) alert tcp $HOME_NET any -> [208.87.203.19] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632049/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632049; rev:1;) alert tcp $HOME_NET any -> [208.87.203.19] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632050; rev:1;) alert tcp $HOME_NET any -> [208.87.203.20] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632051; rev:1;) alert tcp $HOME_NET any -> [208.87.203.20] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632052; rev:1;) alert tcp $HOME_NET any -> [208.87.201.17] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632030; rev:1;) alert tcp $HOME_NET any -> [208.87.203.10] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632031; rev:1;) alert tcp $HOME_NET any -> [208.87.203.10] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632032; rev:1;) alert tcp $HOME_NET any -> [208.87.203.11] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632033; rev:1;) alert tcp $HOME_NET any -> [208.87.203.11] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632034; rev:1;) alert tcp $HOME_NET any -> [208.87.203.12] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632035; rev:1;) alert tcp $HOME_NET any -> [208.87.203.12] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632036; rev:1;) alert tcp $HOME_NET any -> [208.87.203.13] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632037; rev:1;) alert tcp $HOME_NET any -> [208.87.203.13] 60578 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632038; rev:1;) alert tcp $HOME_NET any -> [208.87.203.14] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632039; rev:1;) alert tcp $HOME_NET any -> [208.87.203.14] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632040; rev:1;) alert tcp $HOME_NET any -> [206.206.76.110] 2082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632020; rev:1;) alert tcp $HOME_NET any -> [206.206.76.110] 2086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632021; rev:1;) alert tcp $HOME_NET any -> [206.206.76.110] 2095 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632022/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632022; rev:1;) alert tcp $HOME_NET any -> [207.148.72.117] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632023; rev:1;) alert tcp $HOME_NET any -> [207.148.72.117] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632024; rev:1;) alert tcp $HOME_NET any -> [207.246.82.44] 56358 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632025; rev:1;) alert tcp $HOME_NET any -> [207.246.82.44] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632026; rev:1;) alert tcp $HOME_NET any -> [208.73.204.38] 2086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632027; rev:1;) alert tcp $HOME_NET any -> [208.73.204.38] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1632028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632028; rev:1;) alert tcp $HOME_NET any -> [208.73.204.38] 8880 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632029; rev:1;) alert tcp $HOME_NET any -> [202.179.155.59] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632010; rev:1;) alert tcp $HOME_NET any -> [204.152.192.54] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632011; rev:1;) alert tcp $HOME_NET any -> [204.9.187.115] 83 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632012; rev:1;) alert tcp $HOME_NET any -> [206.119.175.148] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632013; rev:1;) alert tcp $HOME_NET any -> [206.119.190.78] 28576 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632014; rev:1;) alert tcp $HOME_NET any -> [206.119.190.78] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632015; rev:1;) alert tcp $HOME_NET any -> [206.188.196.221] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632016; rev:1;) alert tcp $HOME_NET any -> [206.188.196.221] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632017; rev:1;) alert tcp $HOME_NET any -> [206.190.233.182] 18082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632018; rev:1;) alert tcp $HOME_NET any -> [206.206.76.110] 2052 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632019/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91632019; rev:1;) alert tcp $HOME_NET any -> [192.3.249.105] 8081 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632001; rev:1;) alert tcp $HOME_NET any -> [193.3.168.201] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632002; rev:1;) alert tcp $HOME_NET any -> [193.3.168.201] 9443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632003; rev:1;) alert tcp $HOME_NET any -> [193.42.25.64] 58084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632004; rev:1;) alert tcp $HOME_NET any -> [198.12.73.140] 19003 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632005; rev:1;) alert tcp $HOME_NET any -> [198.252.107.249] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1632006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632006; rev:1;) alert tcp $HOME_NET any -> [198.98.54.209] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632007; rev:1;) alert tcp $HOME_NET any -> [2.59.219.43] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632008; rev:1;) alert tcp $HOME_NET any -> [20.255.96.154] 28080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632009; rev:1;) alert tcp $HOME_NET any -> [185.196.10.130] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631992; rev:1;) alert tcp $HOME_NET any -> [185.74.222.206] 20001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631993; rev:1;) alert tcp $HOME_NET any -> [188.166.210.146] 8080 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631994; rev:1;) alert tcp $HOME_NET any -> [192.131.142.174] 30 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631995; rev:1;) alert tcp $HOME_NET any -> [192.144.185.134] 8082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631996; rev:1;) alert tcp $HOME_NET any -> [192.227.167.156] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631997; rev:1;) alert tcp $HOME_NET any -> [192.238.133.156] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631998; rev:1;) alert tcp $HOME_NET any -> [192.252.179.18] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631999/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91631999; rev:1;) alert tcp $HOME_NET any -> [192.252.179.60] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1632000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91632000; rev:1;) alert tcp $HOME_NET any -> [172.245.59.249] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631984; rev:1;) alert tcp $HOME_NET any -> [172.247.244.46] 52514 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631985; rev:1;) alert tcp $HOME_NET any -> [175.24.205.160] 28089 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631986; rev:1;) alert tcp $HOME_NET any -> [18.143.149.105] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631987; rev:1;) alert tcp $HOME_NET any -> [18.143.149.105] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1631988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631988; rev:1;) alert tcp $HOME_NET any -> [18.163.126.218] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631989; rev:1;) alert tcp $HOME_NET any -> [18.163.126.218] 9000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631990; rev:1;) alert tcp $HOME_NET any -> [180.76.248.85] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631991; rev:1;) alert tcp $HOME_NET any -> [157.230.34.45] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631974; rev:1;) alert tcp $HOME_NET any -> [157.230.34.45] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631975; rev:1;) alert tcp $HOME_NET any -> [158.247.237.190] 8084 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631976; rev:1;) alert tcp $HOME_NET any -> [158.247.237.190] 8880 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631977; rev:1;) alert tcp $HOME_NET any -> [159.75.211.175] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631978; rev:1;) alert tcp $HOME_NET any -> [16.162.137.95] 8000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631979; rev:1;) alert tcp $HOME_NET any -> [16.163.147.182] 5672 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631980; rev:1;) alert tcp $HOME_NET any -> [160.202.230.113] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631981/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91631981; rev:1;) alert tcp $HOME_NET any -> [166.88.61.58] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631982; rev:1;) alert tcp $HOME_NET any -> [172.245.126.122] 2082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631983; rev:1;) alert tcp $HOME_NET any -> [154.37.155.101] 61252 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631965; rev:1;) alert tcp $HOME_NET any -> [154.37.155.101] 8090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631966; rev:1;) alert tcp $HOME_NET any -> [154.86.22.112] 16388 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631967; rev:1;) alert tcp $HOME_NET any -> [154.86.22.189] 16388 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631968; rev:1;) alert tcp $HOME_NET any -> [154.86.22.47] 16388 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631969; rev:1;) alert tcp $HOME_NET any -> [155.94.157.212] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631970; rev:1;) alert tcp $HOME_NET any -> [155.94.170.238] 50001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631971; rev:1;) alert tcp $HOME_NET any -> [156.234.201.70] 54321 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631972; rev:1;) alert tcp $HOME_NET any -> [156.247.40.80] 8023 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631973; rev:1;) alert tcp $HOME_NET any -> [154.198.53.145] 8084 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631956; rev:1;) alert tcp $HOME_NET any -> [154.198.53.145] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631957; rev:1;) alert tcp $HOME_NET any -> [154.198.53.154] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631958; rev:1;) alert tcp $HOME_NET any -> [154.198.53.176] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631959; rev:1;) alert tcp $HOME_NET any -> [154.212.113.32] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631960; rev:1;) alert tcp $HOME_NET any -> [154.212.113.32] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631961/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91631961; rev:1;) alert tcp $HOME_NET any -> [154.212.113.33] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631962; rev:1;) alert tcp $HOME_NET any -> [154.222.24.78] 9001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631963; rev:1;) alert tcp $HOME_NET any -> [154.223.16.184] 4388 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631964; rev:1;) alert tcp $HOME_NET any -> [149.30.248.8] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631945; rev:1;) alert tcp $HOME_NET any -> [149.30.248.9] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631946; rev:1;) alert tcp $HOME_NET any -> [149.30.248.9] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1631947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631947; rev:1;)
# NOTE(review): the rule fragment above starts on the preceding line of this listing, and the
# final rule of this part continues on the following line; both fragments are kept as found.
#
# ThreatFox "VShell botnet C2 traffic" indicators (ip:port).
# Each rule below alerts on TCP traffic from $HOME_NET to one listed address and port.
# The only match criteria are protocol tcp, source $HOME_NET and the destination address and
# port; no option inspects flow state or payload. An alert therefore shows that a host sent
# traffic to that endpoint, not that VShell traffic was identified. Corroborate with host or
# proxy telemetry before treating the source as compromised.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per source
# address per rule in each 60-second window; repeated connections inside the window are not
# logged separately.
# target:src_ip marks the $HOME_NET source address as the target in the event record.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# metadata first_seen is 2025_11_03 for every rule here (presumably the date the indicator was
# first reported to ThreatFox; IP indicators can go stale, so check the reference URL).
alert tcp $HOME_NET any -> [150.136.112.184] 2095 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631948; rev:1;)
alert tcp $HOME_NET any -> [150.158.172.49] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631949; rev:1;)
alert tcp $HOME_NET any -> [151.106.112.208] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631950; rev:1;)
alert tcp $HOME_NET any -> [151.106.112.208] 8086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631951; rev:1;)
alert tcp $HOME_NET any -> [152.136.137.115] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631952; rev:1;)
alert tcp $HOME_NET any -> [152.53.197.247] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631953; rev:1;)
alert tcp $HOME_NET any -> [152.53.197.247] 8081 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631954; rev:1;)
alert tcp $HOME_NET any -> [152.53.197.247] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631955; rev:1;)
# 149.30.248.0/24 entries: every address in this run is paired with ports 28576 and/or 60578.
# The entries are not in numeric order, and some ip:port pairs (for example 149.30.248.8 port
# 60578) do not appear in this part of the listing; they may be elsewhere in the file.
# NOTE(review): each rule maps to one ThreatFox reference and sid. Collapsing the run into a
# single address-range rule would lose that mapping and would also cover addresses that are
# not listed here.
alert tcp $HOME_NET any -> [149.30.248.60] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631934; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.60] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631935; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.61] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631936; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.61] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631937; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.62] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631938; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.62] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631939; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.6] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631940; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.6] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631941; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.7] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631942; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.7] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631943; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.8] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631944; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.55] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631923; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.56] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631924; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.56] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631925; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.57] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631926; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.57] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631927; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.58] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631928; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.58] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631929; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.59] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631930; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.59] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631931; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.5] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631932; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.5] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631933; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.50] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631913; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.51] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631914; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.51] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631915; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.52] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631916; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.52] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631917; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.53] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631918; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.53] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631919; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.54] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631920; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.54] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631921; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.55] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631922; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.45] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631903; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.46] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631904; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.46] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631905; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.47] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631906; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.47] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631907; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.48] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631908; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.48] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631909; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.49] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631910; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.49] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631911; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.50] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631912; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.40] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631893; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.41] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631894; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.41] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631895; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.42] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631896; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.42] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631897; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.43] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631898; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.43] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631899; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.44] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631900; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.44] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631901; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.45] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631902; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.36] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631882; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.36] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631883; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.37] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631884; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.37] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631885; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.38] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631886; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.38] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631887; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.39] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631888; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.39] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631889; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.3] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631890; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.3] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631891; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.40] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631892; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.31] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631872; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.31] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631873; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.32] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631874; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.32] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631875; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.33] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631876; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.33] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631877; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.34] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631878; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.34] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631879; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.35] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631880; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.35] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631881; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.26] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631861; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.27] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631862; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.27] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631863; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.28] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631864; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.28] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631865; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.29] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631866; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.29] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631867; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.2] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631868; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.2] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631869; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.30] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631870; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.30] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631871; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.20] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631849; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.21] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631850; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.21] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631851; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.22] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631852; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.22] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631853; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.23] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631854; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.23] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631855; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.24] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631856; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.24] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631857; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.25] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631858; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.25] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631859; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.26] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631860; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.16] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631839; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.17] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631840; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.17] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631841; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.18] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631842; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.18] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631843; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.19] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631844; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.19] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631845; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.1] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631846; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.1] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631847/; target:src_ip; metadata: confidence_level 100, first_seen
2025_11_03; classtype:trojan-activity; sid:91631847; rev:1;) alert tcp $HOME_NET any -> [149.30.248.20] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631848; rev:1;) alert tcp $HOME_NET any -> [149.30.248.11] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631828; rev:1;) alert tcp $HOME_NET any -> [149.30.248.11] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631829; rev:1;) alert tcp $HOME_NET any -> [149.30.248.12] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631830; rev:1;) alert tcp $HOME_NET any -> [149.30.248.12] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631831; rev:1;) alert tcp $HOME_NET any -> [149.30.248.13] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1631832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631832; rev:1;) alert tcp $HOME_NET any -> [149.30.248.13] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631833; rev:1;) alert tcp $HOME_NET any -> [149.30.248.14] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631834; rev:1;) alert tcp $HOME_NET any -> [149.30.248.14] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631835; rev:1;) alert tcp $HOME_NET any -> [149.30.248.15] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631836; rev:1;) alert tcp $HOME_NET any -> [149.30.248.15] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631837; rev:1;) alert tcp $HOME_NET any -> [149.30.248.16] 28576 
(msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631838; rev:1;)
# ThreatFox VShell C2 indicators (ip:port), first_seen 2025_11_03, laid out one rule per line.
# Each rule matches TCP from $HOME_NET to one destination address and port, with no content or
# flow keywords, so the alert says only that the tuple was contacted.
# Two rules in this span use port 80 (139.129.192.65, 139.162.80.182); several addresses are
# listed on two ports, each under its own sid.
# threshold limits output to one alert per source address per rule per 60 seconds.
# NOTE(review): an address-only indicator keeps matching if the address is later reassigned;
# weigh hits against the first_seen date and the linked ThreatFox entry before escalating.
alert tcp $HOME_NET any -> [139.9.191.30] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631817; rev:1;)
alert tcp $HOME_NET any -> [14.103.136.198] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631818; rev:1;)
alert tcp $HOME_NET any -> [141.98.199.247] 2095 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631819; rev:1;)
alert tcp $HOME_NET any -> [142.171.114.190] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631820; rev:1;)
alert tcp $HOME_NET any -> [142.171.114.190] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631821; rev:1;)
alert tcp $HOME_NET any -> [142.171.20.222] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631822; rev:1;)
alert tcp $HOME_NET any -> [142.171.20.222] 8086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631823; rev:1;)
alert tcp $HOME_NET any -> [144.172.122.30] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631824; rev:1;)
alert tcp $HOME_NET any -> [149.30.242.73] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631825; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.10] 28576 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631826; rev:1;)
alert tcp $HOME_NET any -> [149.30.248.10] 60578 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631827; rev:1;)
alert tcp $HOME_NET any -> [132.145.54.83] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631808; rev:1;)
alert tcp $HOME_NET any -> [132.232.141.206] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631809; rev:1;)
alert tcp $HOME_NET any -> [132.232.141.206] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631810; rev:1;)
alert tcp $HOME_NET any -> [139.129.192.65] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631811; rev:1;)
alert tcp $HOME_NET any -> [139.159.138.64] 55883 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631812; rev:1;)
alert tcp $HOME_NET any -> [139.162.80.182] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631813; rev:1;)
alert tcp $HOME_NET any -> [139.180.209.17] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631814; rev:1;)
alert tcp $HOME_NET any -> [139.186.136.232] 4433 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631815; rev:1;)
alert tcp $HOME_NET any -> [139.196.76.92] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631816; rev:1;)
alert tcp $HOME_NET any -> [124.70.148.71] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631798; rev:1;)
alert tcp $HOME_NET any -> [124.70.151.248] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631799; rev:1;)
alert tcp $HOME_NET any -> [124.70.65.157] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631800; rev:1;)
alert tcp $HOME_NET any -> [129.211.13.156] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631801; rev:1;)
alert tcp $HOME_NET any -> [129.211.13.156] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631802; rev:1;)
alert tcp $HOME_NET any -> [129.226.209.21] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631803; rev:1;)
alert tcp $HOME_NET any -> [129.226.209.21] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631804; rev:1;)
alert tcp $HOME_NET any -> [129.226.210.240] 23451 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631805; rev:1;)
# ThreatFox VShell C2 indicators (ip:port), first_seen 2025_11_03, laid out one rule per line.
# Matching is on destination address and port only; the rules inspect no payload.
# Ports in this span include 80, 443, 8080 and 3389 next to the more frequent 8084, so the
# port number by itself does not identify the protocol seen in a hit.
# target:src_ip marks the $HOME_NET endpoint as the target in the alert record.
# threshold limits output to one alert per source address per rule per 60 seconds.
# NOTE(review): for the 80/443 entries, correlate with HTTP/TLS logs for the same flow before
# concluding the traffic was C2; the rule alone cannot distinguish it from other use of the address.
alert tcp $HOME_NET any -> [129.28.56.180] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631806; rev:1;)
alert tcp $HOME_NET any -> [13.229.231.0] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631807; rev:1;)
alert tcp $HOME_NET any -> [123.60.178.166] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631788; rev:1;)
alert tcp $HOME_NET any -> [123.60.214.58] 9001 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631789; rev:1;)
alert tcp $HOME_NET any -> [123.60.219.97] 5566 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631790; rev:1;)
alert tcp $HOME_NET any -> [124.220.16.198] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631791; rev:1;)
alert tcp $HOME_NET any -> [124.220.50.56] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631792; rev:1;)
alert tcp $HOME_NET any -> [124.220.80.206] 60626 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631793; rev:1;)
alert tcp $HOME_NET any -> [124.221.255.78] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631794; rev:1;)
alert tcp $HOME_NET any -> [124.221.32.87] 9090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631795; rev:1;)
alert tcp $HOME_NET any -> [124.222.74.146] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631796; rev:1;)
alert tcp $HOME_NET any -> [124.70.142.36] 8020 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631797; rev:1;)
alert tcp $HOME_NET any -> [122.10.5.218] 8003 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631778; rev:1;)
alert tcp $HOME_NET any -> [122.10.5.218] 8007 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631779; rev:1;)
alert tcp $HOME_NET any -> [123.206.229.121] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631780; rev:1;)
alert tcp $HOME_NET any -> [123.206.229.121] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631781; rev:1;)
alert tcp $HOME_NET any -> [123.249.127.133] 8082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631782; rev:1;)
alert tcp $HOME_NET any -> [123.249.17.235] 11000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631783; rev:1;)
alert tcp $HOME_NET any -> [123.56.102.177] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631784; rev:1;)
alert tcp $HOME_NET any -> [123.57.79.94] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631785; rev:1;)
alert tcp $HOME_NET any -> [123.60.145.2] 5555 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631786; rev:1;)
alert tcp $HOME_NET any -> [123.60.177.229] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631787; rev:1;)
alert tcp $HOME_NET any -> [120.48.21.184] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631769; rev:1;)
alert tcp $HOME_NET any -> [120.55.84.149] 8082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631770; rev:1;)
alert tcp $HOME_NET any -> [120.78.127.57] 10443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631771; rev:1;)
alert tcp $HOME_NET any -> [120.79.87.224] 3389 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631772; rev:1;)
alert tcp $HOME_NET any -> [121.196.245.40] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631773; rev:1;)
alert tcp $HOME_NET any -> [121.196.245.40] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91631774; rev:1;)
# ThreatFox VShell C2 indicators (ip:port), first_seen 2025_11_03, laid out one rule per line.
# Each rule alerts on TCP from $HOME_NET to a single destination address and port; there are no
# content or flow keywords, so nothing in the rule confirms the VShell protocol itself.
# 119.45.23.116 is listed on three ports (4433, 80, 8084) and 117.72.175.125 on two (443, 8443),
# each under its own sid; the sid is the ThreatFox IOC id from the reference URL prefixed with 9.
# threshold limits output to one alert per source address per rule per 60 seconds.
# NOTE(review): because the limit is per rule, one host contacting several ports of the same
# address presumably raises one alert per sid; group by destination address when triaging.
alert tcp $HOME_NET any -> [121.37.160.115] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631775; rev:1;)
alert tcp $HOME_NET any -> [121.41.1.158] 60086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631776; rev:1;)
alert tcp $HOME_NET any -> [121.41.131.112] 58084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631777; rev:1;)
alert tcp $HOME_NET any -> [118.31.165.46] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631760; rev:1;)
alert tcp $HOME_NET any -> [118.89.104.195] 28082 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631761; rev:1;)
alert tcp $HOME_NET any -> [118.89.173.244] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631762; rev:1;)
alert tcp $HOME_NET any -> [118.89.173.244] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631763; rev:1;)
alert tcp $HOME_NET any -> [118.89.88.183] 58084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631764; rev:1;)
alert tcp $HOME_NET any -> [119.45.160.160] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631765; rev:1;)
alert tcp $HOME_NET any -> [119.45.23.116] 4433 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631766; rev:1;)
alert tcp $HOME_NET any -> [119.45.23.116] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631767; rev:1;)
alert tcp $HOME_NET any -> [119.45.23.116] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631768; rev:1;)
alert tcp $HOME_NET any -> [117.50.21.64] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631749; rev:1;)
alert tcp $HOME_NET any -> [117.72.148.131] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631750; rev:1;)
alert tcp $HOME_NET any -> [117.72.159.96] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631751; rev:1;)
alert tcp $HOME_NET any -> [117.72.170.55] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631752; rev:1;)
alert tcp $HOME_NET any -> [117.72.175.125] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631753; rev:1;)
alert tcp $HOME_NET any -> [117.72.175.125] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631754; rev:1;)
alert tcp $HOME_NET any -> [117.72.210.195] 10002 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631755; rev:1;)
alert tcp $HOME_NET any -> [118.107.21.101] 9999 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631756; rev:1;)
alert tcp $HOME_NET any -> [118.24.46.114] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631757; rev:1;)
alert tcp $HOME_NET any -> [118.25.192.79] 16379 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631758; rev:1;)
alert tcp $HOME_NET any -> [118.25.26.93] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631759; rev:1;)
alert tcp $HOME_NET any -> [113.45.236.40] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631737; rev:1;)
alert tcp $HOME_NET any -> [114.132.125.10] 12345 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631738; rev:1;)
alert tcp $HOME_NET any -> [114.132.178.196] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631739; rev:1;)
alert tcp $HOME_NET any -> [114.132.192.25] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631740; rev:1;)
alert tcp $HOME_NET any -> [114.67.202.90] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631741; rev:1;)
alert tcp $HOME_NET any -> [115.120.214.145] 8084 (msg:"ThreatFox VShell 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631742; rev:1;) alert tcp $HOME_NET any -> [115.159.103.198] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631743; rev:1;) alert tcp $HOME_NET any -> [115.175.28.107] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631744; rev:1;) alert tcp $HOME_NET any -> [115.190.147.158] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631745; rev:1;) alert tcp $HOME_NET any -> [115.190.147.158] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631746; rev:1;) alert tcp $HOME_NET any -> [115.190.178.137] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91631747; rev:1;) alert tcp $HOME_NET any -> [116.62.247.150] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631748; rev:1;) alert tcp $HOME_NET any -> [113.44.136.127] 8848 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631727; rev:1;) alert tcp $HOME_NET any -> [113.44.37.24] 8090 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631728; rev:1;) alert tcp $HOME_NET any -> [113.44.89.84] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631729; rev:1;) alert tcp $HOME_NET any -> [113.44.90.0] 23333 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631730; rev:1;) alert tcp $HOME_NET any -> [113.44.90.0] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1631731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631731; rev:1;) alert tcp $HOME_NET any -> [113.45.185.225] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631732; rev:1;) alert tcp $HOME_NET any -> [113.45.196.228] 222 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631733; rev:1;) alert tcp $HOME_NET any -> [113.45.206.160] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631734; rev:1;) alert tcp $HOME_NET any -> [113.45.227.85] 8848 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631735; rev:1;) alert tcp $HOME_NET any -> [113.45.236.40] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631736; rev:1;) alert tcp $HOME_NET any -> [110.40.157.86] 8088 (msg:"ThreatFox VShell botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631717; rev:1;) alert tcp $HOME_NET any -> [110.40.167.191] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631718; rev:1;) alert tcp $HOME_NET any -> [110.40.167.191] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631719; rev:1;) alert tcp $HOME_NET any -> [110.40.176.194] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631720; rev:1;) alert tcp $HOME_NET any -> [110.41.87.119] 18085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631721; rev:1;) alert tcp $HOME_NET any -> [111.229.217.32] 10000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91631722; rev:1;) alert tcp $HOME_NET any -> [111.231.11.61] 10011 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631723; rev:1;) alert tcp $HOME_NET any -> [111.231.59.28] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631724; rev:1;) alert tcp $HOME_NET any -> [112.125.88.176] 12345 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631725; rev:1;) alert tcp $HOME_NET any -> [113.44.136.127] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631726; rev:1;) alert tcp $HOME_NET any -> [106.52.188.212] 81 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631707; rev:1;) alert tcp $HOME_NET any -> [106.75.141.4] 1311 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1631708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631708; rev:1;)
# ThreatFox ip:port indicators whose msg names the family "VShell".
# These rules match on protocol, destination address and destination port only;
# with no flow: or content: keyword, an unanswered or blocked connection
# attempt should be expected to alert as well (verify on your sensor).
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per rule per 60 s - use flow records, not alert
# counts, to judge how long or how often a host talked to the address.
# Several addresses appear with more than one port (one rule per ip:port pair),
# so a single host may raise several sids for the same destination.
# NOTE(review): indicators are dated first_seen 2025_11_03; re-check the
# referenced IOC page for current status before blocking on address alone.
alert tcp $HOME_NET any -> [106.75.141.4] 1322 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631709; rev:1;)
alert tcp $HOME_NET any -> [106.75.141.4] 2002 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631710; rev:1;)
alert tcp $HOME_NET any -> [107.148.239.243] 8089 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631711; rev:1;)
alert tcp $HOME_NET any -> [107.173.13.108] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631712; rev:1;)
alert tcp $HOME_NET any -> [107.173.71.25] 4433 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631713; rev:1;)
alert tcp $HOME_NET any -> [107.174.35.39] 18776 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631714; rev:1;)
alert tcp $HOME_NET any -> [107.175.62.11] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631715; rev:1;)
alert tcp $HOME_NET any -> [107.175.83.194] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631716; rev:1;)
alert tcp $HOME_NET any -> [103.159.206.136] 60024 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631698; rev:1;)
alert tcp $HOME_NET any -> [103.171.35.40] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631699; rev:1;)
alert tcp $HOME_NET any -> [103.42.214.19] 15667 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631700; rev:1;)
alert tcp $HOME_NET any -> [103.47.80.2] 18084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631701; rev:1;)
alert tcp $HOME_NET any -> [103.47.80.2] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631702; rev:1;)
alert tcp $HOME_NET any -> [104.168.95.4] 8888 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631703; rev:1;)
alert tcp $HOME_NET any -> [104.223.108.107] 46775 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631704; rev:1;)
alert tcp $HOME_NET any -> [104.223.25.217] 10000 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631705; rev:1;)
alert tcp $HOME_NET any -> [104.223.25.217] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631706; rev:1;)
alert tcp $HOME_NET any -> [101.43.26.13] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631688; rev:1;)
alert tcp $HOME_NET any -> [101.43.27.138] 1234 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631689; rev:1;)
alert tcp $HOME_NET any -> [102.134.35.184] 80 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631690; rev:1;)
alert tcp $HOME_NET any -> [103.100.61.249] 1922 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631691; rev:1;)
alert tcp $HOME_NET any -> [103.100.63.249] 1922 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631692; rev:1;)
alert tcp $HOME_NET any -> [103.144.29.232] 1922 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631693; rev:1;)
alert tcp $HOME_NET any -> [103.144.29.253] 1922 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631694; rev:1;)
alert tcp $HOME_NET any -> [103.149.93.106] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631695; rev:1;)
alert tcp $HOME_NET any -> [103.149.93.210] 8088 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631696; rev:1;)
alert tcp $HOME_NET any -> [103.159.206.136] 2086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631697; rev:1;)
alert tcp $HOME_NET any -> [101.126.54.210] 8086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631678; rev:1;)
alert tcp $HOME_NET any -> [101.132.34.211] 8083 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631679; rev:1;)
alert tcp $HOME_NET any -> [101.132.34.211] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631680; rev:1;)
alert tcp $HOME_NET any -> [101.33.196.11] 50002 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631681; rev:1;)
alert tcp $HOME_NET any -> [101.34.65.131] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631682; rev:1;)
alert tcp $HOME_NET any -> [101.34.71.169] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631683; rev:1;)
alert tcp $HOME_NET any -> [101.35.235.124] 8084 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631684; rev:1;)
alert tcp $HOME_NET any -> [101.36.108.230] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631685; rev:1;)
alert tcp $HOME_NET any -> [101.42.34.250] 8086 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631686; rev:1;)
alert tcp $HOME_NET any -> [101.43.136.183] 8013 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631687; rev:1;)
alert tcp $HOME_NET any -> [1.116.196.153] 9999 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631674; rev:1;)
alert tcp $HOME_NET any -> [1.13.91.59] 5432 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631675; rev:1;)
alert tcp $HOME_NET any -> [1.14.199.139] 8084 (msg:"ThreatFox VShell botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631676; rev:1;) alert tcp $HOME_NET any -> [1.94.166.13] 1234 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631677; rev:1;) alert tcp $HOME_NET any -> [124.156.143.183] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631673; rev:1;) alert tcp $HOME_NET any -> [124.156.143.183] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4s.71o9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631671; rev:1;) alert tcp $HOME_NET any -> [104.54.56.131] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631670/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_03; classtype:trojan-activity; sid:91631670; rev:1;) alert tcp $HOME_NET any -> [52.79.165.82] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631669; rev:1;) alert tcp $HOME_NET any -> [168.231.108.58] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631668; rev:1;) alert tcp $HOME_NET any -> [46.224.37.190] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631667; rev:1;) alert tcp $HOME_NET any -> [102.117.162.197] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3yln.4qo8.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631665; rev:1;) alert tcp $HOME_NET any -> [192.30.241.124] 24044 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agriifeed.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1mz.3u-6.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7g.yldv.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631661; rev:1;) alert tcp $HOME_NET any -> [1.13.160.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631645; rev:1;) alert tcp $HOME_NET any -> [115.175.29.42] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631647/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_03; classtype:trojan-activity; sid:91631647; rev:1;) alert tcp $HOME_NET any -> [213.111.148.80] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631648; rev:1;) alert tcp $HOME_NET any -> [1.52.157.76] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631649; rev:1;) alert tcp $HOME_NET any -> [91.92.240.188] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631650; rev:1;) alert tcp $HOME_NET any -> [13.234.18.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9k2.4qo8.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"6yi.ha0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631659; rev:1;)
# Payload-delivery domain IOCs. Each rule pins one full host name: depth equals
# the name length and isdataat:!1,relative forbids trailing bytes, so only a
# query for exactly that name matches.
# NOTE(review): several names in this feed share a parent zone (for example
# 4qo8.online and 3u-6.online appear more than once); a sibling host under the
# same zone is not covered unless it has its own entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9q3.3u-6.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qki.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l9.si9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6r0a.4qo8.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0.to1j.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631654/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631654; rev:1;)
# Payload-delivery domain IOCs, one exact host name per rule (depth = name
# length, isdataat:!1,relative = nothing after it, nocase = any letter case).
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j2vb.u4-r-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yw0.mjg1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e1tvd.4qo8.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ccd.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0df5.u4-r-o.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631643; rev:1;)
alert dns $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vdn.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631642; rev:1;)
# Payload-delivery domain IOCs. The rule direction is $HOME_NET -> $EXTERNAL_NET,
# so only queries leaving the monitored network are inspected, and
# target:src_ip marks the querying host as the one to investigate.
# NOTE(review): if clients use an internal resolver, the source seen on the
# wire may be that resolver rather than the infected host; verify sensor
# placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7x3.4qo8.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e0s.1r55.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2m9q.4qo8.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4hx.u4-r-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5nu.8786.ru"; depth:11;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631637; rev:1;)
# Payload-delivery domain IOCs: exact, case-insensitive match on the queried
# name. fast_pattern only selects this content for the prefilter; the
# depth / isdataat pair is what makes the match exact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4wce.67tf.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"17m.5x7u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8z1.67tf.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9u.p8ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6wt2.u4-r-o.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631632/; target:src_ip; metadata: confidence_level 100,
first_seen 2025_11_03; classtype:trojan-activity; sid:91631632; rev:1;)
# Domain IOCs, exact-name match on the DNS query (depth + isdataat:!1,relative).
# msg separates "payload delivery" from "botnet C2 traffic"; classtype is
# trojan-activity for both, so the threat type is visible only in msg.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cr.71o9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631631; rev:1;)
# The next two are registrable domains with no host label: a query for
# www.<name> or any other subdomain does not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beastdositadvtofm.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"missionim.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.yldv.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9mj.u4-r-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
payload delivery (domain - confidence level: 100%)"; dns_query; content:"6rv.ha0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631622; rev:1;)
# Payload-delivery domain IOCs: one exact host name per rule, matched on the
# DNS query only. The rules look at the name being resolved, not at the
# answer, so a hit shows a lookup attempt and nothing about whether a
# connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5t3a.67tf.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"22k.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v5qp3.u4-r-o.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"83.si9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0bq9.67tf.online"; depth:17; fast_pattern; isdataat:!1,relative;
nocase; reference:url, threatfox.abuse.ch/ioc/1631617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631617; rev:1;)
# Domain IOCs: exact, case-insensitive match on the queried name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lj.to1j.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ou.mjg1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631615; rev:1;)
# URL IOC (confidence 75). Three conditions on one client request: method
# contains GET, URI starts with /gtop.sh (depth only, so a longer path or a
# query string still matches), and Host is exactly the listed address.
# These rules use the dotted sticky buffers (http.method, http.uri, http.host)
# next to the older dns_query spelling used by the domain rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gtop.sh"; depth:8; nocase; http.host; content:"196.251.115.19"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631361/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631361; rev:1;)
# ip:port IOCs: header-only match, limited to one alert per source address
# per 60 s by the threshold keyword.
alert tcp $HOME_NET any -> [117.72.242.9] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631367; rev:1;)
alert tcp $HOME_NET any -> [197.246.235.228] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631368/; target:src_ip; metadata: confidence_level
100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631368; rev:1;)
# ip:port IOCs. Header-only rules: destination address and port are the whole
# signature. The threshold (type limit, track by_src, count 1, seconds 60)
# keeps a chatty host from flooding the log, which also means the alert count
# says little about the number of connections.
alert tcp $HOME_NET any -> [198.23.227.140] 6262 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631369; rev:1;)
alert tcp $HOME_NET any -> [31.56.28.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631370; rev:1;)
alert tcp $HOME_NET any -> [173.249.1.63] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631371; rev:1;)
# C2 domain IOCs: exact-name match on the DNS query (depth + isdataat:!1,relative).
# NOTE(review): the www. entries cover only the www host; the bare domain and
# other hosts under it are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbjj.nageshks.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bakersfieldrealtyinvestment.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic
(domain - confidence level: 100%)"; dns_query; content:"www.mosenego.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631374; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches; the threshold limits output to one alert per source per 60 s.
alert tcp $HOME_NET any -> [178.236.252.229] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631375; rev:1;)
alert tcp $HOME_NET any -> [89.32.41.109] 1995 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631415; rev:1;)
# Dynamic-DNS host name: the rule pins this one name, not the ddns.net zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fofatot.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631416; rev:1;)
# Confidence 80 here versus 100 above; the level is carried in msg and
# metadata only, classtype is the same.
alert tcp $HOME_NET any -> [82.27.2.229] 13471 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631424/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_03; classtype:trojan-activity; sid:91631424; rev:1;)
# URL IOC: GET + URI prefix + exact Host (see the depth / isdataat pair on
# http.host; the http.uri content has depth only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/aarch64"; depth:10; nocase; http.host; content:"42.112.26.45"; depth:12;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631431; rev:1;)
# URL IOCs for payload download paths. http.host must equal the listed address
# exactly; http.uri is anchored at the start only, so "/aarch64" with depth:8
# also matches a longer URI that begins with those bytes.
# The rules inspect cleartext HTTP requests only (alert http,
# flow:established,from_client).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; nocase; http.host; content:"213.232.114.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/aarch64"; depth:13; nocase; http.host; content:"45.144.174.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631446; rev:1;)
# Domain IOC: exact-name match on the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1p6.67tf.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631614; rev:1;)
# ip:port IOCs: header-only match, one alert per source address per 60 s.
alert tcp $HOME_NET any -> [194.87.10.124] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631613; rev:1;)
alert tcp $HOME_NET any -> [149.104.26.16] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631612; rev:1;)
# ip:port IOC on port 80: any TCP packet to that address and port matches,
# whatever the request; only the threshold limits the volume.
alert tcp $HOME_NET any -> [107.174.250.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631611; rev:1;)
# Domain IOCs: exact, case-insensitive match on the queried name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vdx.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8kz.u4-r-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631609; rev:1;)
# Confidence-75 ip:port IOCs. Same classtype as the 100% entries, so the lower
# confidence is visible only in msg and metadata.
# NOTE(review): port 443 with no TLS or payload condition matches any traffic
# to that address; expect these to need confirmation from the ThreatFox entry.
alert tcp $HOME_NET any -> [99.83.143.158] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631608/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631608; rev:1;)
alert tcp $HOME_NET any -> [78.141.220.195] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631607/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631607; rev:1;)
# Confidence-75 ip:port IOCs (DeimosC2 and Sliver per msg). Each rule matches
# on destination address and port alone and is limited to one alert per source
# address per 60 s by the threshold keyword.
# NOTE(review): with no payload or TLS condition, a hit on 443 or 8888 shows
# only that a host talked to the address; use the reference URL and
# confidence_level when deciding how to triage.
alert tcp $HOME_NET any -> [54.85.238.89] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631606/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631606; rev:1;)
alert tcp $HOME_NET any -> [185.43.141.44] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631605/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631605; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.252] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631604/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631604; rev:1;)
alert tcp $HOME_NET any -> [108.61.207.127] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631603/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631603; rev:1;)
# Adjacent addresses (.94 here, .95 next) are listed as separate rules; the
# feed emits one rule per address rather than a range.
alert tcp $HOME_NET any -> [107.174.232.94] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631600/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631600; rev:1;)
alert tcp $HOME_NET any -> [107.174.232.95] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631601/; target:src_ip;
metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631601; rev:1;)
# Confidence-75 ip:port IOCs: header-only match, one alert per source address
# per 60 s.
alert tcp $HOME_NET any -> [107.174.82.199] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631602/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631602; rev:1;)
alert tcp $HOME_NET any -> [106.41.204.33] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631599/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631599; rev:1;)
# Confidence 50: lowest level in this part of the feed, same classtype as the
# rest. The domain rules have no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hehua.cookielive.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631598/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631598; rev:1;)
# Confidence-100 domain IOCs: exact-name match (depth + isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cya.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2k7m.67tf.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload
delivery (domain - confidence level: 100%)"; dns_query; content:"v7c.1r55.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631595; rev:1;)
# Payload-delivery domain IOCs. depth equals the length of the listed name and
# isdataat:!1,relative rejects anything after it, so the match is on the whole
# queried name, case-insensitively.
# NOTE(review): the host labels look machine-generated and change from entry
# to entry while the parent zones repeat; an exact-name rule covers only the
# labels already reported.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7x0.j-7m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7u.8786.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qy.5x7u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1nr.432b47.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r2a.j-7m.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1631590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631590; rev:1;)
# Confidence-50 URL IOCs. The URI condition is content:"/i" with depth:2 and no
# end anchor, so it is a two-byte prefix: any GET whose URI begins with /i
# (upper or lower case, via nocase) matches. The discriminating part is the
# exact http.host match on the listed address (depth + isdataat:!1,relative).
# NOTE(review): low confidence plus a short URI prefix makes these the most
# false-positive-prone rules here; classtype does not set them apart from the
# 100% entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"123.11.79.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631582/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.236.220.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631583/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"182.117.126.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631584/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"123.11.2.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631585/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.230.219.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631586/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631586; rev:1;)
# Confidence-50 URL IOCs, identical except for the Host address. http.uri is
# matched as the prefix /i (depth:2, nocase, no end anchor); http.host must
# equal the listed address. Only client requests on established flows are
# inspected (flow:established,from_client).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"112.248.31.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631587/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"222.136.42.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631588/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"222.137.78.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631589/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"182.114.33.82"; depth:13;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631574/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631574; rev:1;)
# Confidence-50 URL IOCs: GET, URI beginning with /i, Host equal to the listed
# address. The rules have no threshold keyword, so each matching request
# produces its own alert.
# NOTE(review): Host is matched as a literal address; a request that reaches
# the same server under a host name would not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"222.141.184.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631575/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"123.8.174.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631576/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.227.239.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631577/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"196.188.80.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631578; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.178.29.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631579/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"27.207.39.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631580/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.7.120.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631581/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8p.p8ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de.atlantaoralandfacialsurgery.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631571/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91631571; rev:1;)
# C2 URL rules with http.uri content "/" and depth:1: every request path starts
# with "/", so these are effectively exact-Host matches on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"de.atlantaoralandfacialsurgery.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"de.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631569; rev:1;)
# ip:port rules: there are no flow or payload keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches, whatever protocol runs on
# top. "threshold: type limit, track by_src, seconds 60, count 1" caps output at
# one alert per source host per 60 seconds. target:src_ip records the internal
# client as the affected side of the event.
# NOTE(review): the malware family in msg comes from the feed, not from
# anything inspected on the wire. For entries on ports 80/443 the address may
# also serve unrelated content; check confidence_level and first_seen, and
# correlate with endpoint telemetry before acting on a hit.
alert tcp $HOME_NET any -> [144.48.180.16] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631566; rev:1;)
alert tcp $HOME_NET any -> [31.57.187.119] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631567/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631567; rev:1;)
alert tcp $HOME_NET any -> [31.57.187.119] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631564/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631564; rev:1;)
alert tcp $HOME_NET any -> [31.57.187.119] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631565/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_03; classtype:trojan-activity; sid:91631565; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.149] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631563; rev:1;)
alert tcp $HOME_NET any -> [185.22.153.103] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631562; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.95] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631561; rev:1;)
alert tcp $HOME_NET any -> [179.43.145.34] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631560; rev:1;)
alert tcp $HOME_NET any -> [193.23.126.73] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631559; rev:1;)
alert tcp $HOME_NET any -> [176.100.36.88] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631558; rev:1;)
alert tcp $HOME_NET any -> [47.239.10.143] 8443 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631556; rev:1;)
alert tcp $HOME_NET any -> [47.76.149.63] 8443 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631557; rev:1;)
alert tcp $HOME_NET any -> [192.227.152.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631553; rev:1;)
alert tcp $HOME_NET any -> [192.227.152.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631554; rev:1;)
alert tcp $HOME_NET any -> [8.130.22.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631555; rev:1;)
alert tcp $HOME_NET any -> [172.96.10.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631551; rev:1;)
alert tcp $HOME_NET any -> [47.109.201.85] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631552; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.138] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631550; rev:1;)
# Domain rules: the query name must equal the listed FQDN exactly (depth:N plus
# isdataat:!1,relative, case-insensitive via nocase). They fire on the lookup
# leaving $HOME_NET; if clients resolve through an internal resolver, the alert
# source may be that resolver rather than the workstation - verify sensor
# placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fwi.71o9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nqi.yldv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1v8.j-7m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631547; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 9299 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"approved-liability.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"idkegobruh-44949.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631542/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"positive-significantly.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631543/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631543; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"song-shepherd.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631544/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cure2x-54076.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631545/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631545; rev:1;)
# pastebin.com rules: http.host must equal "pastebin.com" exactly and http.uri
# must begin with the listed /raw/ path (depth:13 anchors the start; nothing
# anchors the end). nocase on the URI means every letter-case variant of the
# eight-character id matches, not only the spelling shown.
# NOTE(review): these are "alert http" signatures, so they only see the request
# when it crosses the sensor as cleartext HTTP; fetches made over TLS are
# invisible to them unless the traffic is decrypted upstream. The host itself is
# a general-purpose paste site, so alert on the full host+path pair only and do
# not derive a host-wide block from these entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/4svuav59"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/e1d43ys7"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631538/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/lh68ycn5"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/gyppvfhm"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631540/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3q6y.432b47.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631536; rev:1;)
# ip:port rule: no payload inspection; any TCP packet to this address and port
# matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [80.64.19.173] 5001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631535; rev:1;)
# C2 domain rules, confidence 50. Each pins the DNS query to one exact FQDN
# (depth:N plus isdataat:!1,relative), so sibling hosts such as the v2./v3.
# names below each need - and have - their own signature; an unlisted
# subdomain of the same parent will not alert.
# NOTE(review): several entries are host labels under shared dynamic-DNS style
# parents (e.g. duckdns.org); the indicator is the full name, not the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"galaxyprojectontop.con-ip.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nigganazi61-42359.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sophos1997.camdvr.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.darktide.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.xoilaczzzhz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"medellin12345.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.8services2point0.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.antiracistusa.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.darktide.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.xoilaczzzhz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.8services2point0.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631528/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.antiracistusa.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631529/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/dsgrhe3c"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631522; rev:1;)
# C2 domain rules, confidence 50: exact-FQDN match on the DNS query name
# (depth:N plus isdataat:!1,relative, case-insensitive). A rule for a parent
# name such as "darktide.live" therefore does not cover its subdomains, and a
# rule for one subdomain does not cover another.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"caiunofake.ddns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631521; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet to the listed
# address and port matches; threshold limits output to one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [94.154.35.111] 21001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631520/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631520; rev:1;)
alert tcp $HOME_NET any -> [157.66.81.239] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"8services2point0.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"caiunotrojan.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"darktide.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gatex.antiracistusa.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gatex.xoilaczzzhz.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nopirate1990.dynuddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fr.ha0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631512; rev:1;)
# C2 URL rules with http.uri content "/" and depth:1: every request path begins
# with "/", so these reduce to "GET to exactly this Host" on cleartext HTTP.
# NOTE(review): at confidence 50 with no path constraint, expect these to need
# corroboration (process, destination reputation, the ThreatFox reference)
# before a host is treated as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zhixilang.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server2.cdneurops.buzz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server11.cdneurops.buzz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ww25.2d847db8-2aaf-4f1d-a00c-6e52213c062d.server4.ninhaine.com"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"68.210.136.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631507/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"43.246.210.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631506/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"101.xmm.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631505/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcz.g7ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/login.php"; depth:16; nocase; http.host; content:"cloud-verificator.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631503/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631503; rev:1;)
# C2 URL rules: client-side GET on an established flow, http.host equal to the
# listed value, http.uri beginning with the listed path (depth anchors the
# start only; a longer path or query string after it still matches). Where the
# path is just "/", the rule is effectively a Host-only match.
# NOTE(review): "alert http" covers cleartext HTTP only; the same destination
# reached over TLS will not trigger these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.231.116.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u83mfds2/index.php"; depth:19; nocase; http.host; content:"79.137.192.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631501; rev:1;)
# Payload-delivery domain rules, confidence 100: exact-FQDN match on the DNS
# query name (depth:N plus isdataat:!1,relative, case-insensitive via nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4.si9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4p9q.j-7m.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lm.to1j.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9jw4.432b47.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"4.230.24.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"axm.mjg1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631495; rev:1;)
# ip:port rules, confidence 50: no flow or payload keywords, so any TCP packet
# from $HOME_NET to the listed address and port matches regardless of what is
# spoken on the connection. "threshold: type limit, track by_src, seconds 60,
# count 1" yields at most one alert per source host per 60 seconds, so repeat
# connections inside that window are not individually logged here.
# NOTE(review): the family name in msg is feed attribution, not something the
# rule verifies. An entry on port 443 in particular may share its address with
# unrelated services; corroborate with flow records or endpoint data.
alert tcp $HOME_NET any -> [105.101.126.12] 5001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631494/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631494; rev:1;)
alert tcp $HOME_NET any -> [187.55.64.202] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631493/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631493; rev:1;)
alert tcp $HOME_NET any -> [160.30.204.203] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631492/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631492; rev:1;)
alert tcp $HOME_NET any -> [5.89.185.234] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631491/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631491; rev:1;)
alert tcp $HOME_NET any -> [213.209.143.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631490/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631490; rev:1;)
alert tcp $HOME_NET any -> [185.247.224.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631486; rev:1;)
alert tcp $HOME_NET any -> [62.106.66.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631487/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631487; rev:1;)
alert tcp $HOME_NET any -> [23.111.126.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631488; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631489/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631489; rev:1;)
alert tcp $HOME_NET any -> [176.82.190.187] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631485; rev:1;)
alert tcp $HOME_NET any -> [216.144.234.251] 16400 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631481/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631481; rev:1;)
alert tcp $HOME_NET any -> [35.183.62.71] 7634 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631482; rev:1;)
alert tcp $HOME_NET any -> [54.228.126.197] 16025 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631483/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631483; rev:1;)
alert tcp 
$HOME_NET any -> [34.202.160.77] 2154 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631484; rev:1;) alert tcp $HOME_NET any -> [31.57.228.83] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631479/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631479; rev:1;) alert tcp $HOME_NET any -> [210.243.90.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631480/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631480; rev:1;) alert tcp $HOME_NET any -> [192.140.163.165] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631476/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631476; rev:1;) alert tcp $HOME_NET any -> [43.139.146.100] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631477/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631477; rev:1;) alert tcp $HOME_NET any -> [47.92.78.31] 12587 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1631478/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1zs.yu5k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631475; rev:1;) alert tcp $HOME_NET any -> [84.21.189.30] 4437 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631473/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631473; rev:1;) alert tcp $HOME_NET any -> [156.234.203.156] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631474; rev:1;) alert tcp $HOME_NET any -> [119.42.148.186] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631472/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631472; rev:1;) alert tcp $HOME_NET any -> [119.42.148.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_03; classtype:trojan-activity; sid:91631471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0yg.0fv1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0kd.no4s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0v2.432b47.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2d4.1r55.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tbd9.0fv1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wp.8786.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5x8r.432b47.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z83n.0fv1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0k.5x7u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rl.q3lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1kpa.0fv1.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631460/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_03; classtype:trojan-activity; sid:91631460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7dz.432b47.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sd.77-6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anyone-recover.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631457; rev:1;) alert tcp $HOME_NET any -> [216.250.252.227] 7719 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"until-slope.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631455; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 15904 (msg:"ThreatFox XWorm botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minecraftmemesmp-55927.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2pk3.432b47.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m2x.0fv1.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ob1.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631450; rev:1;) alert tcp $HOME_NET any -> [45.74.46.6] 20251 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1631449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e2kj.ru7x.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t7.ru7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631447; rev:1;) alert tcp $HOME_NET any -> [82.23.246.12] 8880 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631444; rev:1;) alert tcp $HOME_NET any -> [1.52.157.76] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631443; rev:1;) alert tcp $HOME_NET any -> [36.255.98.38] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631442; rev:1;) alert tcp $HOME_NET any -> [191.101.130.68] 7707 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631441; rev:1;) alert tcp $HOME_NET any -> [43.138.38.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631440; rev:1;) alert tcp $HOME_NET any -> [185.177.239.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631439; rev:1;) alert tcp $HOME_NET any -> [193.23.126.73] 8081 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631438; rev:1;) alert tcp $HOME_NET any -> [193.23.126.73] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631435; rev:1;) alert tcp $HOME_NET any -> [193.23.126.73] 587 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631436/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_03; classtype:trojan-activity; sid:91631436; rev:1;) alert tcp $HOME_NET any -> [193.23.126.73] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631437; rev:1;) alert tcp $HOME_NET any -> [93.127.132.225] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"byv.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631433; rev:1;) alert tcp $HOME_NET any -> [172.245.25.169] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8ny.ru7x.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"0ma.77-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ab.wi7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3g.m2la.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4v7.ru7x.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atd.e-dx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n00.ki8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631423/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q6k.t4mo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5u2.u-v9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"byf.33b2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1ct.ru7x.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bg.xa9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4p.zo6r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xi.1z57.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j8wz.xa9t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ii.1yjp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2hq.xa9t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sbx.op76.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hr.crju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xe.y8-8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vp.5-rt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s4ym.xa9t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5h.da5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; 
classtype:trojan-activity; sid:91631405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vef.ve1p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o11.18yk.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7xpa.si9a.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qa.fe9v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4t9.si9a.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"kfy.be3q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0zq.si9a.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uvd.3-5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x5wk.ve1p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fx.ru7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1c8.si9a.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1631394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631394; rev:1;)
# Domain rules: dns_query selects the DNS query name. depth equals the content
# length and isdataat:!1,relative requires that nothing follows the match, so
# only the exact listed hostname alerts; nocase makes the comparison
# case-insensitive. target:src_ip marks the querying internal host as the
# affected side in alert output.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gw3.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6ta.ve1p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631392; rev:1;)
# ip:port rules: there are no flow or content keywords, so the match is on the
# address and port alone - any TCP packet from $HOME_NET to the listed endpoint
# qualifies. threshold (type limit, track by_src, seconds 60, count 1) caps each
# rule at one alert per internal source per 60 seconds.
# NOTE(review): nothing in these rules inspects the payload, so the malware
# family named in msg presumably comes from the ThreatFox entry, not from the
# traffic. Treat a hit as a lead to correlate with flow and endpoint data, and
# age entries out using first_seen, since addresses get reassigned.
alert tcp $HOME_NET any -> [54.90.68.125] 9600 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631391; rev:1;)
alert tcp $HOME_NET any -> [139.212.61.49] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631390; rev:1;)
alert tcp $HOME_NET any -> [155.94.144.226] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631389; rev:1;)
# NOTE(review): the next two rules use ports 443 and 22, where ordinary services
# also listen; with an address-only match, a later reuse of the IP by an
# unrelated service would alert the same way.
alert tcp $HOME_NET any -> [105.156.11.21] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631388; rev:1;)
alert tcp $HOME_NET any -> [193.23.126.73] 22 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631387; rev:1;)
alert tcp $HOME_NET any -> [151.243.254.175] 1337 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_03; classtype:trojan-activity; sid:91631386; rev:1;)
# Exact-name DNS rules again; first_seen moves from 2025_11_03 to 2025_11_02 here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e3h7n.si9a.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jk.77-6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3x8.ve1p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1631383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jqp.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"94f.m2la.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f9r2.ve1p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9pwa.ha0m.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iso.e-dx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; 
classtype:trojan-activity; sid:91631378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6y3.ha0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wzu.ki8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xb.t4mo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z0tb.ha0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jq.u-v9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"q7je.ve1p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervideosecuregeneratoruniversal.php"; depth:42; nocase; http.host; content:"aaaaakkkkkii.life"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ent.33b2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1m8q.ha0m.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9ht.xa9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"c5n3.m2la.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2k7.ha0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lj.zo6r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o9.1z57.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uvu.1yjp.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6dv.m2la.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1631352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7m.op76.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ew3.crju.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"53.y8-8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1wb.m2la.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vc.5-rt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631347; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3xq.m2la.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ivs.da5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rd7.ve1p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8vd.no4s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ph.18yk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"e9rm2.9-88.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"de7.fe9v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kzg.be3q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3qla.no4s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3.3-5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packetgeoprocessuploads.php"; depth:28; nocase; http.host; 
content:"939870cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"91u.ru7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5t9.no4s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631334; rev:1;) alert tcp $HOME_NET any -> [38.89.139.179] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631333; rev:1;) alert tcp $HOME_NET any -> [47.104.158.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631332; rev:1;) alert tcp $HOME_NET any -> [43.138.15.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; 
classtype:trojan-activity; sid:91631331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rl1.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u4j9.9-88.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10f.77-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0s3n.no4s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7ny.9-88.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"obi.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631325; rev:1;)
# ip:port rules: address-and-port match only (no flow or content keywords),
# limited by threshold to one alert per source per 60 seconds.
# The first two entries carry confidence_level 80 in both msg and metadata,
# lower than the 100 on the rules around them; the metadata value is the field
# to key on when routing or down-ranking lower-confidence hits.
alert tcp $HOME_NET any -> [212.68.34.175] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631259/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_02; classtype:trojan-activity; sid:91631259; rev:1;)
alert tcp $HOME_NET any -> [103.163.118.111] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631260/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_02; classtype:trojan-activity; sid:91631260; rev:1;)
alert tcp $HOME_NET any -> [144.31.72.240] 1543 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631278; rev:1;)
# url rule: three buffers must all match on a client-to-server request in an
# established flow - method GET, a URI that begins with the listed path
# (depth:45 anchors the start; there is no end anchor, so anything may follow
# the path), and a Host equal to the listed IP literal (depth:12 plus
# isdataat:!1,relative pins the whole buffer).
# NOTE(review): this inspects cleartext HTTP only; the same request over TLS
# would not be visible to the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/ytasodasodasytisytasodmsogqsotysnjusodis"; depth:45; nocase; http.host; content:"64.188.98.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2hf.9-88.online"; depth:16; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631324; rev:1;) alert tcp $HOME_NET any -> [157.20.182.18] 2002 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631323; rev:1;) alert tcp $HOME_NET any -> [157.20.182.18] 1990 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oz.m2la.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2w8.no4s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"80n.e-dx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; 
sid:91631319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3kqa.q3lo.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gd.ki8n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u4r9.q3lo.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.t4mo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcb.u-v9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631314; rev:1;) alert tcp $HOME_NET any -> [52.86.100.145] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631313/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_02; classtype:trojan-activity; sid:91631313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d7m0.q3lo.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1n.33b2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631311; rev:1;) alert tcp $HOME_NET any -> [129.21.38.217] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631310/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_02; classtype:trojan-activity; sid:91631310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2ro.xa9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dd.zo6r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631307/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_11_02; classtype:trojan-activity; sid:91631307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1zpn.q3lo.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5zx.9-88.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u7.1z57.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arkanix.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nf.1yjp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"below-artificial.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631301; rev:1;)
# ip:port rule: matches on destination address and port only; threshold limits
# it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [87.106.28.161] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631300; rev:1;)
# url rule. NOTE(review): the http.uri content below is hostname-shaped
# ("mi.huffproofs.com") and there is no http.host match, unlike the other url
# rules on this page, which pair a path in http.uri with the host in http.host.
# Presumably the ThreatFox entry was a bare host without a path; if so, an
# ordinary request whose target is a path will not start with this string and
# the rule stays silent. Confirm against the IOC entry; a host-anchored variant
# would be: http.host; content:"mi.huffproofs.com"; depth:17; isdataat:!1,relative;
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mi.huffproofs.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1631299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631299; rev:1;)
# Exact-name DNS rule: depth:21 plus isdataat:!1,relative pin the full query
# name, so only this one label under duckdns.org alerts, not the parent domain
# or its other subdomains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"99898nffa.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631298; rev:1;)
alert tcp $HOME_NET any -> [170.205.31.236] 4222 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hair-gale.gl.at.ply.gg"; depth:22; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pop-experimental.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtual-conjunction.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cash-mae.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cash-clearly.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631292; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 4770 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631291/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y3kx.j935.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8b.op76.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8v2.q3lo.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a0.crju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anunnbj.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pressot.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"affairu.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comtedo.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1v9.j935.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xo.y8-8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5yd.b6je.online"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bz.5-rt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4.da5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9qla.b6je.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j68.ve1p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4tr.j935.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631274/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_02; classtype:trojan-activity; sid:91631274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iq.18yk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631273; rev:1;) alert tcp $HOME_NET any -> [91.92.242.81] 43658 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631269; rev:1;) alert tcp $HOME_NET any -> [194.156.79.79] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631270; rev:1;) alert tcp $HOME_NET any -> [178.22.24.175] 4449 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631271; rev:1;) alert tcp $HOME_NET any -> [194.163.136.13] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ki.fe9v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0k3.b6je.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cjq.be3q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z6n4.b6je.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gg6.3-5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6qa.j935.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631263/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dqb.ru7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j1p7q.b6je.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rw.q3lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631258; rev:1;) alert tcp $HOME_NET any -> [98.84.133.213] 37146 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631257; rev:1;) alert tcp $HOME_NET any -> [196.75.164.238] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631256; rev:1;) alert tcp $HOME_NET any -> [51.85.32.254] 4444 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srv1061577.hstgr.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631254; rev:1;) alert tcp $HOME_NET any -> [191.101.130.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3x9.h-3t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fs.77-6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9p.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1631250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e9tva.h-3t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6a.m2la.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j5aw9.9r3s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ng.e-dx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7r0.h-3t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; 
sid:91631245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3l8.9r3s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2on.ki8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y1.t4mo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tc.u-v9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631241; rev:1;) alert tcp $HOME_NET any -> [139.9.66.46] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631240; rev:1;) alert tcp $HOME_NET any -> [107.149.142.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91630996; rev:1;)
# ip:port rules in this stretch match on the rule header only (any TCP packet from
# $HOME_NET to the listed address and port) and are rate-limited by threshold to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [196.251.88.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91630997; rev:1;)
# domain rule: depth equals the pattern length and isdataat:!1,relative forbids
# trailing bytes, so only a query for exactly this name alerts (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.relatec.it.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91630998; rev:1;)
# The next two rules target ports 443 and 80 with no TLS, HTTP or payload keyword.
# Any connection from $HOME_NET to the address on that port alerts, whatever it
# carries. If the address is reassigned or also serves unrelated content, these
# become false positives; first_seen in the metadata is the only age signal the
# rule carries for expiry decisions. msg gives "Unknown malware" for the first,
# so the reference URL is the place to look for attribution.
alert tcp $HOME_NET any -> [197.5.192.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91630999; rev:1;)
alert tcp $HOME_NET any -> [168.231.116.237] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631000; rev:1;)
alert tcp $HOME_NET any -> [172.245.253.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccpwnews.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631001; rev:1;)
# Ports 8443 and 8080 below: same header-only caveat as the 443/80 rules above.
alert tcp $HOME_NET any -> [116.49.85.177] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631002; rev:1;)
alert tcp $HOME_NET any -> [45.77.246.213] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631004; rev:1;)
alert tcp $HOME_NET any -> [89.35.130.116] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631053; rev:1;)
# This rule carries confidence_level 80 in both msg and metadata, where the
# surrounding rules carry 100. Deployments that filter or prioritise on the
# metadata value will treat it differently from its neighbours.
alert tcp $HOME_NET any -> [193.111.248.202] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631148/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_02; classtype:trojan-activity; sid:91631148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"check-here.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631054; rev:1;) alert tcp $HOME_NET any -> [41.143.6.3] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631159; rev:1;) alert tcp $HOME_NET any -> [45.42.141.135] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631160; rev:1;) alert tcp $HOME_NET any -> [5.129.26.33] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631161; rev:1;) alert tcp $HOME_NET any -> [93.127.200.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631162; rev:1;) alert tcp $HOME_NET any -> [113.45.252.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; 
classtype:trojan-activity; sid:91631163; rev:1;) alert tcp $HOME_NET any -> [72.61.145.143] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0fp.9r3s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2q1n.h-3t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"py.33b2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4m8.h-3t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631236; rev:1;) alert tcp $HOME_NET any -> [91.92.241.235] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4yq.9r3s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631234; rev:1;) alert tcp $HOME_NET any -> [64.188.91.232] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631233; rev:1;) alert tcp $HOME_NET any -> [217.156.67.140] 5888 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qb.xa9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631231; rev:1;) alert tcp $HOME_NET any -> [23.26.237.237] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631230/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6tr.139z.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631229; rev:1;) alert tcp $HOME_NET any -> [217.154.249.35] 2323 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631228; rev:1;) alert tcp $HOME_NET any -> [185.254.99.174] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631227; rev:1;) alert tcp $HOME_NET any -> [112.213.110.204] 1586 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631225; rev:1;) alert tcp $HOME_NET any -> [160.30.45.246] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"2iw.zo6r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631224; rev:1;) alert tcp $HOME_NET any -> [103.75.183.233] 1177 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631223; rev:1;) alert tcp $HOME_NET any -> [5.78.65.60] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631216; rev:1;) alert tcp $HOME_NET any -> [27.124.9.40] 5000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631217; rev:1;) alert tcp $HOME_NET any -> [31.57.147.229] 63000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631218; rev:1;) alert tcp $HOME_NET any -> [45.141.215.68] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631219; rev:1;) alert 
tcp $HOME_NET any -> [45.149.153.218] 100 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631220; rev:1;) alert tcp $HOME_NET any -> [62.72.45.68] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631221; rev:1;) alert tcp $HOME_NET any -> [103.42.30.157] 8899 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631222; rev:1;) alert tcp $HOME_NET any -> [31.40.204.127] 1671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631214; rev:1;) alert tcp $HOME_NET any -> [84.38.129.67] 6976 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pozsonz.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631212/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631212; rev:1;)
# Botnet C2 domain indicators. Each rule inspects the DNS query name only: content
# with depth equal to the name length plus isdataat:!1,relative anchors both ends, so
# the rule fires on that exact name (case-insensitive via nocase) and on nothing else;
# subdomains are not covered. No threshold is set, so every matching query alerts.
# The header restricts matching to queries going from $HOME_NET to $EXTERNAL_NET.
# NOTE(review): where clients use an internal resolver, the alerting source is
# presumably the resolver rather than the infected host; correlate with resolver
# query logs to find the originating client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadupm.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scapev.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genusal.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grownuc.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secondp.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backchv.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manualc.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feathej.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genuslu.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cadujb.lat"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"extermz.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmadp.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mexicaq.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lethali.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penstjn.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631203; rev:1;)
# URL indicator, confidence 75% (lower than the domain rules around it). Matches a
# client-side GET on an established flow whose URI begins with "/api" (depth:4 with
# nocase, so longer paths that merely start with /api also match) and whose
# normalised Host buffer is exactly "penstjn.lat". The rule needs HTTP the sensor can
# parse, so TLS-wrapped requests are only seen if decrypted upstream. The same host
# name is covered by DNS rule sid:91631203 above; correlate the two during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"penstjn.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1631197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_02; classtype:trojan-activity; sid:91631197; rev:1;)
# Payload-delivery domain indicators: same exact-name DNS matching as the C2 domain
# rules above. A hit shows a lookup of a delivery host, not that a payload was
# fetched or executed; check proxy and endpoint logs for the follow-on download.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0sqa.139z.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"17.1z57.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mm.1yjp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0.op76.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0n.crju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631192; rev:1;)
# Payload-delivery domain indicators. dns_query + content with depth equal to the
# name length, plus isdataat:!1,relative, pins the match to the whole query name
# (case-insensitive via nocase); no threshold is set, so each matching query alerts.
# NOTE(review): several names here share a parent zone (e.g. yw9a.online). These
# rules do not match sibling names under that parent, so when one fires it is worth
# searching resolver logs for other lookups under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1me4.yw9a.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nn.y8-8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3d7.yw9a.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amo.5-rt.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ygz.da5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9kr.yw9a.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1l.ve1p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eo.18yk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f2x8m.yw9a.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lz.fe9v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"42.be3q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631181/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631181; rev:1;)
# Payload-delivery domain: exact, case-insensitive match on the whole DNS query name
# (depth equals the name length and isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3q.6x-3z.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631180; rev:1;)
# ip:port indicators (Quasar RAT, Empire Downloader, NetSupportManager RAT). No flow,
# flags or payload keywords are present, so any TCP packet from $HOME_NET to the
# address and port matches, rate-limited to one alert per source per 60 seconds.
# NOTE(review): two of these sit on ports 80 and 443. If such an address is shared
# or later reassigned, ordinary web traffic to it will alert; check the ThreatFox
# reference and the first_seen date before escalating.
alert tcp $HOME_NET any -> [137.175.73.149] 3878 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631179; rev:1;)
alert tcp $HOME_NET any -> [13.53.40.179] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631178; rev:1;)
alert tcp $HOME_NET any -> [102.96.149.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631177; rev:1;)
# Botnet C2 domain, exact-name match (depth:36 equals the name length).
# NOTE(review): ply.gg looks like a shared tunnelling-service zone (confirm); the
# anchoring keeps this rule from firing on other hostnames under that zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"administration-montreal.gl.at.ply.gg"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631176; rev:1;)
# Cobalt Strike ip:port indicator on 443: address-and-port match only, no TLS or
# payload inspection, so corroborate with other telemetry before escalating.
alert tcp $HOME_NET any -> [43.139.231.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631175; rev:1;)
# Payload-delivery domains, exact-name DNS matching as described above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"20.3-5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0.ru7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7v1.6x-3z.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2x7.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b9.6x-3z.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1631170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631170; rev:1;)
# Payload-delivery domain indicators. Every rule in this run has the same shape:
# dns_query + content with depth equal to the name length, plus isdataat:!1,relative,
# so only a query for that exact name matches (case-insensitive via nocase). None
# carries a threshold, so a host that repeatedly resolves a name alerts each time.
# The header only covers queries from $HOME_NET to $EXTERNAL_NET.
# NOTE(review): where clients sit behind an internal resolver the alert source is
# presumably the resolver; use resolver query logs to identify the real client.
# NOTE(review): many names share a parent zone (139z.online, v4-z.online, k-8ip.ru,
# 6x-3z.ru, ...). Sibling names under those parents are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pf4.77-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4m.6x-3z.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4p2.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9bm.139z.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9yg.m2la.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3vnt.139z.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1.e-dx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pzk6.139z.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xc.ki8n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n.k-8ip.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7t.t4mo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0z7.k-8ip.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8v.u-v9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wy.33b2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4qpn.v4-z.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sw.xa9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1.k-8ip.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gle.zo6r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7c7.1z57.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9la.v4-z.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8s.1yjp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5we2.v4-z.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tp.op76.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q.tgmop.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"60.crju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0w4.98g-bj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dl.y8-8.ru"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1631136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631136; rev:1;)
# Payload-delivery domain indicators: exact, case-insensitive match on the whole DNS
# query name (depth equals the name length; isdataat:!1,relative forbids trailing
# bytes). Subdomains and parent zones are not covered, and no threshold is applied.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2fr.5-rt.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2w0.tgmop.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g2x7m.98g-bj.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bo.da5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631132; rev:1;)
# DeimosC2 ip:port indicator at confidence 75% on port 443. The rule matches on
# address and port alone (no flow, TLS or payload keywords), rate-limited to one
# alert per source per 60 seconds. Given the lower confidence and the common port,
# treat a hit as a lead to corroborate rather than as confirmation of compromise.
alert tcp $HOME_NET any -> [182.30.30.154] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631131/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_02; classtype:trojan-activity; sid:91631131; rev:1;)
# Payload-delivery domains, same exact-name DNS matching as the group above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3z.tgmop.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mde.ve1p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5rqa.98g-bj.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sh.18yk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"88.fe9v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0g.be3q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631125; rev:1;)
# ip:port indicators (Meterpreter, NetSupportManager RAT, Remcos): any TCP packet
# from $HOME_NET to the address and port matches; at most one alert per source per
# 60 seconds. An alert shows a connection attempt only; confirm with flow records
# or host telemetry, and retire the address when the feed drops it.
alert tcp $HOME_NET any -> [168.245.201.68] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631124; rev:1;)
alert tcp $HOME_NET any -> [13.201.46.83] 2761 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631123; rev:1;)
alert tcp $HOME_NET any -> [101.99.76.21] 7000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631122; rev:1;)
# Payload-delivery domains, exact-name DNS matching.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6n.3-5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9t3.98g-bj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631120/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_02; classtype:trojan-activity; sid:91631120; rev:1;)
# Payload-delivery domain indicators. dns_query + content with depth equal to the
# name length, plus isdataat:!1,relative, restricts each rule to one exact query
# name (case-insensitive via nocase). target:src_ip records the querying $HOME_NET
# address as the target in alert output.
# NOTE(review): a hit shows that the name was looked up, not that a payload was
# retrieved; several names share parents (98g-bj.ru, 89atr.ru, p0k61h.ru), and
# sibling names under those parents are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0.ru7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3m.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jjl.77-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4n.89atr.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1pze.98g-bj.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5n.wi7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq1.89atr.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4ny.p0k61h.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0.m2la.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hi.e-dx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5bx0.p0k61h.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6.89atr.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0s.ki8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8r1d.p0k61h.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7.t4mo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2k.4-4gy.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631104; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3ch.u-v9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2k9.p0k61h.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dn.33b2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1kl.xa9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m3a.p0k61h.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"based-ratios.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631098; rev:1;) alert tcp $HOME_NET any -> [176.65.148.254] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosting-concepts.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"park-cayman.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uq.zo6r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8ls.1z57.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631093/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ak.1yjp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0y6.op-76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ttz.op76.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qh.crju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e9n4k.op-76.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631088; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2q.y8-8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2q8.op-76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2.5-rt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0w.da5y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631084; rev:1;) alert tcp $HOME_NET any -> [2.57.241.239] 993 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631083; rev:1;) alert tcp $HOME_NET any -> [18.212.228.47] 1098 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1631082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631082; rev:1;) alert tcp $HOME_NET any -> [103.236.72.41] 88 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631080; rev:1;) alert tcp $HOME_NET any -> [3.135.204.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5w9t.op-76.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631078; rev:1;) alert tcp $HOME_NET any -> [68.218.67.213] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631077; rev:1;) alert tcp $HOME_NET any -> [129.212.186.153] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631076; rev:1;) alert tcp $HOME_NET any -> [108.174.199.100] 
2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631075; rev:1;) alert tcp $HOME_NET any -> [149.104.26.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u5.ve1p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0k.18yk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3h1.op-76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7yb.1yjp.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1631070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ih.fe9v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2l.be3q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0t5n.8786.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s11.3-5y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631066; rev:1;) alert tcp $HOME_NET any -> [182.16.98.83] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631065/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_02; classtype:trojan-activity; sid:91631065; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0h.ru7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1q0.1yjp.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8x.q3lo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w8j3.8786.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3r7.77-6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zny.wi7e.ru"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k1s7.8786.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g6u.m2la.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6c.e-dx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2kc.1yjp.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4m9q.8786.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631052/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cqi.ki8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"se3.t4mo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8a.u-v9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2y6.8786.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rr.33b2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5c7.mjg1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.wlh84.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0aq.y8-8.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2.wlh84.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d.wlh84.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8m2.y8-8.online"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0v4t.mjg1.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m.595-1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.595-1.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j8q2.mjg1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.595-1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631036/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_02; classtype:trojan-activity; sid:91631036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.zms-u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1.zms-u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3zy.y8-8.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.zms-u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1n8k.mjg1.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"w1.7n28r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631030; rev:1;)
# Reviewer notes: rules below are restored to one per line; rule text is unchanged.
# Two rule shapes appear in this stretch.
# ip:port rules (alert tcp $HOME_NET any -> [IP] PORT) carry no content or flow keyword, so
#   nothing in the rule requires an established session or any payload: a packet from
#   $HOME_NET to that address and port is enough. An alert shows contact with the listed
#   endpoint, not that the family named in msg was identified on the wire.
#   "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
#   source address per 60 seconds for each rule.
# domain rules (alert dns ... dns_query) set depth to the length of the content string and
#   add isdataat:!1,relative, so only a query for exactly that name matches (nocase makes
#   the comparison case-insensitive); a longer name that merely contains it does not.
# target:src_ip marks the $HOME_NET side as the target in the alert record. Each sid is the
#   digit 9 followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): one ip:port rule here uses port 80; an address serving common web ports may be
#   shared or reassigned, so weigh first_seen against local IOC ageing before acting on a hit.
# NOTE(review): if clients resolve through an internal resolver, the source on a dns alert may
#   be that resolver rather than the querying host; confirm against sensor placement.
alert tcp $HOME_NET any -> [41.38.104.163] 8081 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631029; rev:1;)
alert tcp $HOME_NET any -> [196.74.207.31] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631027; rev:1;)
alert tcp $HOME_NET any -> [154.19.37.38] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631028; rev:1;)
alert tcp $HOME_NET any -> [79.241.96.82] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631026; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.245] 11371 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631025; rev:1;)
alert tcp $HOME_NET any -> [181.162.147.189] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631024; rev:1;)
alert tcp $HOME_NET any -> [93.113.98.22] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631023; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.2] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1631022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_02; classtype:trojan-activity; sid:91631022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6z3.mjg1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9.7n28r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s4k1.5x7u.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l5tj.e-dx.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.7n28r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9he.e-dx.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g2t9w.5x7u.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.b8c90.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3.b8c90.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0pw.e-dx.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5r3.5x7u.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e.b8c90.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0p6.5x7u.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9.4kl-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.4kl-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b6ru.e-dx.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1m8q.5x7u.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1631005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91631005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.4kl-9.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e1xb.e-dx.online"; depth:16;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630994; rev:1;)
# Reviewer notes: rules below are restored to one per line; rule text is unchanged.
# Every rule in this stretch is a domain rule on the DNS query name (dns_query buffer).
# depth equals the length of the content string and isdataat:!1,relative requires that no
#   byte follows the match, so only a query for exactly the listed name alerts; nocase makes
#   the comparison case-insensitive. Sibling names under the same parent need their own rule,
#   which is why several hosts of one parent domain are listed separately.
# target:src_ip marks the $HOME_NET side as the target in the alert record. Each sid is the
#   digit 9 followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET, so if clients resolve through an
#   internal resolver the alert source may be that resolver rather than the querying host;
#   confirm against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8.13-yz.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.13-yz.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.13-yz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7p0d.u-v9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7.259ox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.259ox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.259ox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j4da.18yk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8t1.u-v9.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.kuq5g.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2.kuq5g.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2qm.18yk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r2q.u-v9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.kuq5g.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.u-na5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z6c4p.1r55.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w8nz.18yk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9.u-na5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.u-na5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0p3.18yk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sp.t1va.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l0t8.1r55.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9x7.crju.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9n.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f5e.qo1s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x3b5n.1r55.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"2i.da6v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630967; rev:1;)
# Reviewer notes: rules below are restored to one per line; rule text is unchanged.
# Two rule shapes appear in this stretch.
# domain rules (alert dns ... dns_query) set depth to the length of the content string and
#   add isdataat:!1,relative, so only a query for exactly that name matches (nocase makes
#   the comparison case-insensitive).
# ip:port rules (alert tcp $HOME_NET any -> [IP] PORT) carry no content or flow keyword, so
#   nothing in the rule requires an established session or any payload; an alert shows
#   contact with the listed endpoint, not that the family named in msg was identified.
#   The threshold keyword caps output at one alert per source address per 60 seconds per rule.
# target:src_ip marks the $HOME_NET side as the target in the alert record. Each sid is the
#   digit 9 followed by the ThreatFox IOC id from the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k5h2.crju.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vkf.yq2r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630965; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.201] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e7v1.1r55.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3z6.bo8y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3yl.crju.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mnp.mi9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xue.re7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2q9m.1r55.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v8jd.crju.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qa.wi7o.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gh.gi0x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7p2g.yldv.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jyn.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630953; rev:1;)
# The next two rules carry confidence_level 75 (in msg and metadata) instead of 100, yet use
# the same classtype as the rest. NOTE(review): the second one targets port 443, where the
# address may be shared or reassigned; consider triaging these below the 100% entries.
alert tcp $HOME_NET any -> [45.87.247.55] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630952/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630952; rev:1;)
alert tcp $HOME_NET any -> [202.129.236.216] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630951/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hd.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4l.ve5l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n9k3.3-5y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0k4.yldv.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qqc.lo2p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ei.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y4tn.3-5y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3tzn.yldv.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7jp.fi0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630942; rev:1;)
# msg changes here from "payload delivery" to "botnet C2 traffic" for names under gl.at.ply.gg.
# Each rule still matches one exact hostname only, not the parent domain.
# NOTE(review): ply.gg looks like the hostname space of a public tunnelling service; if so,
# the hostname identifies one tunnel, and other names under the same parent are unrelated. Confirm.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"core-allowing.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)";
dns_query; content:"hope-atlas.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"designed-outsourcing.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lou.pe8d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1v8.3-5y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7v7.ha5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s8j1.yldv.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1630935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8n.n6ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hnz.x3le.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2c7.5-rt.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6d.m2jo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x5pw.5-rt.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630930; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6mqa.yldv.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fr.t1va.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mbc.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1.qo1s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjd.da6v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"p1wy.71o9.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tz.yq2r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2t4.33b2.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8h.bo8y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9h2x.71o9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.mi9q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630919/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b5mx.33b2.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1p2.re7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ayx.wi7o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4zt.71o9.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4q.gi0x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630914; rev:1;) alert tcp $HOME_NET any -> 
[178.16.53.211] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630913; rev:1;)
# ip:port indicator rules (the rule above and the ones below).
# Each matches on addresses and ports only: $HOME_NET, any source port, to one
# listed destination address and port. There are no flow, content or app-layer
# keywords, so payload is never inspected.
# NOTE(review): with no flow keyword, an unanswered connection attempt appears
# to alert the same way as an established session - corroborate a hit with
# flow records or endpoint telemetry before treating it as confirmed C2.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds; it does not narrow what matches.
# target:src_ip marks the $HOME_NET side as the affected host in the alert.
# Address-only matches on common service ports (80 and 443 occur in this group)
# cannot tell co-hosted services apart, and IP indicators age quickly; the
# first_seen value in metadata gives the age of each entry.
alert tcp $HOME_NET any -> [196.251.84.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630912; rev:1;)
alert tcp $HOME_NET any -> [191.13.60.202] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630910; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630911; rev:1;)
alert tcp $HOME_NET any -> [118.195.163.146] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630909; rev:1;)
alert tcp $HOME_NET any -> [68.210.136.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630908/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630908; rev:1;) alert tcp $HOME_NET any -> [185.208.156.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hzr.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w3d.33b2.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2v5m.71o9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bs.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"dr5.ve5l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7q3.71o9.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sxw.lo2p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h6p4t.1z57.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u9ped.op76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gz.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1630897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7g.fi0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"167.160.191.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630653; rev:1;) alert tcp $HOME_NET any -> [167.160.191.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630654; rev:1;) alert tcp $HOME_NET any -> [43.203.120.27] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630667; rev:1;) alert tcp $HOME_NET any -> [185.196.9.231] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630668/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thankyou.insources.edu.au"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630669; rev:1;) alert tcp $HOME_NET any -> [52.220.198.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630670; rev:1;) alert tcp $HOME_NET any -> [120.124.14.171] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630672; rev:1;) alert tcp $HOME_NET any -> [218.212.134.148] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630671; rev:1;) alert tcp $HOME_NET any -> [106.107.146.9] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630673; rev:1;) alert tcp $HOME_NET any -> [175.156.150.64] 8443 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630674; rev:1;) alert tcp $HOME_NET any -> [195.24.236.8] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630675; rev:1;) alert tcp $HOME_NET any -> [37.49.148.60] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630680/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_01; classtype:trojan-activity; sid:91630680; rev:1;) alert tcp $HOME_NET any -> [203.154.83.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyesurgeryguide.icu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6r8.pe8d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630895/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j0xk.op76.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq3.1z57.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lc.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"976.n6ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x64.x3le.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8m2t.op76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0x8.1z57.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ck3.m2jo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz.t1va.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0bl.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fc.qo1s.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630884; rev:1;)
# URL indicator rules (confidence_level 50). How each one matches:
#   http.uri   content is anchored at the start of the URI (depth equals the
#              content length) but has no end check, so a longer URI that
#              begins with this path (for example with a query string) matches too.
#   http.host  depth plus isdataat:!1,relative: the whole Host value must equal
#              the indicator.
# "alert http" only sees requests Suricata can parse as HTTP; the same URL
# fetched over TLS is invisible to these rules unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/excel/now/windows/invite.php"; depth:29; nocase; http.host; content:"revisedcontract.us.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630882; rev:1;)
# NOTE(review): the host below is a single label under dl.dropboxusercontent.com,
# i.e. shared file-hosting infrastructure. The rule pins that exact host label
# plus the path prefix, so it covers this one download link only; triage a hit
# as one file fetch, not as a verdict on the parent domain.
# The URI content is written in lower case and relies on nocase to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd/0/get/c0x3hnbxahkuyaoigihwdw3br5r6zl3fhtyjwumcnugw11q52vae-0hxsvef9tgzn35r0nsi5vyjukwjthg2ud9jayhatvx1iya718qjgp7-tmxm15r_qg5cdtsifh7qehpptqyp7hiblrjizbiiyocl/file"; depth:167; nocase; http.host; content:"uc93a70a7b58d6bd35bb8007e3b9.dl.dropboxusercontent.com"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630883/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y5rb.op76.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"voluntarydasd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630880/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"954.da6v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgyy.wav"; depth:9; nocase; http.host; content:"spaasturias.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"circleebuildings.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lr.yq2r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7b2.1z57.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630875/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630875; rev:1;)
# Domain indicator rules: depth equals the content length and
# isdataat:!1,relative requires that nothing follows the match, so the queried
# name must equal the indicator (nocase makes the comparison case-insensitive).
# Sub-names of an indicator and sibling names under the same parent do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ch.bo8y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630874; rev:1;)
# The next three rules all key on the name 18.mi9q.ru.
# sid 91630872 and sid 91630870 have identical match conditions (dns_query, same
# content, depth and end check) and differ only in msg, confidence_level
# (50 vs 100), reference and sid, so one query for that name raises both alerts.
# Group by queried name when counting or triaging so the pair is not read as
# two independent detections.
# sid 91630871 is the HTTP counterpart and additionally requires the request
# URI to begin with /95eo4746.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"18.mi9q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/95eo4746"; depth:9; nocase; http.host; content:"18.mi9q.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"18.mi9q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2hzn.op76.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; 
classtype:trojan-activity; sid:91630869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vvx.re7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2c.wi7o.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630867; rev:1;) alert tcp $HOME_NET any -> [185.52.55.227] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630864; rev:1;) alert tcp $HOME_NET any -> [80.64.19.173] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630865; rev:1;) alert tcp $HOME_NET any -> [91.92.240.17] 9333 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"brille.kozow.com"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630857/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630857; rev:1;)
# C2 domain indicators at confidence_level 50. Several sit under duckdns.org,
# a dynamic-DNS zone in which each label belongs to a different registrant
# (NOTE(review): ydns.eu looks like the same kind of service - confirm).
# Every rule matches one complete host name only: depth equals the content
# length and isdataat:!1,relative forbids trailing bytes, so other names in
# the same zone are unaffected by these rules.
# Dynamic-DNS names can be re-pointed or released at any time; weigh the
# first_seen date and the 50% confidence when triaging a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"camerun738.ydns.eu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630858/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"inglostad.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630859/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"olympiacos345.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630860/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sufficientblessings132.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630861/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"winner999.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630862/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"winner999.gleeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630863/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lolzzmortex.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630855/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"viba.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630856/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630856; rev:1;) alert tcp $HOME_NET any -> [37.49.148.102] 1443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630854/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"janarch.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630853/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630853; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zheng11.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630852/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630852; rev:1;)
# NOTE(review): in the rule above and the ones below, the URI test is
# content:"/" with depth:1 and no end-of-buffer check. Any request URI that
# starts with "/" satisfies it, so the only selective condition is the exact
# http.host match (depth plus isdataat:!1,relative). Each rule therefore fires
# on every cleartext GET to the named host, not only on a request for "/".
# Read hits as host-level indicators at confidence_level 50; nocase on "/" has
# no effect on the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server1.filesdumpplace.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630850/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"2d847db8-2aaf-4f1d-a00c-6e52213c062d.server4.ninhaine.com"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630851/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630851; rev:1;)
# The host in the next rule is an IP literal, so the match depends on the
# request's host value being exactly that address.
# NOTE(review): confirm how your Suricata version normalizes a Host header that
# carries an explicit ":port" suffix before relying on this rule for non-default ports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"107.20.200.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630849/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"nyc.batchsize.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630848/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a11.money188.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630847/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ai.chinesepd.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630846/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630846; rev:1;) alert tcp $HOME_NET any -> [49.235.43.89] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630845/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630845; rev:1;) alert tcp $HOME_NET any -> [181.174.164.116] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630844/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ia.gi0x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630843; rev:1;)
# The line above completes a dns_query rule: depth:10 equals the length of
# "ia.gi0x.ru" and isdataat:!1,relative forbids trailing bytes, so the rule
# matches a query for exactly that name (case-insensitively), not subdomains.
# target:src_ip marks the querying $HOME_NET address as the target. If clients
# resolve through an internal resolver, that address may be the resolver
# rather than the endpoint - verify against resolver logs.
#
# ip:port rules: header-only match (TCP from $HOME_NET to one address and
# port) with no payload or flow keywords, so any TCP packet toward the endpoint
# qualifies, including an unanswered connection attempt. The family in msg is
# the feed's label; the rule does not inspect traffic to confirm it.
# threshold: type limit, track by_src, seconds 60, count 1 limits each rule to
# one alert per source address per 60 seconds.
# NOTE(review): several entries below use ports 80, 443 and 8080 at confidence
# level 50; such addresses may be shared or reassigned hosting, so expect
# false positives and corroborate before containment.
alert tcp $HOME_NET any -> [151.59.118.175] 8080 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630842/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630842; rev:1;)
# "Unknown malware" in msg means the feed entry carries no family attribution.
alert tcp $HOME_NET any -> [180.76.118.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630841/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630841; rev:1;)
alert tcp $HOME_NET any -> [103.149.93.66] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630840/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630840; rev:1;)
alert tcp $HOME_NET any -> [41.99.101.50] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630839/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630839; rev:1;)
alert tcp $HOME_NET any -> [102.117.171.138] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630838/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; 
sid:91630838; rev:1;) alert tcp $HOME_NET any -> [85.117.239.116] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630835/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630835; rev:1;) alert tcp $HOME_NET any -> [79.100.80.211] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630836; rev:1;) alert tcp $HOME_NET any -> [105.102.137.34] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630833/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630833; rev:1;) alert tcp $HOME_NET any -> [136.243.131.240] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630834/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630834; rev:1;) alert tcp $HOME_NET any -> [157.20.182.9] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630831/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630831; rev:1;) alert tcp $HOME_NET any -> [157.20.182.18] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1630832/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630832; rev:1;) alert tcp $HOME_NET any -> [14.194.135.197] 161 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630829/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630829; rev:1;) alert tcp $HOME_NET any -> [206.189.144.176] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630830/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630830; rev:1;) alert tcp $HOME_NET any -> [59.94.65.220] 51003 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630826/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630826; rev:1;) alert tcp $HOME_NET any -> [117.235.109.148] 33060 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630827/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630827; rev:1;) alert tcp $HOME_NET any -> [59.98.237.157] 55470 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630828/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630828; rev:1;) alert tcp $HOME_NET any -> [115.48.148.146] 33060 (msg:"ThreatFox Mozi botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630825/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630825; rev:1;) alert tcp $HOME_NET any -> [18.61.27.152] 11300 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630821/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630821; rev:1;) alert tcp $HOME_NET any -> [13.232.245.240] 8879 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630822/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630822; rev:1;) alert tcp $HOME_NET any -> [54.180.136.176] 25001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630823/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630823; rev:1;) alert tcp $HOME_NET any -> [40.192.119.123] 55554 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630824/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630824; rev:1;) alert tcp $HOME_NET any -> [65.2.144.73] 1023 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630816/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_11_01; classtype:trojan-activity; sid:91630816; rev:1;) alert tcp $HOME_NET any -> [13.232.37.108] 55554 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630817/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630817; rev:1;) alert tcp $HOME_NET any -> [16.28.47.151] 1099 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630818/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630818; rev:1;) alert tcp $HOME_NET any -> [121.141.178.175] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630819/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630819; rev:1;) alert tcp $HOME_NET any -> [51.48.49.239] 9999 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630820/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630820; rev:1;) alert tcp $HOME_NET any -> [91.228.113.199] 9025 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630812/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630812; rev:1;) alert tcp $HOME_NET any -> [88.31.60.40] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630813/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630813; rev:1;)
# ip:port rules: header-only match on destination address and port, limited to
# one alert per source per 60 seconds per rule; confidence level is 50.
alert tcp $HOME_NET any -> [54.238.197.82] 9189 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630814/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630814; rev:1;)
alert tcp $HOME_NET any -> [83.48.178.79] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630815/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630815; rev:1;)
# The Quasar RAT entries that start here list a single destination,
# 102.205.170.10, on many different ports, with one rule and one sid per
# ThreatFox IOC so that each alert maps to its own reference URL.
# The threshold is applied per rule, so a host that touches several of these
# ports raises one alert per port per 60 seconds; group alerts by destination
# address when triaging instead of treating each sid as a separate event.
# NOTE(review): one address listed on this many ports may be an artefact of
# how the feed source enumerated the host - check the ThreatFox reference.
alert tcp $HOME_NET any -> [102.205.170.10] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630808/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630808; rev:1;)
alert tcp $HOME_NET any -> [102.205.170.10] 47990 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630809/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630809; rev:1;)
alert tcp $HOME_NET any -> [102.205.170.10] 10911 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630810/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_01; classtype:trojan-activity; sid:91630810; rev:1;) alert tcp $HOME_NET any -> [167.58.244.0] 9001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630811/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630811; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 7434 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630802/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630802; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 10909 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630803/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630803; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8085 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630804/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630804; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8181 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630805/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630805; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630806/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630806; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630807/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630807; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 10443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630796/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630796; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630797/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630797; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 9898 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630798/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630798; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630799/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630799; rev:1;) alert tcp $HOME_NET any -> 
[102.205.170.10] 4443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630800/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630800; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 6443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630801/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630801; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 8139 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630794/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630794; rev:1;) alert tcp $HOME_NET any -> [102.205.170.10] 9095 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630795/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630795; rev:1;) alert tcp $HOME_NET any -> [207.244.226.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630793/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630793; rev:1;) alert tcp $HOME_NET any -> [38.56.209.142] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630788/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630788; rev:1;) alert tcp $HOME_NET any -> [38.56.209.142] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630789/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630789; rev:1;) alert tcp $HOME_NET any -> [54.180.153.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630790/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630790; rev:1;) alert tcp $HOME_NET any -> [144.124.240.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630791/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630791; rev:1;) alert tcp $HOME_NET any -> [94.101.227.78] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630792/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630792; rev:1;) alert tcp $HOME_NET any -> [169.239.105.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630785/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630785; rev:1;) alert tcp $HOME_NET any -> [34.29.87.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630786/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630786; rev:1;) alert tcp $HOME_NET any -> [135.222.142.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630787/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630787; rev:1;) alert tcp $HOME_NET any -> [37.59.112.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630782/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630782; rev:1;) alert tcp $HOME_NET any -> [47.250.112.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630783/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630783; rev:1;) alert tcp $HOME_NET any -> [64.20.56.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630784/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630784; rev:1;) alert tcp $HOME_NET any -> [20.41.107.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630779/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_01; classtype:trojan-activity; sid:91630779; rev:1;)
# ip:port rules labelled "Unknown malware": the feed gives no family for these
# endpoints. The match is the destination address and port only, limited to one
# alert per source per 60 seconds per rule; confidence level is 50.
alert tcp $HOME_NET any -> [20.213.217.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630780/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630780; rev:1;)
alert tcp $HOME_NET any -> [217.154.68.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630781/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630781; rev:1;)
alert tcp $HOME_NET any -> [43.134.166.201] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630778/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630778; rev:1;)
# The Sliver entries that start here all use destination port 31337.
# NOTE(review): 31337 is, as far as I know, Sliver's default operator
# (multiplayer) listener port rather than an implant callback port, so these
# IOCs presumably identify exposed team servers - confirm against the
# ThreatFox reference. A $HOME_NET host connecting there is worth
# investigating either way, but the alert alone does not show an implant
# session: the rule matches on address and port only.
alert tcp $HOME_NET any -> [188.120.242.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630777/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630777; rev:1;)
alert tcp $HOME_NET any -> [160.202.247.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630771/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630771; rev:1;)
alert tcp $HOME_NET any -> [47.101.209.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630772/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630772; rev:1;) alert tcp $HOME_NET any -> [206.188.197.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630773/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630773; rev:1;) alert tcp $HOME_NET any -> [38.147.162.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630774/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630774; rev:1;) alert tcp $HOME_NET any -> [167.179.93.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630775/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630775; rev:1;) alert tcp $HOME_NET any -> [171.22.183.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630776/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630776; rev:1;) alert tcp $HOME_NET any -> [45.154.207.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630766/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630766; rev:1;) alert tcp $HOME_NET any -> [159.223.0.103] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630767/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630767; rev:1;) alert tcp $HOME_NET any -> [139.59.162.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630768/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630768; rev:1;) alert tcp $HOME_NET any -> [35.220.199.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630769/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630769; rev:1;) alert tcp $HOME_NET any -> [165.22.21.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630770/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630770; rev:1;) alert tcp $HOME_NET any -> [103.110.221.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630762/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630762; rev:1;) alert tcp $HOME_NET any -> [64.7.198.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630763/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_11_01; classtype:trojan-activity; sid:91630763; rev:1;) alert tcp $HOME_NET any -> [172.238.111.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630764/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630764; rev:1;) alert tcp $HOME_NET any -> [124.243.150.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630765/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630765; rev:1;) alert tcp $HOME_NET any -> [23.111.126.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630757/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630757; rev:1;) alert tcp $HOME_NET any -> [157.245.46.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630758/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630758; rev:1;) alert tcp $HOME_NET any -> [165.227.47.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630759/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630759; rev:1;) alert tcp $HOME_NET any -> [45.9.148.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1630760/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630760; rev:1;)
# ---------------------------------------------------------------------------
# Review notes (analyst comments only; rule text is unchanged, one rule per line).
#
# ip:port rules (`alert tcp $HOME_NET any -> [IP] PORT`): there is no flow: or
# content keyword, so the match is on the packet header alone. A hit means a
# $HOME_NET host sent TCP traffic to that IP:port; it does not by itself show
# an established session or any C2 protocol content.
# `threshold: type limit, track by_src, seconds 60, count 1` caps each rule at
# one alert per source address per 60 seconds.
# `target:src_ip` marks the $HOME_NET source address as the target in alert output.
# metadata carries first_seen but no expiry; corroborate confidence_level 50
# hits (ThreatFox entry, flow/TLS/proxy logs) before escalating.
# ---------------------------------------------------------------------------
# NOTE(review): the Sliver rules below are all pinned to port 31337, which to my
# knowledge is the default port of Sliver's operator (multiplayer) listener
# rather than an implant listener - confirm against the ThreatFox entries.
# If so, traffic from an infected host to the same IPs on other ports is not
# covered by these rules.
alert tcp $HOME_NET any -> [185.220.71.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630761/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630761; rev:1;)
alert tcp $HOME_NET any -> [45.150.108.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630753/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630753; rev:1;)
alert tcp $HOME_NET any -> [107.174.82.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630754/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630754; rev:1;)
alert tcp $HOME_NET any -> [91.132.162.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630755/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630755; rev:1;)
alert tcp $HOME_NET any -> [192.142.54.142] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630756/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630756; rev:1;)
alert tcp $HOME_NET any -> [196.251.83.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630749/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630749; rev:1;)
alert tcp $HOME_NET any -> [178.128.213.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630750/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630750; rev:1;)
alert tcp $HOME_NET any -> [193.201.185.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630751/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630751; rev:1;)
alert tcp $HOME_NET any -> [148.113.205.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630752/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630752; rev:1;)
alert tcp $HOME_NET any -> [121.127.232.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630743/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630743; rev:1;)
alert tcp $HOME_NET any -> [65.21.229.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630744/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630744; rev:1;)
alert tcp $HOME_NET any -> [64.226.121.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630745/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630745; rev:1;)
alert tcp $HOME_NET any -> [107.174.232.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630746/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630746; rev:1;)
alert tcp $HOME_NET any -> [202.112.51.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630747/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630747; rev:1;)
alert tcp $HOME_NET any -> [185.112.144.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630748/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630748; rev:1;)
alert tcp $HOME_NET any -> [135.125.244.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630738/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630738; rev:1;)
alert tcp $HOME_NET any -> [51.250.107.234] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630739/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630739; rev:1;)
alert tcp $HOME_NET any -> [88.218.0.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630740/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630740; rev:1;)
alert tcp $HOME_NET any -> [78.141.220.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630741/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630741; rev:1;)
alert tcp $HOME_NET any -> [51.161.35.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630742/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630742; rev:1;)
alert tcp $HOME_NET any -> [104.248.182.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630733/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630733; rev:1;)
alert tcp $HOME_NET any -> [107.174.232.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630734/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630734; rev:1;)
alert tcp $HOME_NET any -> [106.14.126.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630735/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630735; rev:1;)
alert tcp $HOME_NET any -> [93.127.222.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630736/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630736; rev:1;)
alert tcp $HOME_NET any -> [139.59.135.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630737/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630737; rev:1;)
alert tcp $HOME_NET any -> [172.245.82.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630728/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630728; rev:1;)
alert tcp $HOME_NET any -> [64.112.42.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630729/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630729; rev:1;)
alert tcp $HOME_NET any -> [208.69.78.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630730/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630730; rev:1;)
alert tcp $HOME_NET any -> [165.22.80.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630731/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630731; rev:1;)
alert tcp $HOME_NET any -> [46.224.28.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630732/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630732; rev:1;)
alert tcp $HOME_NET any -> [184.94.215.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630727/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630727; rev:1;)
alert tcp $HOME_NET any -> [108.61.207.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630725/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630725; rev:1;)
alert tcp $HOME_NET any -> [142.171.173.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630726/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630726; rev:1;)
# NOTE(review): four of the Cobalt Strike rules below use port 50050, which is
# commonly the team server (operator) port rather than a Beacon listener - the
# same coverage caveat applies; confirm against the ThreatFox entries.
# The rules on ports 80/443 match any TCP traffic to those addresses on common
# web ports; at confidence_level 50 expect false positives where an address is
# shared or has been reassigned since first_seen.
alert tcp $HOME_NET any -> [82.156.2.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630723/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630723; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.102] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630724/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630724; rev:1;)
alert tcp $HOME_NET any -> [49.235.177.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630721/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630721; rev:1;)
alert tcp $HOME_NET any -> [39.105.165.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630722/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630722; rev:1;)
alert tcp $HOME_NET any -> [18.168.199.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630716/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630716; rev:1;)
alert tcp $HOME_NET any -> [85.158.108.190] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630717/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630717; rev:1;)
alert tcp $HOME_NET any -> [124.223.47.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630718/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630718; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630719/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630719; rev:1;)
alert tcp $HOME_NET any -> [202.56.160.188] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630720/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630720; rev:1;)
alert tcp $HOME_NET any -> [172.167.21.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630712/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630712; rev:1;)
alert tcp $HOME_NET any -> [5.181.181.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630713/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630713; rev:1;)
alert tcp $HOME_NET any -> [39.97.48.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630714/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630714; rev:1;)
alert tcp $HOME_NET any -> [3.23.159.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630715/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630715; rev:1;)
alert tcp $HOME_NET any -> [15.228.3.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630710/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630710; rev:1;)
alert tcp $HOME_NET any -> [134.122.140.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630711/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630711; rev:1;)
alert tcp $HOME_NET any -> [106.38.201.207] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630707/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630707; rev:1;)
alert tcp $HOME_NET any -> [47.97.118.238] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630708/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630708; rev:1;)
alert tcp $HOME_NET any -> [165.154.125.212] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630709/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630709; rev:1;)
alert tcp $HOME_NET any -> [60.204.169.16] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630706/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630706; rev:1;)
alert tcp $HOME_NET any -> [8.136.50.233] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630705/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630705; rev:1;)
alert tcp $HOME_NET any -> [117.72.175.125] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630704/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630704; rev:1;)
alert tcp $HOME_NET any -> [59.110.7.32] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630703/; target:src_ip; metadata: confidence_level 50, first_seen 2025_11_01; classtype:trojan-activity; sid:91630703; rev:1;)
# Domain rules: `dns_query; content:"<name>"; depth:<len(name)>; isdataat:!1,relative; nocase`
# is a case-insensitive match on the whole query name (depth pins the match to
# offset 0, isdataat:!1,relative requires nothing after it). Subdomains of a
# listed name and sibling hosts under the same parent are NOT matched.
# Several names below are siblings under one parent (u-v-9.online, 77-6.online,
# mjg-1.online, 5-sy77.com, 64198.ru), so further siblings will need their own
# entries; hunting on the parent domain in DNS logs closes that gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"evo.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0wz.u-v-9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4i.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.ve5l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y1r5.u-v-9.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxxyuanko.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630697; rev:1;)
# NOTE(review): sid:91630696 anchors an IP literal at the start of http.uri
# (depth:14 equals the length of "158.94.209.172") and has no http.host match.
# An ordinary request URI starts with "/", so this rule looks unlikely to fire
# on plain GET requests to that host - verify with a test capture. If the IOC
# is host-only, cover it with a local http.host or IP rule; edits made to this
# feed file are presumably overwritten on the next update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.94.209.172"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1630696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630696; rev:1;)
alert tcp $HOME_NET any -> [69.169.97.118] 1912 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630695; rev:1;)
alert tcp $HOME_NET any -> [198.44.185.246] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630694; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.234] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"121637121.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630692; rev:1;)
alert tcp $HOME_NET any -> [196.251.116.206] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"field-accessing.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5vt.lo2p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bcq.je9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t7pqm.77-6.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qz8hd.mjg-1.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5d.fi0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3k9.77-6.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9a.mjg-1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nq.pe8d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2xm.mjg-1.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9bm.5-sy77.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"67.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7k3q.mjg-1.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j0e.n6ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i2.x3le.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3vnt.5-sy77.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rk8.64198.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0y.m2jo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.64198.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5e.t1va.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.64198.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pzk6.5-sy77.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o3n.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hbr.qo1s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0q9.64198.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aa.da6v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1rg3.5-sy77.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ay.yq2r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9x.bo8y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2x7.5-sy77.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9q.f42u6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"veu.mi9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630646; rev:1;)
# ---------------------------------------------------------------------------
# Review notes (analyst comments only; rule text is unchanged, one rule per line).
#
# Domain rules: `dns_query; content:"<name>"; depth:<len(name)>; isdataat:!1,relative; nocase`
# is a case-insensitive match on the whole query name. Subdomains of a listed
# name and sibling hosts under the same parent (e.g. the w-8z35.com entries
# below) are not matched, so new siblings need their own entries.
#
# ip:port rules: `alert tcp $HOME_NET any -> [IP] PORT` has no flow: or content
# keyword, so the match is on the packet header alone; a hit shows traffic sent
# to that IP:port, not an established session or C2 protocol content.
# `threshold: type limit, track by_src, seconds 60, count 1` caps each rule at
# one alert per source address per 60 seconds.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4qpn.5-sy77.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cx.re7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ioy.wi7o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fl.gi0x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9la.w-8z35.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4jf.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630640; rev:1;)
# NOTE(review): the two DeimosC2 rules are confidence_level 75 on port 443 and
# match any TCP traffic to that address and port. Check who operates each
# address before escalating: if it is a shared CDN or cloud front end, an
# ip:port hit alone is ambiguous and needs corroboration (SNI, proxy logs).
alert tcp $HOME_NET any -> [63.32.164.138] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630639/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630639; rev:1;)
alert tcp $HOME_NET any -> [43.163.26.62] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630638; rev:1;)
alert tcp $HOME_NET any -> [18.154.66.122] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630637/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.f42u6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5we2.w-8z35.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9u.ve5l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0yg.w-8z35.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2v.lo2p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7p2.i-m22.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"lh.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tbd9.w-8z35.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630628; rev:1;) alert tcp $HOME_NET any -> [212.227.28.64] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630627; rev:1;) alert tcp $HOME_NET any -> [44.207.5.94] 6002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630625; rev:1;) alert tcp $HOME_NET any -> [58.244.45.147] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630626; rev:1;) alert tcp $HOME_NET any -> [45.153.34.95] 8080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; 
classtype:trojan-activity; sid:91630624; rev:1;)
# Rules are listed one per line below; rule text is unchanged.
# ip:port rules match on destination address and port only (no flow or payload keyword);
# threshold type limit, track by_src yields at most one alert per source per 60 seconds.
# NOTE(review): sid:91630619 (port 80) and sid:91630616 (port 443) use ports shared with
# ordinary web traffic; confirm the address is not shared hosting before blocking on a hit.
alert tcp $HOME_NET any -> [180.93.42.18] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630623; rev:1;)
alert tcp $HOME_NET any -> [82.23.246.111] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630621; rev:1;)
alert tcp $HOME_NET any -> [156.247.40.119] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630622; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.234] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630619; rev:1;)
alert tcp $HOME_NET any -> [158.94.209.59] 8080 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630620; rev:1;)
alert tcp $HOME_NET any -> [109.199.98.37] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630618; rev:1;)
alert tcp $HOME_NET any -> [4.221.211.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630617; rev:1;)
alert tcp $HOME_NET any -> [190.102.41.216] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630615; rev:1;)
alert tcp $HOME_NET any -> [194.164.33.16] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630616; rev:1;)
alert tcp $HOME_NET any -> [186.169.48.188] 5060 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630614; rev:1;)
alert tcp $HOME_NET any -> [176.46.152.38] 43155 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630613; rev:1;)
alert tcp $HOME_NET any -> [82.157.184.143] 21848 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630612; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative forbids trailing
# bytes, so only the exact query name matches (case-insensitive); other hosts under the
# same parent domain are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3f.fi0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0x.i-m22.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f5.pe8d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z83n.w-8z35.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6c.sa3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630607; rev:1;)
# The next rule is labelled botnet C2 rather than payload delivery in its msg.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"register.toastmasters86.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m6.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1kpa.w-8z35.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zf.n6ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.x3le.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity;
sid:91630603; rev:1;)
# Rules are listed one per line below; rule text is unchanged.
# NOTE(review): the three KongTuke entries are confidence 75 and match any TCP packet to
# port 80 of the listed address (no flow or payload keyword); treat a hit as a lead and
# check what else the address serves before acting on it.
alert tcp $HOME_NET any -> [157.180.85.216] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630427; rev:1;)
alert tcp $HOME_NET any -> [168.119.155.85] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630429/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630429; rev:1;)
alert tcp $HOME_NET any -> [216.245.184.56] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630428; rev:1;)
# trycloudflare.com names are per-tunnel hostnames on a shared Cloudflare service. Each rule
# matches one exact name (depth = content length, isdataat:!1,relative), so other tunnels
# are not covered. NOTE(review): presumably short-lived; age these out using first_seen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accomplish-suppose-val-ensure.trycloudflare.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stress-substance-mall-corrections.trycloudflare.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rider-february-thorough-decades.trycloudflare.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"termination-str-north-cool.trycloudflare.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"castle-fifth-print-metallic.trycloudflare.com"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"librarian-alabama-iowa-vegetables.trycloudflare.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_11_01; classtype:trojan-activity; sid:91630436; rev:1;)
# NOTE(review): the eight url rules below anchor an IPv4 literal at offset 0 of http.uri
# (depth = content length) and set no http.host match. A request URI normally begins with
# "/", so confirm against real traffic that these can fire; sid:91630593 in this file
# pairs http.uri with http.host instead. Until confirmed, do not count them as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.145.187"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.150.186"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.185.49.77"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.150.101"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.185.49.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.180.223.155"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1630447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.145.188"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1630448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"190.2.143.54"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1630449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"techwebi.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630450; rev:1;)
# Confidence 80; header-only match on destination address and port, one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [157.250.202.224] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630584/; target:src_ip; metadata: confidence_level 80, first_seen 2025_11_01; classtype:trojan-activity; sid:91630584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jwr.m2jo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1vf4.lu2p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630601/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630601; rev:1;)
# Rules are listed one per line below; rule text is unchanged.
# Domain rules match one exact query name each (depth = content length, isdataat:!1,relative,
# nocase). Several names share a parent (lu2p.online, q7jt-0k.ru, w-8z35.com); hosts under
# those parents that are not listed here do not alert, so DNS logs for the parent domains
# are worth reviewing when one of these fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m2x.w-8z35.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bj.t1va.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9l.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1i7.qo1s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c6pz.lu2p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oql.da6v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v2.yq2r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630594; rev:1;)
# url rule: client GET on an established flow whose URI starts with "/api" (depth:4, nocase;
# nothing constrains what follows, so any longer path with that prefix also matches) and
# whose http.host is exactly genuslu.lat (depth:11 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"genuslu.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e9tk3.lu2p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630592; rev:1;)
# ip:port rule: header-only match (no flow or payload keyword); the threshold limits output
# to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [63.250.61.89] 4782 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630591; rev:1;)
# NOTE(review): presumably a hostname issued by a tunnelling or dynamic-host service under
# localto.net - verify; only this exact name is matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abmtwphx4.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5m.bo8y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nw.mi9q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f7q2.q7jt-0k.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wa.re7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8m2.lu2p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0r.q7jt-0k.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l8q.gi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9az.q7jt-0k.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5rl.lu2p.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sr7.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630579; rev:1;)
alert tcp $HOME_NET any
-> [185.24.55.37] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630578; rev:1;)
# Rules are listed one per line below; rule text is unchanged.
# ip:port rules are header-only: any TCP packet from $HOME_NET to the listed address and
# port alerts, limited to one alert per source per 60 seconds.
# NOTE(review): Havoc and Cobalt Strike are also used in authorised red-team work;
# correlate a hit with any scheduled engagement before escalating.
alert tcp $HOME_NET any -> [193.108.113.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630577; rev:1;)
alert tcp $HOME_NET any -> [47.76.144.218] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630576; rev:1;)
alert tcp $HOME_NET any -> [111.231.11.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630575; rev:1;)
# Domain rules match one exact query name each (depth = content length, isdataat:!1,relative,
# nocase). The list repeats a few parents (q7jt-0k.ru, mi9q.online, w7tx-3t.ru) with
# different host labels; labels not listed here do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wq1.q7jt-0k.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9hd3.mi9q.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6k.q7jt-0k.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ahh.ve5l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lj.lo2p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g2.q7jt-0k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f7zn0.mi9q.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4hp.je9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e15.fi0m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x4d2.w7tx-3t.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mt.pe8d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4j2.mi9q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2b7.w7tx-3t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9y.sa3x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s8lp.mi9q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"80.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tkm.w7tx-3t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vsm.n6ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630557/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ug8.x3le.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x3wr.mi9q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r09.w7tx-3t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"un.m2jo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1t.t1va.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ftb.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5x.w7tx-3t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"410.qo1s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ud.da6v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p2hk.fi0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qv.w7tx-3t.ru"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2n4.yq2r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4u.bo8y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4t5.fi0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4m1.i3-42s.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ocx.mi9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630541/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_11_01; classtype:trojan-activity; sid:91630541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a92.i3-42s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p4p.re7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qt.wi7o.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a2.gi0x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1n.i3-42s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"j9m3z.fi0m.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630535; rev:1;)
# Domain indicators: each rule alerts on a DNS query for exactly the listed name
# (content anchored by depth and closed by isdataat:!1,relative, case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xj.va4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7qx.fi0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq8.i3-42s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"29.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630531; rev:1;)
# IP:port indicators. These rules carry no content, flow or app-layer keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches. The threshold (type limit,
# track by_src, seconds 60, count 1) caps output at one alert per source per 60 seconds.
# The malware family in msg is the feed's label for the endpoint; nothing in the rule checks
# the traffic itself. Addresses get reassigned, so check the reference URL and first_seen
# before treating a hit as confirmed C2, particularly on widely used ports such as 443.
alert tcp $HOME_NET any -> [83.136.250.244] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630530; rev:1;)
alert tcp $HOME_NET any -> [158.69.199.68] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630529; rev:1;)
alert tcp $HOME_NET any -> [157.66.81.166] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630528; rev:1;)
alert tcp $HOME_NET any -> [111.229.187.190] 8444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_11_01; classtype:trojan-activity; sid:91630527; rev:1;)
# Domain indicators again; metadata first_seen changes to 2025_10_31 from here on.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kn5.ve5l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wx.lo2p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v6r2.fi0m.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mv3.i3-42s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pl.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1ys4.zo4n.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z4.fi0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5pi.pe8d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7.i3-42s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3v2.zo4n.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma4.sa3x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630516; rev:1;)
# IP:port indicators labelled "Unknown malware": the feed gives no family, so an alert says
# only that a host contacted a listed endpoint.
alert tcp $HOME_NET any -> [34.61.225.9] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630515; rev:1;)
alert tcp $HOME_NET any -> [194.32.149.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630514; rev:1;)
alert tcp $HOME_NET any -> [58.182.120.103] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630512; rev:1;)
alert tcp $HOME_NET any -> [76.90.148.119] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630513; rev:1;)
alert tcp $HOME_NET any -> [49.245.47.207] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630510; rev:1;)
alert tcp $HOME_NET any -> [37.204.144.79] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630511; rev:1;)
alert tcp $HOME_NET any -> [36.224.193.88] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630507; rev:1;)
alert tcp $HOME_NET any -> [61.239.128.132] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630508; rev:1;)
# IP:port indicators: these match on destination address and port alone, with no payload or
# flow check, and are rate-limited to one alert per source per 60 seconds.
# A hit means "host talked to a listed endpoint"; corroborate it with host or proxy evidence.
alert tcp $HOME_NET any -> [14.136.51.219] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630509; rev:1;)
alert tcp $HOME_NET any -> [93.127.135.193] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630506; rev:1;)
# The next rule uses the exact-name DNS template like the rules after it, but the feed
# labels this indicator botnet C2 rather than payload delivery.
# NOTE(review): the name resembles Microsoft 365 / OneDrive branding; presumably a lookalike.
# Confirm on the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.m365.1drive.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630505; rev:1;)
# Domain indicators labelled payload delivery. depth equals the content length and
# isdataat:!1,relative forbids trailing data, so only a query for exactly the listed name
# alerts; other hosts under the same parent domain need their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vzh.ha5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r3j5.bo8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nj.n6ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9fw.zo4n.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ab.x3le.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g3.m2jo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1kz8.bo8y.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qvc.t1va.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2v4.bo8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1a1.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9b5m.da6v.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yw.qo1s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d9y7w.bo8y.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"382.da6v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2x7.da6v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qg8.yq2r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cs.bo8y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2x9.mi9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630487; 
rev:1;)
# Mixed stretch of the feed: exact-name DNS query rules (alert dns) interleaved with
# destination IP:port rules (alert tcp). Every rule sets target:src_ip, which marks the
# internal source address as the target in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6b3q.bo8y.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"70.re7x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630484; rev:1;)
# The next rule is the only one in this stretch below full confidence: confidence_level 90,
# given in both msg and metadata. The rule itself behaves like the 100% ones, so any
# down-weighting has to happen downstream, keyed on the metadata field.
alert tcp $HOME_NET any -> [185.252.144.141] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630483/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_31; classtype:trojan-activity; sid:91630483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nd.wi7o.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3j9h.da6v.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ylu.gi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630480; rev:1;)
# IP:port rules from here on name a family (Remcos, AsyncRAT, ...) in msg only; the match is
# destination address and port, throttled to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [181.134.216.5] 7015 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2.va4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9f.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630477; rev:1;)
alert tcp $HOME_NET any -> [185.208.156.169] 7706 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1k4p.ve5l.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kk.ve5l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"46.lo2p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630473; rev:1;)
alert tcp $HOME_NET any -> [91.219.151.74] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630472; rev:1;)
# The next two rules match port 443 with no TLS or content condition, so any TCP connection
# to those addresses alerts. Review alongside TLS/SNI or proxy logs before escalating.
alert tcp $HOME_NET any -> [102.96.148.47] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630471; rev:1;)
alert tcp $HOME_NET any -> [52.77.62.221] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630470; rev:1;)
alert tcp $HOME_NET any -> [139.59.41.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630468; rev:1;)
alert tcp $HOME_NET any -> [195.24.67.11] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630469; rev:1;)
alert tcp $HOME_NET any -> [129.212.186.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630467; rev:1;)
alert tcp $HOME_NET any -> [149.28.108.40] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vu.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3y8n.ve5l.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; 
classtype:trojan-activity; sid:91630464; rev:1;) alert tcp $HOME_NET any -> [157.20.182.47] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630463/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o9.fi0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630462; rev:1;) alert tcp $HOME_NET any -> [157.20.182.47] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ds.pe8d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0r9.yq2r.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"y5n4.da6v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ri.sa3x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1z3k.x3le.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wl.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a4g2t.yq2r.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ah.n6ri.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630453/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4xc.x3le.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4tqm.x3le.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630451; rev:1;) alert tcp $HOME_NET any -> [16.64.62.229] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630441/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630441; rev:1;) alert tcp $HOME_NET any -> [129.212.186.153] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630440; rev:1;) alert tcp $HOME_NET any -> [121.127.34.125] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"x9nh3.yq2r.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iid.t1va.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z6c8q.yq2r.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9f.zo8k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630426; rev:1;) alert tcp $HOME_NET any -> [198.46.142.210] 7705 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dydnspriv.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1630424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630424; rev:1;)
# Exact-name DNS indicator: depth:16 equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so only a query for this one name alerts, not other hosts in the zone.
# ddns.net is a dynamic-DNS zone: the address behind the name can be repointed at any time, so
# pivot on the queried name in DNS logs rather than on whatever IP it resolved to.
# The header is $HOME_NET -> $EXTERNAL_NET: if clients resolve through an internal recursive
# resolver, target:src_ip will name the resolver; correlate with resolver query logs to find the host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"systeam.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630423; rev:1;)
# ip:port indicator with no flow or content option: any TCP packet from HOME_NET to this address
# on port 8658 matches. The threshold limits output to one alert per source per 60 seconds.
# The only evidence is address and port as of first_seen; re-check the ThreatFox entry before
# treating an old hit as current, since the address may have changed hands.
alert tcp $HOME_NET any -> [169.224.33.101] 8658 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630422; rev:1;)
# Exact-name DNS indicators in the duckdns.org dynamic-DNS zone (depth equals pattern length,
# end-anchored). Only these two names alert; other duckdns.org hosts are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dosscloud.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loganwolverin2028.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e8f5p.x3le.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; 
classtype:trojan-activity; sid:91630419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7y.qo1s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k1p4v.yq2r.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mmw.da6v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2j7.x3le.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8jkc.qo1s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"238.yq2r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630413; rev:1;)
# URL indicator: a client GET on an established flow whose URI begins with the 53-byte token and
# whose Host is exactly register.toastmasters86.org (depth:27 plus isdataat:!1,relative).
# The URI match is a prefix match only (no end anchor after http.uri), so a trailing query string
# still alerts. The token is published in lowercase and matched with nocase; it ends in "==" and
# looks like base64, so the original letter case is presumably not preserved here - confirm against
# the ThreatFox entry before reusing the string in a case-sensitive search.
# This is an http rule: it sees only HTTP the sensor can parse, not the same URL fetched over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xgdk7bk3iowvycdpeqrfhcfvecfd1czgxvbb1ol3tsdd7bkqkw=="; depth:53; nocase; http.host; content:"register.toastmasters86.org"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630412; rev:1;)
# Exact-name DNS indicator (depth:19 equals the pattern length, end-anchored): other labels under
# the same parent domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitty.onthewifi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630411; rev:1;)
# ip:port indicator at confidence_level 75 with no flow or content option: any TCP packet from
# HOME_NET to this address on port 5555 matches, capped at one alert per source per 60 seconds.
# Corroborate with host or flow evidence before acting on this signature alone.
alert tcp $HOME_NET any -> [69.5.189.168] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630410/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630410; rev:1;)
# Exact-name DNS indicator. The $HOME_NET -> $EXTERNAL_NET header means that, behind an internal
# recursive resolver, target:src_ip identifies the resolver rather than the querying host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2.bo8y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"d2m4.qo1s.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630408; rev:1;)
# Exact-name DNS indicator (depth:11 equals the pattern length, end-anchored).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5ai.mi9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630407; rev:1;)
# URL indicator keyed on a literal IPv4 address in http.host, not on the destination address:
# the rule header is still $EXTERNAL_NET any. A fetch by bare IP involves no DNS lookup, so no
# dns rule can accompany this one; the same server reached through a hostname would not match.
# http.uri is prefix-matched only ("/xmr.exe" at depth:8, no end anchor), so longer paths or a
# query string after it also alert.
# NOTE(review): confirm how your Suricata version fills http.host when the Host header carries a
# port, since the host match here is end-anchored.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr.exe"; depth:8; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630383; rev:1;)
# Exact-name DNS indicator (depth:11 equals the pattern length, end-anchored).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6i4.re7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630406; rev:1;)
# confidence_level 75 on a name in the ddns.net dynamic-DNS zone: the record can be repointed at
# any time, so a hit shows the lookup happened, not which server answered. Check the resolved
# address and follow-on connections before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mahmoud9pos.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630405/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fk6.wi7o.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9kq.x3le.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7fzp.qo1s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630402; rev:1;) alert tcp $HOME_NET any -> [46.43.90.174] 27005 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bb7.gi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e3ytn.qo1s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630399/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_31; classtype:trojan-activity; sid:91630399; rev:1;)
# Exact-name DNS indicators for the two hosts that the http rules below also cover. A single
# cleartext contact with either host can therefore raise two alerts (the lookup, then the GET);
# deduplicate on the host name during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr.aidexcel.co.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630398; rev:1;)
# URL indicators whose path is just "/": http.uri is matched as content:"/" at depth:1 with no end
# anchor, so every URI that starts with "/" qualifies. In effect, any cleartext GET to the exact
# host alerts, whatever the path. Other methods (e.g. POST) and TLS sessions are not covered by
# these rules; the dns rules above are the only visible coverage for those cases.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tr.aidexcel.co.uk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tr.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qzz.va4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630394/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630394; rev:1;) alert tcp $HOME_NET any -> [88.214.27.75] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630393; rev:1;) alert tcp $HOME_NET any -> [85.215.57.133] 8080 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630391; rev:1;) alert tcp $HOME_NET any -> [104.234.174.28] 22222 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l4k9w.qo1s.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630390; rev:1;) alert tcp $HOME_NET any -> [196.251.87.18] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630389; rev:1;) alert tcp $HOME_NET any -> [103.232.243.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630388; rev:1;) alert tcp $HOME_NET any -> [87.248.157.30] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630387; rev:1;) alert tcp $HOME_NET any -> [45.86.162.95] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630386; rev:1;) alert tcp $HOME_NET any -> [216.250.252.227] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630385; rev:1;) alert tcp $HOME_NET any -> [196.251.116.206] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1h.zo4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; 
classtype:trojan-activity; sid:91630382; rev:1;) alert tcp $HOME_NET any -> [62.60.159.159] 5022 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pf.ve5l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c3ytx.ha5r.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v6t3x.pe8d.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vq.lo2p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"vf.je9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u9.fi0m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j9r2.pe8d.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"62.pe8d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0m4.ha5r.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630372; rev:1;) alert tcp $HOME_NET any -> [5.181.156.244] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630371/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630371; rev:1;)
# Payload-delivery URL indicators. Each rule requires a client GET on an established flow, a URI
# that begins with the listed path (depth equals the path length, no end anchor, nocase) and an
# http.host equal to the listed name (end-anchored with isdataat:!1,relative).
# The rules are scoped to one path per host; no dns rule for southerngun.com or zerocostclub.com
# is visible in this part of the file, so other content on those hosts does not alert here.
# NOTE(review): delivery URLs are often placed on otherwise legitimate sites - check the ThreatFox
# entry before extending a block from the path to the whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ubrogap.zip"; depth:12; nocase; http.host; content:"southerngun.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strbte.php"; depth:11; nocase; http.host; content:"zerocostclub.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630369; rev:1;)
# Two paths on the same host (holonimjs.com). The host match is exact, so a "www." or other
# subdomain variant of the name would not match these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"holonimjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"holonimjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"holonimjs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"holonimjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"df.sa3x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vv.ha5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.ashx"; depth:11; nocase; http.host; content:"kids.redroomclub.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630362; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8ql.n6ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630361; rev:1;)
# Each domain rule below is an exact-name match: depth equals the content length
# and isdataat:!1,relative forbids trailing bytes, so only the listed name
# (any letter case) alerts. Several names share a parent domain, but each host
# label is listed separately; a new label under the same parent is not covered.
# dns_query is the legacy spelling of the dns.query sticky buffer.
# NOTE(review): confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a0gqv.pe8d.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eg.x3le.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9s.m2jo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s3nzk.pe8d.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.71290.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630356; rev:1;)
# ip:port indicator: no flow or content keyword, so any TCP packet from
# $HOME_NET to this address and port matches; the threshold caps output at one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [138.124.113.66] 5003 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.71290.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630354; rev:1;)
# NOTE(review): confidence_level 50, and the name sits under gl.at.ply.gg, which
# looks like a shared tunnelling service - presumably the hostname can later be
# handed to another user; verify before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"are-fifteen.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1.8oryn.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b5yhr.pe8d.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5v3.t1va.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.8oryn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8.9-ck6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.9-ck6.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz.25qx7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence
level: 100%)"; dns_query; content:"b.25qx7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630345; rev:1;)
# URL indicators. In each rule http.host is matched in full (depth plus
# isdataat:!1,relative) while http.uri has only depth, i.e. a prefix match.
# NOTE(review): "alert http" only fires on HTTP the sensor can parse; requests
# made over TLS to these hosts would not reach these rules - confirm coverage.
#
# NOTE(review): confidence_level 50. The http.uri content reads like an article
# slug on analyticscampus.com; check the referenced ThreatFox entry before
# treating a hit as payload delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/self-propagating-worm-present-in-marketplaces-for-visible-studio-code-extensions/"; depth:82; nocase; http.host; content:"analyticscampus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqbgz81s"; depth:9; nocase; http.host; content:"g.9715w.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630342; rev:1;)
# NOTE(review): http.uri content "/" with depth:1 and no end anchor matches
# every GET path on the host, so this rule (and the other "/" rules in this
# group: sids 91630337, 91630335, 91630333, 91630332) is effectively a
# host-only match at confidence_level 50. Expect an alert for any parsed GET
# to the host and triage accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"optimatrade.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630343; rev:1;)
# http.host content is an IP literal here, so only requests whose host is given
# as that address match; the same server reached by a name is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloudflare"; depth:11; nocase; http.host; content:"206.71.149.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630344; rev:1;)
# Domain indicators are exact-name matches (depth equals the content length and
# isdataat:!1,relative forbids trailing bytes); nocase ignores letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5.9715w.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9f4.wi7o.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"auth.factionwarfare.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"guiasexo.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.242.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"guiasexo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"relay.smallurls.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4r6h.js"; depth:8; nocase; http.host; content:"guiasexo.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"smallurls.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4mzt.t1va.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630331; rev:1;)
# Domain indicators in this group are exact-name matches: depth equals the
# content length and isdataat:!1,relative forbids trailing bytes, so only a
# query for the listed name (any letter case) alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.9715w.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630330; rev:1;)
# ip:port indicator at confidence_level 75. No flow or content keyword is set,
# so any TCP packet from $HOME_NET to this address and port matches; the
# threshold caps output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.49.92.35] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.017fk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"do92r.t1va.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2t8k.wi7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7.017fk.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7fx.t1va.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.dl3zd.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7lrd.wi7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.dl3zd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4x3m.wi7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h.t-nin.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630319; rev:1;)
# NOTE(review): the name sits under gl.at.ply.gg, which looks like a shared
# tunnelling service; the rule matches this one hostname only, and presumably
# the hostname can later be handed to another user - verify before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"note-road.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630318; rev:1;)
# ip:port indicators: destination address and port are the only match criteria,
# so an alert says a host sent TCP to that endpoint, not that the named malware
# family's protocol was seen on the wire.
alert tcp $HOME_NET any -> [206.245.159.119] 8080 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630317; rev:1;)
alert tcp $HOME_NET any -> [4.210.219.156] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630316; rev:1;)
alert tcp $HOME_NET any -> [135.181.182.96] 2004 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level:
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630315; rev:1;)
# ip:port indicators: no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches; the threshold caps output
# at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [157.254.164.43] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630314; rev:1;)
alert tcp $HOME_NET any -> [38.60.220.150] 80 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630313; rev:1;)
# C2 hostnames under shared services (duckdns.org dynamic DNS; gl.at.ply.gg,
# which looks like a tunnelling service). Each rule matches one exact hostname,
# never the parent service.
# NOTE(review): such hostnames can presumably be released and claimed by another
# user; the metadata carries first_seen only, so retire them via feed updates.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disnotavalidmeantocommunicatemkidlydothe.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basic-fan.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lower-mem.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630310; rev:1;)
# Payload-delivery domains: exact-name matches (depth equals the content length,
# isdataat:!1,relative forbids trailing bytes, nocase ignores letter case).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.t-nin.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3yhu.t1va.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0bn9.wi7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.91-7l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.91-7l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9.6vwj8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j1de9.re7x.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.6vwj8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6j2.sa3x.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2v.ty9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1m3k.sa3x.online"; depth:17;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630299; rev:1;)
# ip:port indicators labelled "Unknown malware". Destination address and port
# are the only match criteria (no flow or content keyword), so any TCP packet
# from $HOME_NET to the endpoint alerts, at most once per source address per
# 60 seconds (threshold type limit, track by_src).
# NOTE(review): the metadata records first_seen but no expiry, so stale
# addresses are only dropped when the ruleset is refreshed from the feed;
# several of these use common service ports (443, 8080, 8443), so correlate a
# hit with other telemetry before escalating.
alert tcp $HOME_NET any -> [200.41.209.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630298; rev:1;)
alert tcp $HOME_NET any -> [13.49.246.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630297; rev:1;)
alert tcp $HOME_NET any -> [40.233.78.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630295; rev:1;)
alert tcp $HOME_NET any -> [202.10.36.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630296; rev:1;)
alert tcp $HOME_NET any -> [20.193.252.70] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630294; rev:1;)
alert tcp $HOME_NET any -> [154.37.221.217] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630292; rev:1;)
alert tcp $HOME_NET any -> [13.233.199.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630293; rev:1;)
alert tcp $HOME_NET any -> [185.194.141.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630290; rev:1;)
alert tcp $HOME_NET any -> [124.71.222.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630291; rev:1;)
alert tcp $HOME_NET any -> [184.62.130.45] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630289; rev:1;)
alert tcp $HOME_NET any -> [218.212.100.213] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630287; rev:1;)
alert tcp $HOME_NET any -> [82.156.51.253] 12042 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630288; rev:1;)
alert tcp $HOME_NET any -> [175.180.157.5] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630285; rev:1;)
alert tcp $HOME_NET any -> [114.32.210.98] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630286; rev:1;)
alert tcp $HOME_NET any -> [5.145.65.196] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630284; rev:1;)
alert tcp $HOME_NET any -> [122.199.13.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630282; rev:1;)
# ip:port indicators: destination address and port are the only match criteria
# (no flow or content keyword), so any TCP packet from $HOME_NET to the endpoint
# alerts, at most once per source address per 60 seconds.
alert tcp $HOME_NET any -> [5.145.77.121] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630283; rev:1;)
alert tcp $HOME_NET any -> [42.192.4.88] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630280; rev:1;)
alert tcp $HOME_NET any -> [204.144.177.65] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630281; rev:1;)
alert tcp $HOME_NET any -> [47.220.63.244] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630279; rev:1;)
alert tcp $HOME_NET any -> [154.44.10.42] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630278; rev:1;)
# C2 domains under m365.1drive.zip. Each rule is an exact-name match (depth
# equals the content length, isdataat:!1,relative forbids trailing bytes), so
# only the four listed host names alert, not other names under the same parent.
# NOTE(review): the labels resemble Microsoft 365 service names; analysts
# should not read a hit as traffic to a legitimate Microsoft host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"live.m365.1drive.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.m365.1drive.zip"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aad.m365.1drive.zip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"res.cdn.m365.1drive.zip"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630274; rev:1;)
# confidence_level 75 on the next rule; the Cobalt Strike entries after it are
# 100. All are address-and-port matches only - the named family comes from the
# feed entry, not from anything inspected in the traffic.
alert tcp $HOME_NET any -> [101.251.176.176] 1000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630273/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630273; rev:1;)
alert tcp $HOME_NET any -> [8.148.85.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630272; rev:1;)
alert tcp $HOME_NET any -> [107.174.142.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630271; rev:1;)
alert tcp $HOME_NET any -> [106.38.201.207] 8042 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p5wz0.re7x.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"46.fa3y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f5bqh.sa3x.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630267; rev:1;)
alert tcp $HOME_NET any -> [116.62.34.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630266/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jk.q4zi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u7z9n.sa3x.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fg.ru6q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2cvg.sa3x.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"70.b9sa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630261/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630261; rev:1;)
# The next four rules cover the same two hosts twice: once as a DNS query and
# once as an HTTP request. A plain-HTTP contact that is preceded by a lookup
# will therefore presumably raise two alerts (one dns, one http) per host.
# DNS form: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only the exact name matches (case-insensitively).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ui.tweethost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ui.aidexcel.co.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630260; rev:1;)
# HTTP form: the http.uri condition is content:"/" with depth:1, which is met by
# any request path that begins with "/", so these "url" rules are in effect
# host-only matches on GET requests. The http.host content is anchored at both
# ends (depth + isdataat:!1,relative), i.e. an exact host match.
# NOTE(review): "alert http" only sees requests the engine parses as HTTP; if
# the hosts are reached over TLS, only the DNS rules above can fire -- confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ui.tweethost.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ui.aidexcel.co.uk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ddc.j3ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1630256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7.der14i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630255; rev:1;) alert tcp $HOME_NET any -> [89.187.28.175] 54128 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630254/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rp9a.je9t.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2.xo3v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gtop.sh"; depth:8; nocase; http.host; content:"45.156.87.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630153/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_10_31; classtype:trojan-activity; sid:91630153; rev:1;) alert tcp $HOME_NET any -> [114.66.63.237] 8012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630197; rev:1;) alert tcp $HOME_NET any -> [192.252.187.60] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630198/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630198; rev:1;) alert tcp $HOME_NET any -> [124.221.78.241] 5009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630199/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630199; rev:1;) alert tcp $HOME_NET any -> [8.129.31.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630200/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630200; rev:1;) alert tcp $HOME_NET any -> [172.167.21.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630201/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630201; rev:1;) alert tcp $HOME_NET any -> [18.168.199.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630202/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hpd.di5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7dqw.je9t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kp.se5m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; content:"188.147.175.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; 
content:"91.164.39.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630243/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630243; rev:1;)
# NOTE(review): sid:91630244 has the same method, URI and host conditions as
# sid:91630243 (the rule that ends on the line above); only the reference URL
# and the sid differ, so one matching request raises both alerts. Presumably
# the two ThreatFox entries differ in a field the generated rule does not
# encode (for example scheme or port) -- confirm on the reference pages.
# The http.uri match is a prefix match: content:"/sshd" with depth:5 is anchored
# at the start only, so longer paths that begin with "/sshd" also match. The
# nocase modifier applies to that URI content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630244/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630244; rev:1;)
# Same situation for the next pair: sid:91630245 and sid:91630246 carry identical
# match conditions for the same host. The feed rates all of these at
# confidence_level 50, while classtype stays trojan-activity, so triage has to
# read the confidence from msg/metadata rather than from the classtype.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; content:"14stirling.dyndns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630245/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; content:"14stirling.dyndns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630246/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; nocase; http.host; content:"188.147.175.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630247/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; 
classtype:trojan-activity; sid:91630247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"182.112.214.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630239/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"182.112.214.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630240/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"200.59.88.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630241/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"200.59.88.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630242/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; nocase; http.host; content:"218.60.176.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630237; rev:1;)
# NOTE(review): sid:91630238 repeats the URI and host conditions of sid:91630237
# (the rule that ends on the line above); one request raises both alerts.
# content:"/i" with depth:2 is a two-byte prefix match with no end anchor, so
# any GET to this host whose path begins with "/i" (case-insensitively) matches,
# not only the exact path "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"218.60.176.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630238/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630238; rev:1;)
# Exact-name DNS matches: depth equals the content length and
# isdataat:!1,relative rejects trailing bytes; nocase ignores letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uq1.ke9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2gh5.je9t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630235; rev:1;)
# The host below is a name under s3.<region>.amazonaws.com, i.e. storage on a
# shared cloud platform; the rule is scoped to this one host name and one URI
# prefix. NOTE(review): "alert http" only sees requests the engine parses as
# HTTP; if the object is fetched over HTTPS the request is not visible to this
# rule without TLS inspection -- confirm which scheme the indicator uses.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuwrdjyexsof5m"; depth:15; nocase; http.host; content:"demo-public-6ez8c3xnb-place.s3.ap-southeast-2.amazonaws.com"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630233/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630233; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medicare-plans/"; depth:16; nocase; http.host; content:"www.unitedhealthcare-group.browse-medicare-plan.uhc-com.generalsolution.top"; depth:75; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630234/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630234; rev:1;) alert tcp $HOME_NET any -> [147.185.221.223] 44999 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630231/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630231; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 39113 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630232/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630232; rev:1;) alert tcp $HOME_NET any -> [103.61.224.181] 11234 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"intelligencedns.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630229; rev:1;) alert tcp $HOME_NET any -> [45.141.215.127] 2626 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630228; rev:1;) alert tcp $HOME_NET any -> [216.9.225.19] 24049 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630227/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630227; rev:1;) alert tcp $HOME_NET any -> [216.9.225.19] 24046 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630226/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kolklokjkj.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ozkeplancarpet.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.siegania.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630224/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tjxh-internetional.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"arusicucloud.es"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"westy.ydns.eu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dot9-30205.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630219; rev:1;) alert tcp $HOME_NET any -> [45.90.98.57] 1881 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630218; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.kallisti.uk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630216; rev:1;)
# Exact-name DNS matches (depth equals the content length, isdataat:!1,relative
# rejects trailing bytes, nocase ignores case). Each sibling name under the same
# parent domain has its own rule; the parent itself is not matched by these.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.kallisti.uk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630217; rev:1;)
# ip:port indicator: matches on destination address and port only (no payload,
# flow or flags keyword); the threshold caps it at one alert per source address
# per 60 seconds.
alert tcp $HOME_NET any -> [79.110.63.178] 6751 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gatex.kallisti.uk.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630214; rev:1;)
# The next two rules name general-purpose public services as the host
# (pastebin.com, api.telegram.org); each is narrowed to a single path by the
# http.uri prefix, so ordinary use of those services does not match.
# NOTE(review): "alert http" only sees requests the engine parses as HTTP. These
# services are normally reached over HTTPS, so without TLS inspection ahead of
# the sensor these two rules presumably never fire -- confirm, and expect such
# indicators to surface in proxy or endpoint telemetry instead.
# The URI strings are stored lowercased and compared with nocase, so the rule
# text does not preserve the original letter case of the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xza7q3zr"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8476312908:aaev383sfeuipgcvw_uxmv2f0njkow0qnvk/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvo.w1um.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630211; rev:1;)
# In the remaining rules the http.uri condition is content:"/" with depth:1,
# which any path beginning with "/" satisfies; they are in effect exact-host
# matches on GET requests (http.host is anchored by depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xiaolitoxue.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zhengege09.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"20.189.122.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630208/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630208; rev:1;)
# Reviewer notes for the rules that follow (three generated templates):
#  - HTTP (url) rules: GET requests only (`flow:established,from_client`). The
#    `http.uri` content carries `depth` but no end anchor, so it is a prefix
#    match; only the `http.host` content is closed with `isdataat:!1,relative`.
#  - DNS (domain) rules: `depth` equals the content length and
#    `isdataat:!1,relative` forbids trailing bytes, so only a query for exactly
#    the listed name alerts; other names under the same parent domain need their
#    own entry. `nocase` makes the comparison case-insensitive.
#  - ip:port rules: no payload, flow or app-layer keywords, so every TCP packet
#    from $HOME_NET to the listed address and port is a candidate match;
#    `threshold: type limit, track by_src, seconds 60, count 1` caps output at
#    one alert per source host per minute.
#  - `metadata: confidence_level` repeats the percentage in msg (50, 75 and 100
#    all occur here); `target:src_ip` marks the $HOME_NET host as the target.

# URI content is only "/" (depth:1), so with the exact host match this fires on
# any GET sent to that host. Feed confidence for both HTTP entries is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.242.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5f9db40aa1d5c5c.php"; depth:21; nocase; http.host; content:"193.233.232.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630206; rev:1;)

# Exact-name DNS query matches (payload delivery, confidence 100).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sm.ty9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6h.fa3y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8zm4.je9t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3r.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630196; rev:1;)

# ip:port entries on 443 at confidence 75: the destination address is the only
# discriminator, so an alert here means "host talked to a listed address", not
# that C2 protocol content was observed. Corroborate with TLS/flow logs.
alert tcp $HOME_NET any -> [124.223.178.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630195; rev:1;)
alert tcp $HOME_NET any -> [101.71.100.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630192/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630192; rev:1;)
alert tcp $HOME_NET any -> [101.71.100.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630193/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630193; rev:1;)
alert tcp $HOME_NET any -> [101.71.100.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630194/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630194; rev:1;)
alert tcp $HOME_NET any -> [101.71.100.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630190/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630190; rev:1;)
alert tcp $HOME_NET any -> [101.71.100.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630191/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630191; rev:1;)
# Same DNS template as above, but msg labels it botnet C2 and confidence is 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"factsec.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630189/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630189; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.88] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630187/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630187; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.89] 443 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630188/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9x4.der14i.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630186; rev:1;)
alert tcp $HOME_NET any -> [47.246.8.74] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630185/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0lj.te8x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630184; rev:1;)
alert tcp $HOME_NET any -> [216.189.149.69] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630183/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630183; rev:1;)
alert tcp $HOME_NET any -> [189.146.227.153] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630182/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630182; rev:1;)
alert tcp $HOME_NET any -> [18.204.135.188] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630181/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y3rfx.je9t.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c45.q4zi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7a.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mz1.der14i.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"py.ru6q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hpa.i4-27k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630175/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630175; rev:1;)
# Reviewer notes for the rules that follow (two generated templates):
#  - DNS (domain) rules: `dns_query` content with `depth` equal to its length
#    plus `isdataat:!1,relative` matches the query name exactly; a different
#    label under the same parent domain does not alert. `nocase` makes the
#    comparison case-insensitive.
#  - ip:port rules: the header (`alert tcp $HOME_NET any -> [addr] port`) is the
#    whole detection. There is no payload, flow or app-layer keyword, so every
#    packet toward that address and port is a candidate match and
#    `threshold: type limit, track by_src, seconds 60, count 1` keeps it to one
#    alert per source per minute. The malware family in msg comes from the feed
#    entry, not from anything the rule inspects on the wire.
#  - `target:src_ip` marks the $HOME_NET host as the alert target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k5h.b9sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630174; rev:1;)

# ip:port entries, all at confidence 100. Destination ports vary widely
# (6379, 4444, 18100, 443, ...); on shared ports such as 443 the address alone
# separates this traffic from ordinary TLS sessions.
alert tcp $HOME_NET any -> [159.223.224.60] 6379 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630172; rev:1;)
alert tcp $HOME_NET any -> [137.184.192.8] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630173; rev:1;)
alert tcp $HOME_NET any -> [18.231.111.192] 18100 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630170; rev:1;)
alert tcp $HOME_NET any -> [130.164.175.119] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630171; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.40] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630169; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.95] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630168; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.223] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630167; rev:1;)
alert tcp $HOME_NET any -> [85.209.155.7] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630166; rev:1;)
alert tcp $HOME_NET any -> [45.133.180.162] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630165; rev:1;)
alert tcp $HOME_NET any -> [38.60.220.150] 443 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3.der14i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"25.j3ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7x5.i4-27k.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630161; rev:1;)
alert tcp $HOME_NET any -> [154.198.50.44] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630160; rev:1;)
alert tcp $HOME_NET any -> [72.146.224.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630159; rev:1;)
alert tcp $HOME_NET any -> [149.104.68.105] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630158; rev:1;)
alert tcp $HOME_NET any -> [117.72.164.143] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630157; rev:1;)
alert tcp $HOME_NET any -> [124.220.76.69] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630156; rev:1;)

# Exact-name DNS query matches (payload delivery, confidence 100). Several
# entries share a parent domain (for example i4-27k.ru) with a different first
# label; each label is its own rule, so an unlisted label goes undetected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z6u.xo3v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9r2.lej75a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"97.di5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m11.i4-27k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.se5m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ux.ke9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3qv.i4-27k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fh6.w1um.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"119.29.4.226"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630084; rev:1;)
# Reviewer notes for the rules that follow (three generated templates):
#  - HTTP (url) rules: client-side GET requests on established flows. The
#    `http.uri` content is bounded by `depth` only, so a longer URI beginning
#    with the same bytes (for example with a query string appended) still
#    matches; the `http.host` content is the exact value because
#    `isdataat:!1,relative` follows it. Requests using another method, or sent
#    inside TLS the sensor cannot decode, are outside what these rules inspect.
#  - ip:port rules: no payload, flow or app-layer keywords, so every TCP packet
#    from $HOME_NET to the listed address and port is a candidate match, limited
#    by `threshold` to one alert per source per 60 seconds.
#  - DNS (domain) rules: exact query-name match (`depth` equals content length,
#    `isdataat:!1,relative` rejects trailing bytes), case-insensitive via `nocase`.
#  - `target:src_ip` marks the $HOME_NET host as the alert target.

# Same URI on different hosts: one rule per host, the path itself is not
# detected on hosts the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"119.91.52.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"117.72.107.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630086; rev:1;)
# Payload-delivery URLs: a hit means the file was requested. The rule does not
# look at the response, so whether it was served must come from other logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cq.vbs"; depth:7; nocase; http.host; content:"95.164.55.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629760; rev:1;)
alert tcp $HOME_NET any -> [185.200.243.207] 14228 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629756/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91629756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/izhhanxe.msi"; depth:13; nocase; http.host; content:"95.164.55.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629759; rev:1;)
alert tcp $HOME_NET any -> [45.132.50.107] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629742; rev:1;)
# msg names the family as "Unknown malware" on the next three entries, so the
# alert text gives no family context; use the reference URL when triaging.
alert tcp $HOME_NET any -> [51.210.106.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629743; rev:1;)
alert tcp $HOME_NET any -> [35.185.181.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629744; rev:1;)
alert tcp $HOME_NET any -> [47.121.137.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prototype.tapmycard.work"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629701; rev:1;)
alert tcp $HOME_NET any -> [62.60.158.10] 54433 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629663; rev:1;)

# Exact-name DNS query matches. msg distinguishes "payload delivery" from
# "botnet C2 traffic"; the match logic is the same for both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ug0.ty9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gk9.i4-27k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4o.fa3y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b.lej75a.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birmatrabiloktrabvel.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gs.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snappis.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2.i4-27k.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7.lej75a.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8i.te8x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9y1.lej75a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jw.q4zi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cmv2.y3-68c.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l8.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630133; rev:1;)
alert tcp $HOME_NET any ->
[107.172.44.153] 1278 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630132/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"snappis.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1630131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t08.y3-68c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuesdaymandatesss.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hvg.ru6q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"xr.b9sa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1l.j3ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9az.y3-68c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6y.hab77u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"js.xo3v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3.di5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630122/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wq7.y3-68c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g70.se5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cm.ke9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xla.w1um.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nj.ty9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630117; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r3k.fa3y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1m.y3-68c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lk.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i21.te8x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9k2.hab77u.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4.y3-68c.ru"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630111; rev:1;)
# ip:port indicators. The rules below carry no content, flow or app-layer
# keywords: each one can match any TCP packet sent from $HOME_NET to the listed
# address and port. "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source host per 60 seconds, so a single alert
# may stand for a long-lived or repeated connection.
# "target:src_ip" records the $HOME_NET side as the alert target, i.e. the
# internal host to investigate.
# NOTE(review): a match shows that a packet was sent to the address, not that a
# session was established or that the malware family named in msg was actually
# speaking; corroborate with flow, proxy or endpoint telemetry before acting on
# a host.
alert tcp $HOME_NET any -> [52.79.165.82] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630110; rev:1;)
alert tcp $HOME_NET any -> [199.231.188.247] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630109; rev:1;)
alert tcp $HOME_NET any -> [79.241.96.161] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630108; rev:1;)
alert tcp $HOME_NET any -> [95.179.171.93] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630107; rev:1;)
alert tcp $HOME_NET any -> [35.180.207.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630106; rev:1;)
alert tcp $HOME_NET any -> 
[36.255.98.40] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630105; rev:1;) alert tcp $HOME_NET any -> [165.22.109.63] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630104; rev:1;) alert tcp $HOME_NET any -> [188.214.39.243] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630103; rev:1;) alert tcp $HOME_NET any -> [91.92.242.64] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630102; rev:1;) alert tcp $HOME_NET any -> [109.172.39.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630100; rev:1;) alert tcp $HOME_NET any -> [8.130.102.69] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630101/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630101; rev:1;) alert tcp $HOME_NET any -> [119.91.32.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630099; rev:1;) alert tcp $HOME_NET any -> [39.184.227.96] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1.q4zi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"75.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.hab77u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.ey-m5t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dv.ru6q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.b9sa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2zq4.ey-m5t.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lq.j3ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.hab77u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1630089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pq.xo3v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bvt.ey-m5t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bnd.di5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h91.ey-m5t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630082; rev:1;) alert tcp $HOME_NET any -> [149.88.69.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630081/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630081; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fx.doubao.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630080/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_31; classtype:trojan-activity; sid:91630080; rev:1;)
# NOTE(review): sid 91630080 (the rule ending on the line above) is the only
# domain entry in this stretch tagged "botnet C2" and it carries
# confidence_level 75 rather than 100. Its parent domain appears to belong to a
# mainstream consumer service (TODO confirm), so ordinary user traffic could
# trigger it. Check the ThreatFox entry given in reference:url and your own DNS
# baseline before using this indicator for blocking rather than alerting.
#
# Domain indicators. dns_query selects the DNS query name as the match buffer.
# depth equals the length of the content string and isdataat:!1,relative
# requires that no byte follows the match, so the whole query name must equal
# the string (nocase: compared case-insensitively). Other host names under the
# same parent domain are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aws.se5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"op.ke9t.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.hab77u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3d.ey-m5t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.w1um.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wnf.ty9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q6.ey-m5t.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630073; rev:1;)
# Lower-confidence ip:port entries. The Meterpreter rules that follow are
# tagged confidence_level 50 in both msg and metadata. Like the other ip:port
# rules they have no content or flow keywords, so they match on destination
# address and port alone, and threshold limits them to one alert per source
# host per 60 seconds. The same address recurs with different ports
# (43.201.57.67 below).
# NOTE(review): consider keying alert priority or rule enablement on the
# metadata confidence_level value so these do not page at the same level as the
# 100% entries. first_seen is 2025_10_31 and an address can change hands after
# it is listed; confirm the indicator is still current before containment.
alert tcp $HOME_NET any -> [13.245.149.81] 22122 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630072/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630072; rev:1;)
alert tcp $HOME_NET any -> [43.201.57.67] 41441 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630071/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630071; rev:1;)
alert tcp $HOME_NET any -> [43.201.57.67] 36691 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; 
sid:91630070; rev:1;) alert tcp $HOME_NET any -> [43.201.57.67] 29841 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630069; rev:1;) alert tcp $HOME_NET any -> [43.201.57.67] 4841 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630068; rev:1;) alert tcp $HOME_NET any -> [43.198.187.94] 34558 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630067; rev:1;) alert tcp $HOME_NET any -> [43.198.187.94] 28658 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630066; rev:1;) alert tcp $HOME_NET any -> [43.198.187.94] 21708 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630065/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630065; rev:1;) alert tcp $HOME_NET any -> [43.198.187.94] 6008 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1630064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630064; rev:1;) alert tcp $HOME_NET any -> [3.26.59.145] 50580 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630063/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630063; rev:1;) alert tcp $HOME_NET any -> [3.26.59.145] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630062/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630062; rev:1;) alert tcp $HOME_NET any -> [3.39.236.169] 50080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630061; rev:1;) alert tcp $HOME_NET any -> [3.39.236.169] 50030 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630060/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630060; rev:1;) alert tcp $HOME_NET any -> [3.39.236.169] 28080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630059/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630059; rev:1;) alert tcp $HOME_NET any -> [3.39.236.169] 4730 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630058; rev:1;) alert tcp $HOME_NET any -> [15.168.235.4] 60000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630057/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630057; rev:1;) alert tcp $HOME_NET any -> [15.168.235.4] 40000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630056; rev:1;) alert tcp $HOME_NET any -> [15.168.235.4] 12000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630055/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630055; rev:1;) alert tcp $HOME_NET any -> [15.168.235.4] 5000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630054/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630054; rev:1;) alert tcp $HOME_NET any -> [15.168.235.4] 3000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; 
classtype:trojan-activity; sid:91630053; rev:1;) alert tcp $HOME_NET any -> [13.231.17.10] 2762 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630052/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630052; rev:1;) alert tcp $HOME_NET any -> [15.228.185.238] 7170 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630051/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630051; rev:1;) alert tcp $HOME_NET any -> [16.50.175.194] 2078 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2w9.kat31o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1630049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91630049; rev:1;) alert tcp $HOME_NET any -> [16.24.140.192] 1282 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630048; rev:1;) alert tcp $HOME_NET any -> [43.210.9.45] 27163 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630047; rev:1;) alert tcp $HOME_NET any -> [43.210.9.45] 1963 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630046; rev:1;) alert tcp $HOME_NET any -> [51.17.225.41] 19999 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630045; rev:1;) alert tcp $HOME_NET any -> [16.50.233.145] 9599 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630044; rev:1;) alert tcp $HOME_NET any -> [18.201.206.191] 55039 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630043; rev:1;) alert tcp $HOME_NET any -> [18.201.206.191] 33389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630042; rev:1;) alert tcp $HOME_NET any -> 
[51.48.106.31] 59428 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630041; rev:1;)
# (The line above is the tail of a rule whose start lies before this span.)
#
# --- ip:port indicators labelled Meterpreter, confidence level 50 ---
# Each rule matches TCP traffic from $HOME_NET to one exact destination
# address and port. There is no content or flow keyword, so a match does not
# require an established session or any particular payload: it records only
# that an internal host sent traffic towards the listed endpoint.
#   threshold: type limit, track by_src, seconds 60, count 1
#       at most one alert per source address per 60 seconds, per sid.
#   target:src_ip
#       the source (the $HOME_NET host) is recorded as the target in the
#       event, i.e. the machine to triage.
#   metadata: confidence_level / first_seen
#       values carried over from the feed entry named in reference:url.
# NOTE(review): an address-and-port match at confidence level 50 is a lead to
# corroborate with host, proxy or TLS telemetry before acting on it, and the
# address may have changed hands since first_seen - confirm how these sids
# are expired when the feed is refreshed.
alert tcp $HOME_NET any -> [16.78.253.17] 1468 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630040; rev:1;)
alert tcp $HOME_NET any -> [40.192.16.2] 45266 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630039; rev:1;)
alert tcp $HOME_NET any -> [40.192.16.2] 32766 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630038; rev:1;)
alert tcp $HOME_NET any -> [3.147.66.225] 33150 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630037/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630037; rev:1;)
alert tcp $HOME_NET any -> [3.147.66.225] 5000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630036; rev:1;)
alert tcp $HOME_NET any -> [3.147.66.225] 3000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630035/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630035; rev:1;)
alert tcp $HOME_NET any -> [3.147.66.225] 1800 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630034/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630034; rev:1;)
alert tcp $HOME_NET any -> [51.21.254.57] 50805 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630033/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630033; rev:1;)
alert tcp $HOME_NET any -> [54.93.92.48] 104 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630032; rev:1;)
alert tcp $HOME_NET any -> [3.26.46.168] 15496 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630031/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630031; rev:1;)
alert tcp $HOME_NET any -> [43.216.5.127] 30005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630030/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630030; rev:1;)
alert tcp $HOME_NET any -> [35.177.112.17] 2079 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630029/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630029; rev:1;)
alert tcp $HOME_NET any -> [16.163.95.17] 43862 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630028/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630028; rev:1;)
alert tcp $HOME_NET any -> [16.163.95.17] 6362 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630027/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630027; rev:1;)
alert tcp $HOME_NET any -> [3.110.127.156] 33389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630026/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630026; rev:1;)
alert tcp $HOME_NET any -> [35.180.22.143] 5832 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630025/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630025; rev:1;)
alert tcp $HOME_NET any -> [35.158.123.89] 52200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630024/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630024; rev:1;)
alert tcp $HOME_NET any -> [35.158.123.89] 2000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630023/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630023; rev:1;)
alert tcp $HOME_NET any -> [16.51.57.120] 2086 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630022/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630022; rev:1;)
alert tcp $HOME_NET any -> [13.247.238.5] 32764 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630021/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630021; rev:1;)
alert tcp $HOME_NET any -> [40.172.121.232] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630020/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630020; rev:1;)
alert tcp $HOME_NET any -> [40.172.121.232] 8880 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630019; rev:1;)
alert tcp $HOME_NET any -> [13.213.13.40] 51752 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630018/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630018; rev:1;)
alert tcp $HOME_NET any -> [3.137.169.129] 2761 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630017/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630017; rev:1;)
alert tcp $HOME_NET any -> [35.164.95.34] 2454 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630016; rev:1;)
alert tcp $HOME_NET any -> [35.164.95.34] 554 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630015; rev:1;)
alert tcp $HOME_NET any -> [15.237.189.230] 8636 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630014/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630014; rev:1;)
alert tcp $HOME_NET any -> [16.51.166.133] 5671 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630013; rev:1;)
alert tcp $HOME_NET any -> [18.162.156.159] 5060 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630012; rev:1;)
alert tcp $HOME_NET any -> [54.67.54.47] 8082 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630011/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630011; rev:1;)
alert tcp $HOME_NET any -> [54.67.54.47] 2082 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630010/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630010; rev:1;)
alert tcp $HOME_NET any -> [78.13.203.158] 51287 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630009; rev:1;)
alert tcp $HOME_NET any -> [52.77.250.77] 58508 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630008; rev:1;)
alert tcp $HOME_NET any -> [52.77.250.77] 26258 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630007; rev:1;)
alert tcp $HOME_NET any -> [43.208.198.115] 6002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630006; rev:1;)
alert tcp $HOME_NET any -> [13.247.110.96] 11102 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630005; rev:1;)
alert tcp $HOME_NET any -> [3.123.128.137] 18245 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630004; rev:1;)
alert tcp $HOME_NET any -> [3.123.128.137] 8545 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630003; rev:1;)
alert tcp $HOME_NET any -> [13.209.81.180] 29243 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630002; rev:1;)
alert tcp $HOME_NET any -> [18.228.190.148] 17778 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630001; rev:1;)
alert tcp $HOME_NET any -> [13.246.22.80] 9601 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1630000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91630000; rev:1;)
alert tcp $HOME_NET any -> [13.246.22.80] 8001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629999; rev:1;)
alert tcp $HOME_NET any -> [52.64.114.168] 17201 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629998; rev:1;)
alert tcp $HOME_NET any -> [18.60.216.199] 790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629997; rev:1;)
#
# --- domain indicator labelled payload delivery, confidence level 100 ---
# dns_query inspects the name in a DNS query. depth equals the length of the
# content string and isdataat:!1,relative requires that nothing follows the
# match, so with nocase the rule fires only on a case-insensitive match of
# the whole query name; a longer name that merely ends in it does not match.
# There is no threshold keyword here, so every matching query alerts.
# NOTE(review): dns_query is the older spelling of this keyword (newer
# Suricata documentation lists it as dns.query) - confirm against the
# deployed version. Only DNS the sensor can parse is covered; lookups sent
# through an encrypted resolver are presumably out of view.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4o2.fa3y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629996; rev:1;)
#
# --- ip:port indicators labelled Meterpreter, continued ---
# Same shape as the Meterpreter rules earlier in this span: exact destination
# address and port, one alert per source per 60 seconds, no payload check.
alert tcp $HOME_NET any -> [43.207.81.82] 18188 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629995; rev:1;)
alert tcp $HOME_NET any -> [3.29.244.92] 20506 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629994; rev:1;)
alert tcp $HOME_NET any -> [99.79.161.108] 6369 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629993; rev:1;)
alert tcp $HOME_NET any -> [13.245.109.31] 389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629992; rev:1;)
alert tcp $HOME_NET any -> [13.246.233.116] 8020 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629991; rev:1;)
alert tcp $HOME_NET any -> [43.208.163.27] 110 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629990/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629990; rev:1;)
alert tcp $HOME_NET any -> [3.10.225.156] 8636 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629989; rev:1;)
alert tcp $HOME_NET any -> [13.36.234.100] 17777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629988/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629988; rev:1;)
alert tcp $HOME_NET any -> [16.52.170.40] 5060 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629987/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629987; rev:1;)
alert tcp $HOME_NET any -> [35.180.202.152] 49152 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629986/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629986; rev:1;)
#
# --- ip:port indicators labelled Cobalt Strike, confidence level 50 ---
# Identical rule shape to the Meterpreter entries; only the msg label, the
# destination and the ids differ.
# NOTE(review): many of these destinations use common web ports (80, 443,
# 8080). With no payload or TLS condition in the rule, a match on such a port
# may coincide with unrelated traffic if the address also hosts other
# services - verify with proxy or endpoint data before treating a hit as C2.
alert tcp $HOME_NET any -> [116.205.173.10] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629985/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629985; rev:1;)
alert tcp $HOME_NET any -> [38.147.172.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629984/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629984; rev:1;)
alert tcp $HOME_NET any -> [45.227.253.137] 60341 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629983/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629983; rev:1;)
alert tcp $HOME_NET any -> [8.148.31.226] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629982/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629982; rev:1;)
alert tcp $HOME_NET any -> [124.70.26.41] 65534 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629981/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629981; rev:1;)
alert tcp $HOME_NET any -> [8.136.57.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629980; rev:1;)
alert tcp $HOME_NET any -> [47.92.222.254] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629979; rev:1;)
alert tcp $HOME_NET any -> [202.56.160.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629978; rev:1;)
alert tcp $HOME_NET any -> [202.56.160.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629977; rev:1;)
alert tcp $HOME_NET any -> [103.73.163.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629976; rev:1;)
alert tcp $HOME_NET any -> [177.136.225.181] 10035 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629975; rev:1;)
alert tcp $HOME_NET any -> [149.28.24.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629974/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629974; rev:1;)
alert tcp $HOME_NET any -> [129.232.178.142] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629973/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629973; rev:1;)
alert tcp $HOME_NET any -> [129.232.178.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629972/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629972; rev:1;)
alert tcp $HOME_NET any -> [129.232.178.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629971/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629971; rev:1;)
alert tcp $HOME_NET any -> [8.129.30.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629970; rev:1;)
alert tcp $HOME_NET any -> [191.96.225.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629969; rev:1;)
alert tcp $HOME_NET any -> [191.96.225.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629968; rev:1;)
alert tcp $HOME_NET any -> [193.221.200.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629967; rev:1;)
alert tcp $HOME_NET any -> [165.227.58.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629966; rev:1;)
alert tcp $HOME_NET any -> [74.207.228.203] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629965; rev:1;)
alert tcp $HOME_NET any -> [74.207.228.203] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629964; rev:1;)
alert tcp $HOME_NET any -> [43.142.244.154] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629963; rev:1;)
alert tcp $HOME_NET any -> [43.142.244.154] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629962; rev:1;)
alert tcp $HOME_NET any -> [164.128.173.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629961; rev:1;)
alert tcp $HOME_NET any -> [96.9.212.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629960; rev:1;)
alert tcp $HOME_NET any -> [158.158.8.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629959; rev:1;)
alert tcp $HOME_NET any -> [193.42.24.226] 57777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629958; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629957; rev:1;)
alert tcp $HOME_NET any -> [8.148.85.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629956; rev:1;)
alert tcp $HOME_NET any -> [193.84.71.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629955; rev:1;)
alert tcp $HOME_NET any -> [13.215.177.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629954; rev:1;)
alert tcp $HOME_NET any -> [43.136.23.21] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629953; rev:1;)
alert tcp $HOME_NET any -> [123.57.200.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629952; rev:1;)
alert tcp $HOME_NET any -> [106.38.201.207] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629951/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629951; rev:1;)
alert tcp $HOME_NET any -> [118.25.1.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629950/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629950; rev:1;)
alert tcp $HOME_NET any -> [118.25.1.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629949/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629949; rev:1;)
alert tcp $HOME_NET any -> [54.161.29.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629948/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629948; rev:1;)
alert tcp $HOME_NET any -> [124.222.236.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629947/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629947; rev:1;)
alert tcp $HOME_NET any -> [38.60.125.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629946/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629946; rev:1;)
alert tcp $HOME_NET any -> [18.202.246.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629945/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629945; rev:1;)
alert tcp $HOME_NET any -> [106.53.64.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629944/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629944; rev:1;)
alert tcp $HOME_NET any -> [108.130.99.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629943/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629943; rev:1;)
alert tcp $HOME_NET any -> [108.130.99.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629942/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629942; rev:1;)
alert tcp $HOME_NET any -> [195.133.198.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629941/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629941; rev:1;)
alert tcp $HOME_NET any -> [111.229.147.197] 34443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629940/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629940; rev:1;)
alert tcp $HOME_NET any -> [193.112.92.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629939/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629939; rev:1;)
alert tcp $HOME_NET any -> [34.68.221.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629938/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_31; classtype:trojan-activity; sid:91629938; rev:1;)
#
# --- domain indicators labelled payload delivery, confidence level 100 ---
# Same exact-name pattern as sid 91629996 earlier in this span: depth matches
# the content length and isdataat:!1,relative forbids trailing bytes, so only
# the listed name itself matches, case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e4.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wth.te8x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v8x.ey-l2q.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ihx.q4zi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0q.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4n.kat31o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a2h4.ey-l2q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"95f.ru6q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629930; rev:1;)
# (The rule that starts on the next line continues beyond this span.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"zf0.ey-l2q.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xeq.b9sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oct.j3ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pi1.xo3v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k4.kat31o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq1.ey-l2q.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1629924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w8.di5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9hm.se5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9k.ey-l2q.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pe5.ke9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nn.w1um.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_31; classtype:trojan-activity; sid:91629919; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8q.kat31o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w0.ty9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7.ey-l2q.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629757; rev:1;) alert tcp $HOME_NET any -> [161.129.44.48] 16066 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.kat31o.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ga9.fa3y.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ij.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"po.te8x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r3k.068xaw.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zyz.q4zi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t7z.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629748/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_30; classtype:trojan-activity; sid:91629748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3mb.p7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629747; rev:1;)
# Destination port 53 below is written as `alert tcp`, not `alert dns`: the rule
# matches on address and port only and does not inspect whether the traffic is DNS.
# Outbound TCP/53 to hosts other than the approved resolvers is worth restricting
# at egress independently of this IoC.
alert tcp $HOME_NET any -> [103.176.197.134] 53 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629746; rev:1;)
alert tcp $HOME_NET any -> [150.5.145.84] 82 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9.ru6q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k1w.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"g4j.b9sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.068xaw.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7r.j3ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h8r.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kuc.xo3v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629734; rev:1;) alert tcp $HOME_NET any -> [144.124.243.106] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629733/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629733; rev:1;)
alert tcp $HOME_NET any -> [167.17.40.15] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629732; rev:1;)
# Domain IoC rules. In each one `depth` equals the length of the content string
# and `isdataat:!1,relative` requires that nothing follows the match, so the
# whole query name must equal the listed name (case-insensitively, via nocase).
# A query for a subdomain of a listed name does not match.
# These rules have no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jc7.di5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.068xaw.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629730; rev:1;)
# The next two names differ only by one leading character. Because each rule is
# an exact match on the full query name, neither rule covers the other.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rorectal.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arorectal.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629728; rev:1;)
alert tcp $HOME_NET any -> [62.60.150.6] 443 (msg:"ThreatFox 
Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"698.se5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629726; rev:1;) alert tcp $HOME_NET any -> [23.26.237.117] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuza.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cantrqj.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axibbyg.locker"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1629723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaxak.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captaix.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"litteru.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"throjvy.locker"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livusa.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; 
sid:91629716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jinga.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genusg.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dourq.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutccg.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3tc.ke9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"4n.ty9a.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8.fa3y.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629710; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 30205 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7m.068xaw.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"itz.te8x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629706/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_30; classtype:trojan-activity; sid:91629706; rev:1;) alert tcp $HOME_NET any -> [198.23.177.222] 3565 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.q4zi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1h.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ms.ru6q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bxl.b9sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629700; rev:1;) alert tcp $HOME_NET any -> [172.245.246.89] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629699; rev:1;) alert tcp $HOME_NET any -> [196.75.216.51] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629698; rev:1;) alert tcp $HOME_NET any -> [94.237.82.123] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629697; rev:1;) alert tcp $HOME_NET any -> [117.158.134.224] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629696; rev:1;) alert tcp $HOME_NET any -> [213.199.61.109] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ut.j3ve.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l3y.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0.xo3v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2w.122suj.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5n.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2b3.di5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629689; rev:1;) alert tcp $HOME_NET any -> [62.182.80.175] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629688; rev:1;)
# The same host is published twice: as a domain IoC (dns rule, sid 91629687) and
# as a URL IoC (http rule, sid 91629686). One infected host can therefore raise
# both alerts; correlate them by source address rather than counting them as
# separate incidents.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpx.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629687; rev:1;)
# URL IoC. The only URI constraint is a leading "/" (depth:1; nocase has no
# effect on that byte), so this fires on any client GET in an established flow
# whose Host is exactly the listed name (depth:17 plus isdataat:!1,relative).
# http.host is a lower-cased buffer, which is why that content carries no nocase.
# `alert http` only sees HTTP that Suricata can parse in the clear; for TLS
# traffic to this host the dns rule above is the one that provides coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xpx.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u6b.lo9q.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s16.se5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p2t.lo9q.online"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629683; rev:1;)
# The ip:port rules on this stretch are published at confidence_level 75 and
# match on destination address and port only (no flow or payload keywords).
# Ports 443 and 995 also carry ordinary TLS and POP3S traffic, so an alert here
# shows a connection attempt to the listed address, not the malware family named
# in msg. Check the ThreatFox reference and first_seen date, and corroborate
# with host telemetry.
# NOTE(review): if any of these addresses belongs to a shared cloud or CDN
# range, unrelated services on the same address raise the same alert. Confirm
# address ownership before turning these into block rules.
alert tcp $HOME_NET any -> [3.33.246.13] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629682/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5.122suj.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629681; rev:1;)
alert tcp $HOME_NET any -> [23.111.154.98] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629680/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629680; rev:1;)
alert tcp $HOME_NET any -> [188.4.157.61] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629679/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629679; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.224] 4443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629678/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629678; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vvp.ke9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629677; rev:1;) alert tcp $HOME_NET any -> [154.21.14.182] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629676/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629676; rev:1;) alert tcp $HOME_NET any -> [138.199.214.234] 9090 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629675/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629675; rev:1;) alert tcp $HOME_NET any -> [136.107.24.180] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629674/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629674; rev:1;) alert tcp $HOME_NET any -> [124.198.132.101] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629673/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629673; rev:1;) alert tcp $HOME_NET any -> [104.224.153.87] 55558 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629672/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9e.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629671; rev:1;) alert tcp $HOME_NET any -> [196.251.85.150] 7777 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9d4.w1um.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpx.aidexcel.co.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xpx.aidexcel.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6tm.ty9a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4m.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5ct.fa3y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0x.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1z.122suj.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"65.ha7e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"captaix.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629659; rev:1;) alert tcp $HOME_NET any -> [37.221.65.102] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629658; rev:1;) alert tcp $HOME_NET any -> [192.120.0.1] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629657; rev:1;) alert tcp $HOME_NET any -> [31.40.204.161] 1414 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vq8.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1629655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3z.te8x.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edh.q4zi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1d.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yk5.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3f.p7li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; 
sid:91629650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vhu.ru6q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ufb.b9sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"55i.j3ve.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7a.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3a.xo3v.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"y4w1.565fit.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1.di5r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"93.se5m.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hum.ke9t.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j2p.mi7x.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d0k.565fit.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629639/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.yf-l3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.yf-l3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9p3.565fit.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.ew-w3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5"; depth:2; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.ew-w3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629633; rev:1;) alert tcp $HOME_NET any -> [40.172.150.31] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629632; rev:1;) alert tcp $HOME_NET any -> [168.245.200.216] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbasic.celticcommunications.co"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"l.celticcommunications.co"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629630; rev:1;) alert tcp $HOME_NET any -> [18.134.227.111] 10070 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629628; rev:1;) alert tcp $HOME_NET any -> [104.194.154.86] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629627; rev:1;) alert tcp $HOME_NET any -> [181.162.152.212] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629626; rev:1;) alert tcp $HOME_NET any -> [43.154.70.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629625; rev:1;) alert tcp $HOME_NET any -> [47.113.206.220] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629624/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_30; classtype:trojan-activity; sid:91629624; rev:1;) alert tcp $HOME_NET any -> [109.206.247.161] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629623; rev:1;) alert tcp $HOME_NET any -> [124.70.100.149] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629622; rev:1;) alert tcp $HOME_NET any -> [154.198.50.44] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tn.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"teered.locker"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629618/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629618; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dimityk.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629617/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.if-p4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629616; rev:1;) alert tcp $HOME_NET any -> [95.164.92.107] 37686 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1.uz-k9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2x.565fit.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"hk.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7.uz-k9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t.yo11.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.565fit.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3.yo11.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629607/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.yy88.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p5g1.78nsy6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9.yy88.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629602; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.ie45.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qx.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1.ie45.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.78nsy6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3.0f78.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9vz.78nsy6.ru"; depth:14; fast_pattern; 
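isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629596; rev:1;)
# sid:91629595: exact, case-insensitive match on the whole DNS query name.
# depth equals the content length and isdataat:!1,relative rejects any
# trailing byte, so subdomains of this name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q.0f78.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629595; rev:1;)
# sid:91629574: GET request whose URI starts with "/lk.exe" (case-insensitive
# prefix; the URI has no end anchor, so longer URIs with this prefix also
# match) and whose Host is exactly 178.16.54.109.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lk.exe"; depth:7; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629574; rev:1;)
# sid:91629577: exact, case-insensitive match on the whole DNS query name
# (depth equals the content length, isdataat:!1,relative forbids trailing data).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fixprjajaa.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629577; rev:1;)
# sid:91629584: corrected. The published form tested http.uri for the bare
# address "217.154.0.7" anchored at the start of the buffer (depth:11) and
# carried no http.host condition. A request URI is not expected to begin with
# an IP address, so the rule was unlikely ever to fire and the indicator was
# effectively undetected. The address is now matched exactly in http.host, and
# the URI condition is "/", the shape the feed's other URL rules use when the
# path is "/".
# NOTE(review): assumes the indicator is a URL with an empty path. Confirm
# against ThreatFox entry 1629584 and report the malformed rule upstream.
# rev is raised to 2 to mark the local change; a later feed refresh will
# overwrite it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.154.0.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629584; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; 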
http.host; content:"fellsminjs.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fellsminjs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"fellsminjs.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"fellsminjs.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oluh.php"; depth:9; nocase; http.host; content:"thestudioat620.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629589; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yifsnwh.zip"; depth:12; nocase; http.host; content:"southerngun.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"southerngun.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629591; rev:1;)
# ip:port rule: the only match criteria are the destination address and port in
# the header. There is no flow, content or app-layer keyword, so the rule can
# fire on the first packet a $HOME_NET host sends toward that endpoint. An alert
# therefore shows a connection attempt, not that a session was established or
# that C2 data was exchanged. The malware family in msg comes from the IOC
# label, not from anything inspected on the wire.
# threshold: type limit ... count 1, seconds 60 caps this at one alert per
# source address per minute, so the alert count does not reflect connection
# volume. Use flow records to size the activity.
# target:src_ip marks the internal client as the affected host in the event.
alert tcp $HOME_NET any -> [5.181.156.238] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lksrv.exe"; depth:10; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7.xa4p.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; 
sid:91629594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7.5v05.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0k.78nsy6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.5v05.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629581; rev:1;)
# This entry carries confidence_level 75 in both msg and metadata, where most
# entries in this file carry 100. The rule also matches on destination
# address and port only, with no payload inspection, so nothing on the wire
# confirms the family named in msg. Treat a hit as a lead to correlate with
# endpoint or flow data. The metadata confidence_level key is what a
# rule-management step can filter or re-prioritise on.
alert tcp $HOME_NET any -> [79.117.134.3] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629580/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0y.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.8g89.ru"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9t.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.8g89.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y4c.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629573; rev:1;)
# The match is the full host name only: depth:18 covers all 18 bytes from the
# start of the query and isdataat:!1,relative rejects anything longer. Other
# names under the same parent zone are not covered by this sid, and this file
# lists several of them as separate entries.
# NOTE(review): the parent zone appears to belong to a shared
# tunnelling/port-forwarding service, so these names are presumably
# short-lived and reassignable. Check first_seen and the ThreatFox entry when
# triaging an old hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sheep.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629572; rev:1;)
alert tcp $HOME_NET any -> [139.212.58.169] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629571/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_30; classtype:trojan-activity; sid:91629571; rev:1;) alert tcp $HOME_NET any -> [141.98.10.99] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e0925-38257.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teo875-33757.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629567; rev:1;) alert tcp $HOME_NET any -> [45.141.151.105] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629568; rev:1;) alert tcp $HOME_NET any -> [64.23.164.161] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629566; rev:1;) alert tcp $HOME_NET any -> [207.148.70.69] 4433 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envio.dynuddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ever-lamp.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"added-aurora.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629562; rev:1;) alert tcp $HOME_NET any -> [82.156.147.52] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629561; rev:1;) alert tcp $HOME_NET any -> [103.143.81.95] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1629560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j2m.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629559; rev:1;)
# The URI content is two bytes, anchored at the start only (depth:2, no
# isdataat on the http.uri buffer). Any GET to this host whose URI begins with
# "/4" matches, not just a request for exactly that path. The host match is
# exact, so specificity rests on http.host. Read the captured URI in the event
# to see what was actually requested.
# The rule inspects cleartext HTTP only (http.* buffers). Requests to the same
# host over TLS are not visible to it unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4"; depth:2; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2.78nsy6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"77w.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iloveboats9.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629464/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629464; rev:1;) alert tcp $HOME_NET any -> [111.228.35.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629521; rev:1;) alert tcp $HOME_NET any -> [8.141.114.103] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629522; rev:1;) alert tcp $HOME_NET any -> [47.112.125.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629523; rev:1;) alert tcp $HOME_NET any -> [103.164.81.113] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629524; rev:1;) alert tcp $HOME_NET any -> [38.102.124.94] 3000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629528; rev:1;) alert tcp $HOME_NET any -> [178.16.52.194] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629525; rev:1;) alert tcp $HOME_NET any -> [95.9.236.210] 3005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629526; rev:1;) alert tcp $HOME_NET any -> [91.92.242.95] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629527; rev:1;) alert tcp $HOME_NET any -> [196.251.116.57] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629529; rev:1;) alert tcp $HOME_NET any -> [101.34.205.46] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629530; rev:1;) alert tcp $HOME_NET any -> [190.104.11.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629532; 
rev:1;) alert tcp $HOME_NET any -> [156.224.26.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629531; rev:1;) alert tcp $HOME_NET any -> [35.227.245.87] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629533; rev:1;) alert tcp $HOME_NET any -> [139.59.92.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629534; rev:1;) alert tcp $HOME_NET any -> [16.176.199.116] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629535; rev:1;) alert tcp $HOME_NET any -> [159.89.167.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629536; rev:1;) alert tcp $HOME_NET any -> [143.198.215.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1629537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629537; rev:1;) alert tcp $HOME_NET any -> [106.14.72.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629538; rev:1;) alert tcp $HOME_NET any -> [20.15.37.88] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629539; rev:1;) alert tcp $HOME_NET any -> [103.129.205.241] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629540; rev:1;) alert tcp $HOME_NET any -> [141.11.213.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629541; rev:1;) alert tcp $HOME_NET any -> [35.156.114.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629542; rev:1;) alert tcp $HOME_NET any -> 
[20.244.86.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629543; rev:1;) alert tcp $HOME_NET any -> [18.197.198.142] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ipu.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5m.60nma5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6d.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aw9.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1629552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629552; rev:1;)
# The two names below each appear twice: once as a dns_query rule and once as
# an http rule. A single host that resolves the name and then fetches it over
# cleartext HTTP will raise both sids for the same activity, so correlate on
# source address and host name rather than counting alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv5.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv5.united-gs.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629550; rev:1;)
# http.uri content "/" with depth:1 and no end anchor is satisfied by any URI
# that starts with "/", so in practice these two rules are host-only matches
# on GET requests: any path on the listed host triggers them. They see
# cleartext HTTP only. The DNS rules above cover resolution of the same names
# regardless of the transport used afterwards.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nv5.united-gs.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nv5.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n9v.gl8r.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5q.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.60nma5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xla.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1z.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qbd.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629517/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_30; classtype:trojan-activity; sid:91629517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6hu.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8u.ju8r.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0n9.60nma5.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9a.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t7p.v3ix.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"879.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629511; rev:1;) alert tcp $HOME_NET any -> [105.101.89.231] 5001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629499/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a12.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ze.v3ix.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1z.60nma5.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9x2.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1629507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rsm.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m.v3ix.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qgb.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p4r.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8tk.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629502; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y2.02lxy3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0up.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bud.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629498; rev:1;) alert tcp $HOME_NET any -> [94.184.20.112] 8844 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629497/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6k1.02lxy3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629496; rev:1;) alert tcp $HOME_NET any -> [45.79.216.242] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629495/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629495; rev:1;) alert tcp $HOME_NET any -> [187.232.213.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629494/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629494; rev:1;) alert tcp $HOME_NET any -> [185.43.141.40] 5000 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629493/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629493; rev:1;) alert tcp $HOME_NET any -> [18.254.119.46] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629492/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629492; rev:1;) alert tcp $HOME_NET any -> [104.206.234.77] 30213 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629491/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629491; rev:1;) alert tcp $HOME_NET any -> [104.206.234.155] 30196 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629490/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629490; rev:1;) alert tcp $HOME_NET any -> [104.140.154.85] 
30191 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629489/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629489; rev:1;) alert tcp $HOME_NET any -> [104.140.154.57] 30191 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629487/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629487; rev:1;) alert tcp $HOME_NET any -> [104.140.154.65] 30164 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629488/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629488; rev:1;) alert tcp $HOME_NET any -> [104.140.154.41] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629486/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629486; rev:1;) alert tcp $HOME_NET any -> [104.140.154.31] 30111 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629484/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629484; rev:1;) alert tcp $HOME_NET any -> [104.140.154.38] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629485/; target:src_ip; metadata: confidence_level 
75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629485; rev:1;) alert tcp $HOME_NET any -> [104.140.154.246] 30127 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629482/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629482; rev:1;) alert tcp $HOME_NET any -> [104.140.154.249] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629483/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629483; rev:1;) alert tcp $HOME_NET any -> [104.140.154.232] 30191 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629480/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1rd.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629481; rev:1;) alert tcp $HOME_NET any -> [104.140.154.221] 30164 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629479/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629479; rev:1;) alert tcp $HOME_NET any -> [104.140.154.201] 30164 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629478/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629478; rev:1;) alert tcp $HOME_NET any -> [104.140.154.180] 30127 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629476/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629476; rev:1;) alert tcp $HOME_NET any -> [104.140.154.181] 30126 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629477/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629477; rev:1;) alert tcp $HOME_NET any -> [104.140.154.173] 30164 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629474/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629474; rev:1;) alert tcp $HOME_NET any -> [104.140.154.179] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629475/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629475; rev:1;) alert tcp $HOME_NET any -> [104.140.154.162] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629472/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629472; rev:1;) alert 
tcp $HOME_NET any -> [104.140.154.167] 30216 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629473/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629473; rev:1;) alert tcp $HOME_NET any -> [104.140.154.153] 30216 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629471/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629471; rev:1;) alert tcp $HOME_NET any -> [104.140.154.132] 30127 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629468/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629468; rev:1;) alert tcp $HOME_NET any -> [104.140.154.133] 30148 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629469/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629469; rev:1;) alert tcp $HOME_NET any -> [104.140.154.14] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629470/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629470; rev:1;) alert tcp $HOME_NET any -> [104.140.154.129] 30132 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629467/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629467; rev:1;) alert tcp $HOME_NET any -> [104.140.154.117] 30216 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629466/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"911.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hlp.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8xd.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m00n.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629461; rev:1;) alert tcp $HOME_NET any -> [172.111.244.134] 
4030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629460; rev:1;)
# Exact-name DNS matches: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so only a query for the full
# listed host name alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glu.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vth.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629458; rev:1;)
# IP:port indicators: the match is on destination address and port alone (no
# flow or content keyword), rate-limited to one alert per source per 60 seconds.
# The rule cannot tell the named tool's traffic from any other connection to the
# same endpoint, so a hit is a lead to correlate with host evidence.
# NOTE(review): every ip:port msg in this chunk uses the wording
# "<family> botnet C2 traffic", including for tool names such as Meterpreter and
# MimiKatz; presumably this is the feed's fixed template. Confirm the actual
# threat type at the reference URL.
alert tcp $HOME_NET any -> [3.87.227.105] 102 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629457; rev:1;)
alert tcp $HOME_NET any -> [64.226.121.55] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629456; rev:1;)
alert tcp $HOME_NET any -> [196.251.84.127] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629455/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629455; rev:1;) alert tcp $HOME_NET any -> [45.145.164.234] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629454; rev:1;) alert tcp $HOME_NET any -> [51.81.210.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629453; rev:1;) alert tcp $HOME_NET any -> [34.41.169.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629452; rev:1;) alert tcp $HOME_NET any -> [144.172.109.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629451; rev:1;) alert tcp $HOME_NET any -> [208.69.78.178] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629450; rev:1;) alert tcp $HOME_NET any -> [31.57.147.218] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629449; rev:1;) alert tcp $HOME_NET any -> [110.42.64.206] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629448; rev:1;) alert tcp $HOME_NET any -> [46.17.41.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629447; rev:1;) alert tcp $HOME_NET any -> [117.72.203.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629446; rev:1;) alert tcp $HOME_NET any -> [117.72.160.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629445; rev:1;) alert tcp $HOME_NET any -> [8.152.100.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629444; rev:1;) alert tcp $HOME_NET any -> [38.165.42.58] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629443; rev:1;) alert tcp $HOME_NET any -> [149.104.68.105] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629441; rev:1;) alert tcp $HOME_NET any -> [8.130.79.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629442; rev:1;) alert tcp $HOME_NET any -> [38.55.132.225] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629440; rev:1;) alert tcp $HOME_NET any -> [43.156.91.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3s.hy6o.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g00d.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7pz.02lxy3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"za9.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fv5.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plum.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629433/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_30; classtype:trojan-activity; sid:91629433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9ij.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5o.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ajs.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"perropa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menuderg.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/approve"; depth:8; nocase; http.host; content:"144.31.90.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629074; rev:1;)
# URL indicator: client-to-server GET requests on an established flow whose URI
# begins with "/delta.html" and whose Host is exactly "ndtv.plus". The URI
# content has depth 11 but no isdataat end anchor, so longer paths and query
# strings with that prefix also match; the Host content is anchored at both ends.
# An http rule inspects parsed HTTP only, so it does not see requests carried
# inside TLS unless the traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delta.html"; depth:11; nocase; http.host; content:"ndtv.plus"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629076; rev:1;)
# IP:port indicator for the same address that sid:91629074 matches as an HTTP
# Host value. This rule needs no parsed HTTP: any TCP packet from $HOME_NET to
# port 443 on that address matches, limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [144.31.90.17] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629078; rev:1;)
# IP:port indicators (Cobalt Strike, confidence 100%): destination address and
# port only, with no flow or payload condition; same per-source 60-second limit.
alert tcp $HOME_NET any -> [217.182.253.119] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629109; rev:1;)
alert tcp $HOME_NET any -> [113.44.76.47] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629108; rev:1;)
alert tcp $HOME_NET any -> [20.189.122.18] 39999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629110; rev:1;)
# Domain indicators labelled botnet C2 (confidence 100%). Exact-name match only:
# depth equals the content length and isdataat:!1,relative forbids trailing
# bytes, so a query for any other label under these domains does not alert.
# The rules look at the query itself; whether the name resolved is not checked.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.m365.1drive.zip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautybalcony.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629112; rev:1;)
# IP:port indicators whose msg names no malware family ("Unknown malware"), so
# the alert text gives no triage context beyond the endpoint; the reference URL
# is the only pointer to why the address was listed. Matching is on destination
# address and port alone, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.8.156.39] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629113; rev:1;)
alert tcp $HOME_NET any -> [202.10.36.170] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629114; rev:1;)
alert tcp $HOME_NET any -> [188.245.112.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629115/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629115; rev:1;) alert tcp $HOME_NET any -> [35.156.114.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629116; rev:1;) alert tcp $HOME_NET any -> [13.233.199.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629117; rev:1;) alert tcp $HOME_NET any -> [34.57.30.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629118; rev:1;) alert tcp $HOME_NET any -> [18.197.198.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629119; rev:1;) alert tcp $HOME_NET any -> [35.182.218.232] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629120; rev:1;) alert tcp $HOME_NET any -> [89.37.185.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629121; rev:1;)
# IP:port indicator (BianLian, confidence 100%): any TCP packet from $HOME_NET
# to this address on port 443 matches; no flow, TLS or payload condition is used.
alert tcp $HOME_NET any -> [13.38.18.144] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629122; rev:1;)
# Domain indicator at confidence 75%. The match is anchored at both ends
# (depth 13 for a 13-byte name plus isdataat:!1,relative), so it covers the bare
# domain only; the "he." and "smo." hosts under it have their own rules below.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"75nahgyu2.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629359/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629359; rev:1;)
# IP:port indicator (Mirai, confidence 80%): destination address and port only,
# rate-limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [209.141.34.113] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629354/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_30; classtype:trojan-activity; sid:91629354; rev:1;)
# Exact-name matches for hosts under 75nahgyu2.xyz (confidence 75%).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"he.75nahgyu2.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629360/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smo.75nahgyu2.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629361/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_10_30; classtype:trojan-activity; sid:91629361; rev:1;)
# Telegram Bot API indicator (confidence 75%). Host must be exactly
# "api.telegram.org", a legitimate service, so the discriminating part is the
# URI: it must begin with the 50-byte "/bot<id>:<token>" prefix (depth 50, no
# end anchor), which means requests for this one bot match whatever API method
# follows. The token is written in lower case and compared with nocase.
# NOTE(review): the Bot API is normally reached over HTTPS, so this http rule
# presumably fires only where TLS is decrypted before the sensor; confirm for
# the deployment, otherwise it gives no coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7404299573:aafjqbpn2tzwryugvo-nrdmjy9cxdmy-g40"; depth:50; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629366/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_30; classtype:trojan-activity; sid:91629366; rev:1;)
# Domain indicators (payload delivery, confidence 100%): exact-name DNS query
# matches, anchored by depth equal to the content length and
# isdataat:!1,relative. Each listed host has its own rule; nothing here matches
# a parent domain as a whole.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.s7li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrj.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b23.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mow.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629426/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_30; classtype:trojan-activity; sid:91629426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0se.ze9y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f78.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eaa.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rk8.7g37b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l00k.ze9y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"p19.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d29.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629419; rev:1;) alert tcp $HOME_NET any -> [72.230.113.57] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mint.ze9y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wlk.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629416; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 64336 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629415/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_30; classtype:trojan-activity; sid:91629415; rev:1;)
# url rule (confidence 50): matches a GET request whose http.uri buffer begins with
# the .onion name. depth:62 equals the pattern length, so the pattern must sit at
# offset 0 of the URI. There is no http.host condition.
# NOTE(review): the rule does not show why a .onion hostname would appear at the
# start of the URI buffer in traffic the sensor can see. Test it against
# representative traffic before counting it as coverage, and weigh its
# confidence_level of 50 when setting alert priority.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"e4hwk3w4ztqfkyo6l36ss3tfj4bw2jw4ytkmomkx2ugwjgrs4w3lriid.onion"; depth:62; nocase; reference:url, threatfox.abuse.ch/ioc/1629414/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_30; classtype:trojan-activity; sid:91629414; rev:1;)
# domain rules: exact, case-insensitive match on the DNS query name (depth equals
# the pattern length; isdataat:!1,relative forbids trailing data), so each listed
# host needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gzt.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.ze9y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muj.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tir.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3le.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2b9k.ye-t5c.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7bv.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yrg.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rmx.ye-t5c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"h2v.7g37b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svc.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bwp.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xpx.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h71.ye-t5c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"epw.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629399/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"npo.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0wq.ye-t5c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629397; rev:1;) alert tcp $HOME_NET any -> [23.22.39.162] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629396; rev:1;) alert tcp $HOME_NET any -> [34.244.72.196] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629395; rev:1;) alert tcp $HOME_NET any -> [165.22.159.5] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629394; rev:1;) alert tcp $HOME_NET any -> [85.9.215.122] 1234 (msg:"ThreatFox 
MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629393; rev:1;)
# NOTE(review): the family name in each msg ("MimiKatz" in the rule ending on the
# line above; MooBot, AsyncRAT and Sliver below) is a label attached to the
# indicator. The rules themselves match only destination IP and port and inspect
# no payload, so an alert does not identify the protocol or tool actually in use.
# ip:port rules: header-only match with no flow:, flags or content option. Any TCP
# packet from $HOME_NET to the endpoint matches, limited by the threshold to one
# alert per source per 60 seconds. target:src_ip marks the $HOME_NET side as the
# affected host in the alert.
# NOTE(review): endpoints on common service ports (80, 443) may also serve
# unrelated traffic. Corroborate with flow, TLS or HTTP logs before escalating,
# and apply an expiry policy based on first_seen.
alert tcp $HOME_NET any -> [45.153.34.51] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629392; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629391; rev:1;)
alert tcp $HOME_NET any -> [209.38.69.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629390; rev:1;)
alert tcp $HOME_NET any -> [57.129.75.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629388; rev:1;)
alert tcp $HOME_NET any -> [8.141.95.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629389; rev:1;) alert tcp $HOME_NET any -> [196.251.70.24] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629387; rev:1;) alert tcp $HOME_NET any -> [196.251.116.219] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629386; rev:1;) alert tcp $HOME_NET any -> [91.92.242.68] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629385; rev:1;) alert tcp $HOME_NET any -> [103.149.93.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629384; rev:1;) alert tcp $HOME_NET any -> [69.62.80.16] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629382; rev:1;) alert tcp $HOME_NET any -> [156.225.23.7] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1629383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nyd.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tj3.ye-t5c.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.7g37b.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a19.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gsd.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z0d.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8.ye-t5c.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cct.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2a5.5no-v.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j83.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"1z.5no-v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n84.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qpr.5no-v.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ewd.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m94.5no-v.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0q9.7g37b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629365/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vkp.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"405.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7t.5no-v.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c99.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7x.7g37b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629356; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cbo.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uv4.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yx.5no-v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jcr.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.7g37b.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0r9.7si-s.ru"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h07.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4y.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fh9.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8s3.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xk2.7si-s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; 
classtype:trojan-activity; sid:91629164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9q.2s84d.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vyt.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h27.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4m.7si-s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gp3.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"pnq.7si-s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g42.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rh6.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v31.7si-s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6i4.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.2s84d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629153/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629153; rev:1;) alert tcp $HOME_NET any -> [43.229.150.69] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629152; rev:1;) alert tcp $HOME_NET any -> [3.115.56.24] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629151; rev:1;) alert tcp $HOME_NET any -> [45.141.87.243] 4954 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7.7si-s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y27.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_30; classtype:trojan-activity; sid:91629148; rev:1;) alert tcp $HOME_NET any -> [64.188.91.231] 443 (msg:"ThreatFox Rhadamanthys botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629147; rev:1;)
# Two more Rhadamanthys ip:port indicators on 443/tcp. Neither rule looks at TLS or payload,
# so any packet a $HOME_NET host sends to these addresses on that port matches; the threshold
# keeps it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [80.97.160.178] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629146; rev:1;)
alert tcp $HOME_NET any -> [45.153.34.90] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629145; rev:1;)
# DNS indicators tagged "botnet C2 traffic". In every rule here the sid is 9 followed by the
# ThreatFox IOC id from the reference URL, which gives a direct pivot from an alert to the
# IOC record during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feromonesbones.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ljutyojkfgjkfnmf.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unfet.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629141/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629141; rev:1;)
# Run of .mom names, all tagged botnet C2 with confidence_level 100 and first_seen 2025_10_29.
# Each rule is an exact match on the full query name (depth = content length, then
# isdataat:!1,relative), so one rule never covers a sibling name: a further name in the same
# TLD needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eleciso.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imbibei.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dimityk.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"databap.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"puntoc.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629126; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aspedyd.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629127; rev:1;)
# Exact-name DNS query rules for botnet C2 domains. target:src_ip tells Suricata that the
# source address, here the querying $HOME_NET client, is the target of the activity, so the
# internal host is the one reported as affected in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"czarpve.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chinij.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lonaktm.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caddov.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"overruq.mom"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629132; rev:1;)
# Exact-name DNS query rules. dns_query is the legacy spelling of the dns.query buffer keyword,
# while the HTTP rules in this feed use the dotted form (http.uri, http.host). Confirm the
# deployed Suricata version still accepts the legacy name before loading.
# "alert dns" depends on Suricata parsing the DNS exchange, so lookups made over an encrypted
# resolver channel (DoH/DoT) will not reach these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corneot.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biauob.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maghaf.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"overfrz.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"middii.mom"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91629137; rev:1;)
# Three .locker names tagged "botnet C2 traffic", each matched as an exact query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pleasuc.locker"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sugare.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satet.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629140; rev:1;)
# From here the msg category changes to "payload delivery". The classtype stays
# trojan-activity for both categories, so the category can only be told apart from the msg
# text, not from classtype or metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0t2.2s84d.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvu.xa4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"9hd.1ne-z.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629105; rev:1;)
# Exact-name DNS match for a payload-delivery host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0t.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629104; rev:1;)
# Vidar ip:port indicator: any TCP packet from $HOME_NET to this address on 443 matches, with
# no TLS or payload condition; limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [168.119.55.209] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629103; rev:1;)
# DNS rules for two hosts that also have an HTTP (url) rule in this feed, so a single visit
# over cleartext HTTP can raise both a DNS alert and an HTTP alert for the same host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wvw.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wvw.united-gs.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629102; rev:1;)
# HTTP (url) rule: client-to-server GET on an established flow. The URI condition is only a
# leading "/" (depth:1), which every request path satisfies, so in practice the rule alerts
# on any GET whose Host is exactly the listed name. It inspects parsed cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"wvw.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629099; rev:1;)
# HTTP (url) rule: GET from the client on an established flow, URI starting with "/" and Host
# exactly wvw.united-gs.net (depth:17 plus isdataat:!1,relative). Because the URI test is just
# the leading slash, any path on that host alerts. The host content carries no nocase:
# Suricata's http.host buffer is already lower-cased. HTTPS to the same host is not covered
# by this rule; the DNS rule for the name is what would still fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wvw.united-gs.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629100; rev:1;)
# Exact-name DNS matches for payload-delivery hosts (depth = content length, nothing may
# follow the name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.1ne-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8m.2s84d.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sbh.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9mv.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1629095/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629095; rev:1;)
# Lower-confidence indicators: confidence_level is 50 in both msg and metadata, yet the action
# (alert) and classtype (trojan-activity) are the same as for the 100% rules, so the confidence
# has to be read from metadata or msg when prioritising. The first name looks like a host under
# a shared tunnelling zone (ply.gg); the exact-name match keeps it to that one name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"movies-buzz.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629094/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629094; rev:1;)
# Remcos ip:port indicators at confidence 50: address-and-port match only, no payload check.
alert tcp $HOME_NET any -> [192.227.128.173] 3028 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629092/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629092; rev:1;)
alert tcp $HOME_NET any -> [216.9.224.128] 4225 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629093/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629093; rev:1;)
# Payload-delivery host at confidence 100, exact query-name match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zv1.1ne-z.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629091; rev:1;)
# Confidence-50 name under duckdns.org, a dynamic-DNS zone shared by unrelated users; only this
# one hostname is matched, not the zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blessingshope100.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629086/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629086; 
rev:1;)
# Confidence-50 botnet C2 names, each an exact query-name match. Two consequences of the exact
# match: the rules with a "www." prefix do not alert on the bare domain, and the names under
# shared provider zones (duckdns.org, dynuddns.com) flag only the listed hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mangomondayyy.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629087/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.abiaclassprojectpage.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629088/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.charlesschrf.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629089/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zihnyunrui.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629090/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lux0w0w0w.dynuddns.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629085/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629085; rev:1;)
alert tcp $HOME_NET any -> [91.231.222.220] 7540 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629084/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629084; rev:1;)
# Confidence-50 DNS indicator, exact query-name match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sb0vht3nf.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629083/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629083; rev:1;)
# Confidence-50 HTTP (url) rules. The URI test is a leading "/" only, so any GET to the exact
# Host value alerts. The Host match is anchored at both ends (depth = content length, then
# isdataat:!1,relative), which means the long ww25.<uuid>.server2 name and server6 are each
# matched on their own and no other ninhaine.com host is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ww25.198c0529-1ea6-483a-8a2e-66d8df595657.server2.ninhaine.com"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629082/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server6.ninhaine.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629081/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91629081; rev:1;)
# Here the URI test is a prefix match: "/sign-in" must be the first 8 bytes (depth:8, nocase)
# but nothing anchors the end, so longer paths or a query string after /sign-in also match.
# The Host is matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign-in"; depth:8; nocase; http.host; content:"amfspro.click"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629080/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91629080; rev:1;)
# Payload-delivery hosts, one rule per full hostname. Only the listed name is matched (depth =
# content length, isdataat:!1,relative); the parent zone and other labels under it are not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v4.2s84d.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bgq.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fxh.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2a9.1ne-z.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629071; rev:1;)
# Nanocore RAT ip:port indicator at confidence 75. It matches any TCP packet from $HOME_NET to
# this address on 8080 with no payload condition; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [85.117.242.5] 8080 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629070/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"h.3c38h.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629069; rev:1;)
# Exact-name DNS matches for payload-delivery hosts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a4t.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xyq.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629067; rev:1;)
# Cobalt Strike ip:port indicator at confidence 75. The malware family appears only in the msg
# text; the rule itself checks destination address and port (8443) and nothing in the traffic.
alert tcp $HOME_NET any -> [8.136.50.233] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629066/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rp8.1ne-z.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3jc.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629064/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629064; rev:1;)
# Payload-delivery hosts with short, varying first labels. Several parent domains
# (1ne-z.ru, 3c38h.ru, n5ol.ru, fe7a.ru, mi7x.ru) recur across this feed with different labels,
# but every rule is an exact match on one full hostname, so a label not yet listed under the
# same parent will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4.1ne-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j5a.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"689.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.3c38h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qcv.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k.3c38h.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629058; rev:1;)
# Exact-name DNS match for a payload-delivery host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cs0.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629057; rev:1;)
# ip:port indicators interleaved with a DNS rule. For the tcp rules the family name
# (PureLogs Stealer, Meterpreter) is carried only in msg; the match itself is destination
# address plus port, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.163.204.16] 7720 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g00d.da-5-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629055; rev:1;)
alert tcp $HOME_NET any -> [106.14.132.222] 8082 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629054; rev:1;)
# The destination port here, 1433/tcp, is the conventional Microsoft SQL Server port. The rule
# does not check the protocol spoken, only that a $HOME_NET host sent TCP to this address on
# that port.
alert tcp $HOME_NET any -> [43.198.241.172] 1433 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1629053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629053; rev:1;)
# Run of ip:port indicators (DCRat x3, Sliver, Remcos), all confidence 100. Each matches on
# destination address and port alone. The only date a rule carries is first_seen in metadata;
# nothing in the rule expires it, so retiring stale address indicators is left to whoever
# maintains the ruleset (NOTE(review): confirm how the feed itself ages entries out).
alert tcp $HOME_NET any -> [64.7.199.42] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629050; rev:1;)
alert tcp $HOME_NET any -> [185.189.12.247] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629051; rev:1;)
alert tcp $HOME_NET any -> [84.247.179.96] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629052; rev:1;)
alert tcp $HOME_NET any -> [120.78.127.57] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629049; rev:1;)
alert tcp $HOME_NET any -> [196.251.72.219] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugolinovivaldi19490524.html"; depth:28; nocase; http.host; content:"hancockmontrealboreal.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629048; rev:1;)
# ip:port indicators for Latrodectus (443/tcp) and ValleyRAT (783/tcp). Both match any TCP
# packet from $HOME_NET to the listed address and port; there is no TLS or payload condition.
alert tcp $HOME_NET any -> [91.92.242.67] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629046; rev:1;)
alert tcp $HOME_NET any -> [103.27.77.131] 783 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629045; rev:1;)
# Exact-name DNS matches for payload-delivery hosts. Unlike the tcp rules these carry no
# threshold keyword, so each matching query can alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"64d.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq7.3c38h.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1me.da-5-v.ru"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629042; rev:1;)
# Exact-name DNS match for a payload-delivery host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uny.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629041; rev:1;)
# Three ip:port indicators at confidence 75 (Mirai, XWorm, Remcos). They alert with the same
# action and classtype as the 100% rules, so the metadata confidence_level is the field to
# key on when ranking these lower. Each matches destination address and port only.
alert tcp $HOME_NET any -> [213.142.148.110] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629040/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629040; rev:1;)
alert tcp $HOME_NET any -> [192.30.241.135] 6106 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629039/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629039; rev:1;)
alert tcp $HOME_NET any -> [158.94.209.164] 2828 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629038/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7it.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629037; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6wo.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2.3c38h.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foam.da-5-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uxg.n5ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629033; rev:1;) alert tcp $HOME_NET any -> [111.92.240.180] 5539 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ke0.po5m.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flip.da-5-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyy.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629029; rev:1;) alert tcp $HOME_NET any -> [95.179.219.176] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629028/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629028; rev:1;) alert tcp $HOME_NET any -> [74.48.158.45] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sak.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; 
sid:91629026; rev:1;) alert tcp $HOME_NET any -> [189.146.123.254] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629025/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629025; rev:1;) alert tcp $HOME_NET any -> [167.71.83.95] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629024/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91629024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flat.da-5-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1st.r-1-v-x.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vfp.hy6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0m0.n5ol.ru"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oaks.r-1-v-x.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qon.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b00k.je-9-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0de.r-1-v-x.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"in9.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629015/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"middii.mom"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1629014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629014; rev:1;) alert tcp $HOME_NET any -> [193.233.112.46] 3389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629013; rev:1;) alert tcp $HOME_NET any -> [195.10.205.64] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assistancewindows20025.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629011; rev:1;) alert tcp $HOME_NET any -> [196.251.70.127] 2011 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1629010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629010; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"armadengineering.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c00l.je-9-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dwr.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1u.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"girl.je-9-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"puma.r-1-v-x.ru"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nn3.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7rj.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gear.je-9-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"57y.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1629000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91629000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fawn.je-9-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628999/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_29; classtype:trojan-activity; sid:91628999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"11f.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m00n.x-2-lu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hb3.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1te.fa-0-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1i.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"pa5s.x-2-lu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scatbhn.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628992/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uqb.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i11s.fa-0-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bop.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"yarn.x-2-lu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xes.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628987; rev:1;) alert tcp $HOME_NET any -> [139.212.60.147] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628986; rev:1;) alert tcp $HOME_NET any -> [103.14.225.124] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628985; rev:1;) alert tcp $HOME_NET any -> [104.250.169.2] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628984; rev:1;) alert tcp $HOME_NET any -> [79.241.102.152] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91628982; rev:1;) alert tcp $HOME_NET any -> [13.247.108.3] 44819 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628983; rev:1;) alert tcp $HOME_NET any -> [185.72.199.114] 1717 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628981; rev:1;) alert tcp $HOME_NET any -> [158.94.209.59] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628980; rev:1;) alert tcp $HOME_NET any -> [157.20.182.47] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628979; rev:1;) alert tcp $HOME_NET any -> [108.129.39.149] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628978; rev:1;) alert tcp $HOME_NET any -> [85.9.198.8] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1628977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628977; rev:1;) alert tcp $HOME_NET any -> [212.154.2.45] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628976; rev:1;) alert tcp $HOME_NET any -> [196.251.116.219] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628975; rev:1;) alert tcp $HOME_NET any -> [152.136.103.50] 18444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628974; rev:1;) alert tcp $HOME_NET any -> [123.57.209.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628973; rev:1;) alert tcp $HOME_NET any -> [123.57.209.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628972; rev:1;) alert tcp $HOME_NET any -> [38.162.117.244] 
1099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628970; rev:1;) alert tcp $HOME_NET any -> [34.30.114.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"seb.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gale.x-2-lu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xx6.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; 
nocase; http.host; content:"polimakels.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polimakels.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"polimakels.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"polimakels.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lfrs.php"; depth:9; nocase; http.host; content:"emcuk.co.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628963; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/waterfool.zip"; depth:14; nocase; http.host; content:"galaxyfoundation.org.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"galaxyfoundation.org.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628965; rev:1;) alert tcp $HOME_NET any -> [5.181.156.234] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1oi.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0rn.fa-0-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brim.x-2-lu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1fj.lo9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acp.mi7x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0i1.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628953; rev:1;) alert tcp $HOME_NET any -> [192.227.173.59] 1983 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0da.r-9-xa.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1628951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5u2.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7d0.ka2s.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628949; rev:1;) alert tcp $HOME_NET any -> [138.199.147.128] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.united-gs.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628947; 
rev:1;)
# URL-type IOCs (alert http). These rules inspect parsed HTTP requests only, so they
# depend on the request being visible to the HTTP parser in cleartext.
# In the next two rules the http.uri test is content:"/" with depth:1. Any URI that
# begins with "/" satisfies it, so the rule effectively alerts on every GET whose
# http.host buffer is exactly the listed name (depth equals the name length and
# isdataat:!1,relative rejects trailing bytes). Triage them as host-level hits,
# not as hits on one specific resource.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dev.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dev.united-gs.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628945; rev:1;)
# Domain-type IOC (alert dns). depth equals the length of the name and
# isdataat:!1,relative requires the buffer to end right after it, so only a query
# for exactly this name matches; names below or above it in the DNS tree do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2l.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628943; rev:1;)
# The URI test below is a prefix match: content:"/api" with depth:4 and no end
# anchor, so any path starting with "/api" on this host alerts. The feed rates this
# entry at confidence_level 75; weigh it accordingly when tuning or escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ineffqa.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628942/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bots.kiro.forum"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628941/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628941; rev:1;) alert tcp $HOME_NET any -> [176.65.134.16] 2083 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628940/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l0se.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gu5.v3ix.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1st.r-9-xa.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zy8.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pfol.wav"; depth:9; nocase; http.host; content:"asturiasactiva.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asturiasactiva.es"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628920; rev:1;) alert tcp $HOME_NET any -> [193.233.112.46] 59999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5f3e.js"; depth:8; nocase; http.host; content:"varorg.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"varorg.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"varorg.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0ar.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cove.r-9-xa.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zwf.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"knit.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"glow.r-9-xa.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wdh.bo3l.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628927; rev:1;) alert tcp $HOME_NET any -> [38.102.8.135] 24054 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qty.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plum.r-9-xa.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tide.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628923/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xk9.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628921; rev:1;) alert tcp $HOME_NET any -> [158.94.209.164] 2040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628918/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9jw.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l00k.vo-3-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0b.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"rook.ju-5-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dm1.r4tu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7cw.wi0x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0se.vo-3-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ogj.po5m.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628910; rev:1;) alert tcp $HOME_NET any -> [217.114.10.85] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1628909/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.vo-3-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cki.fe7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qje.ra6n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wq7.1z22k.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tvx.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628904; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mint.vo-3-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2v.ju8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nfs8u9aw.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad4rchr39w8f.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zppd.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
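content:"urclive.help"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628899; rev:1;)
# Domain-type IOCs (alert dns). In each rule depth equals the length of the name
# and isdataat:!1,relative requires the query buffer to end right after it, so the
# match is on the whole query name only; other labels under the same parent domain
# are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rwmb.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hasist.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hmd.gl8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5m9.1z22k.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628894; rev:1;)
# NOTE(review): as published, this rule tested http.uri for content:"95.217.139.186"
# with depth:14, i.e. the address had to sit at offset 0 of the request URI. An
# ordinary request URI starts with "/", so that match could not succeed and the IOC
# went undetected. The address is presumably the host part of the IOC URL (confirm
# against the ThreatFox entry); the match is therefore made on http.host, anchored
# the same way as the other url rules in this feed (depth = length, isdataat:!1,relative).
# nocase is not carried over to the http.host match, as in the sibling url rules.
# This is a local correction to a generated rule: a feed refresh will overwrite it,
# so carry it in the rule-update tooling or report it upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"95.217.139.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628893; rev:1;)
# ip:port IOCs (alert tcp). These rules carry no content or flow keywords: they
# match on destination address and port alone. threshold type limit, track by_src,
# seconds 60, count 1 caps output at one alert per source host per 60 seconds, so
# a single alert can stand for many packets; use flow records to size the activity.
# Addresses change hands, so check first_seen in the metadata when triaging a hit.
alert tcp $HOME_NET any -> [168.245.201.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628892; rev:1;)
alert tcp $HOME_NET any -> [168.245.201.74] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windefenderconection.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628890; rev:1;)
alert tcp $HOME_NET any -> [106.15.192.7] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628889; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.201] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 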
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/d5ba60033ceb6c832:123"; depth:24; nocase; http.host; content:"upaste.me"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takes-thinkpad.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628886; rev:1;) alert tcp $HOME_NET any -> [103.173.226.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yu2.ze9y.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.vo-3-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"xc6.s7li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628882; rev:1;) alert tcp $HOME_NET any -> [8.152.100.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628842; rev:1;) alert tcp $HOME_NET any -> [35.229.219.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628861; rev:1;) alert tcp $HOME_NET any -> [34.143.155.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628862; rev:1;) alert tcp $HOME_NET any -> [34.87.144.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628863; rev:1;) alert tcp $HOME_NET any -> [3.24.213.227] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91628864; rev:1;) alert tcp $HOME_NET any -> [3.77.95.11] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628865; rev:1;) alert tcp $HOME_NET any -> [35.194.35.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628866; rev:1;) alert tcp $HOME_NET any -> [84.247.191.4] 65500 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628867; rev:1;) alert tcp $HOME_NET any -> [213.232.229.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628868; rev:1;) alert tcp $HOME_NET any -> [139.162.114.227] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628869; rev:1;) alert tcp $HOME_NET any -> [35.184.92.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628870; rev:1;) alert tcp $HOME_NET any -> [15.206.45.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628871; rev:1;) alert tcp $HOME_NET any -> [34.69.19.152] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628872; rev:1;) alert tcp $HOME_NET any -> [45.145.228.179] 8010 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628873; rev:1;) alert tcp $HOME_NET any -> [13.213.60.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628860; rev:1;) alert tcp $HOME_NET any -> [209.182.238.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628859; 
rev:1;)
# Reviewer notes for the rules that follow (generated ThreatFox feed; rule text is unchanged):
# - sid is the ThreatFox IOC id from the reference URL prefixed with 9
#   (sid:91628858 <-> threatfox.abuse.ch/ioc/1628858/), so an alert maps directly to its IOC record.
# - ip:port rules match on destination address and port only: there is no flow or content
#   keyword, so the first packet towards the endpoint (a bare SYN included) raises the alert.
#   Treat a hit as "a host tried to reach this endpoint", not as proof of an established session.
#   threshold caps output at one alert per source address per 60 seconds.
# - domain rules anchor the pattern at offset 0 (depth equals the pattern length) and forbid
#   trailing data (isdataat:!1,relative), i.e. they match one exact query name, case-insensitively.
#   Other hostnames under the same parent domain are not covered.
# - dns rules only see queries going $HOME_NET -> $EXTERNAL_NET. Where clients use an internal
#   resolver, the alerting source (and the target:src_ip host) may be that resolver rather than
#   the endpoint that asked -- confirm against resolver logs.
# - every rule carries classtype:trojan-activity; the IOC confidence appears only in msg and
#   metadata confidence_level, so triage on that field.
alert tcp $HOME_NET any -> [34.174.229.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628858; rev:1;)
alert tcp $HOME_NET any -> [20.224.21.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628857; rev:1;)
alert tcp $HOME_NET any -> [34.132.98.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628856; rev:1;)
alert tcp $HOME_NET any -> [3.142.94.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628855; rev:1;)
alert tcp $HOME_NET any -> [220.79.56.176] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628854; rev:1;)
alert tcp $HOME_NET any -> [69.62.80.16] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628853; rev:1;)
alert tcp $HOME_NET any -> [91.217.90.45] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628852; rev:1;)
alert tcp $HOME_NET any -> [43.155.166.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628851; rev:1;)
alert tcp $HOME_NET any -> [47.236.19.197] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628850; rev:1;)
alert tcp $HOME_NET any -> [34.67.160.108] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628849; rev:1;)
alert tcp $HOME_NET any -> [144.172.109.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628848; rev:1;)
alert tcp $HOME_NET any -> [3.80.85.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628847; rev:1;)
alert tcp $HOME_NET any -> [102.117.166.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628846; rev:1;)
# The next name is assembled from Microsoft-looking labels (m365, 1drive) under the .zip TLD.
# The rule matches this single 27-byte query name only; related names would need their own IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.aadcdnn.m365.1drive.zip"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628845; rev:1;)
alert tcp $HOME_NET any -> [8.130.79.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628844; rev:1;)
alert tcp $HOME_NET any -> [154.8.156.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628843; rev:1;)
alert tcp $HOME_NET any -> [8.155.162.23] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628841; rev:1;)
# URL rule: GET only, established client-to-server flow, exact Host match, and a URI that
# *starts with* "/s/x.js" (depth:7 anchors the start; nothing anchors the end, and nocase makes
# the path case-insensitive). It only sees cleartext HTTP; the same fetch over TLS is left to
# the domain rule below, which the feed rates at confidence 50 rather than 100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/x.js"; depth:7; nocase; http.host; content:"secureapimiddleware.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"secureapimiddleware.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628836/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91628836; rev:1;)
# Payload-delivery hostnames under a small set of .ru parent domains start here and are
# interleaved with other rules below. Each rule pins one hostname; a parent seen with several
# hosts (1z22k.ru, tu-7-q.ru, je9r.ru, ...) is worth a separate search of DNS logs, since
# hostnames not listed here raise no alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0.1z22k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fun.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goat.tu-7-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hay.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1g.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fab.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"golf.tu-7-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1x.1z22k.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boa.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628839; rev:1;)
# Confidence 75 ip:port IOCs. They alert exactly like the confidence-100 ones, and 443 is a
# port that unrelated services also use, so corroborate with flow/TLS metadata before escalating.
alert tcp $HOME_NET any -> [112.3.31.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628837/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628837; rev:1;)
alert tcp $HOME_NET any -> [103.39.19.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628833/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628833; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628834/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628834; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628835/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"joy.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s3.1z22k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.tu-7-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fix.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bee.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jar.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1rd.tu-7-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0x.6wou3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dug.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s00n.tu-7-q.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hub.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628821; rev:1;)
alert tcp $HOME_NET any -> [88.218.64.49] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0p.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lag.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1lk.pi-6-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"age.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628816; rev:1;)
alert tcp $HOME_NET any -> [175.24.191.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628815; rev:1;)
alert tcp $HOME_NET any -> [179.43.186.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628814; rev:1;)
alert tcp $HOME_NET any -> [124.220.76.69] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628813; rev:1;)
alert tcp $HOME_NET any -> [38.85.201.33] 4646 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q.6wou3.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nay.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rig.n4ym.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p00l.pi-6-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5ap.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628807; rev:1;)
# Confidence 75 framework IOCs (Sliver, DeimosC2) follow, mixed with confidence-100 domain rules.
alert tcp $HOME_NET any -> [79.124.77.41] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628806/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628806; rev:1;)
alert tcp $HOME_NET any -> [52.54.56.239] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628805/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"red.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628804; rev:1;)
alert tcp $HOME_NET any -> [217.195.153.224] 8088 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628803/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628803; rev:1;)
alert tcp $HOME_NET any -> [16.64.4.25] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628802/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628802; rev:1;)
alert tcp $HOME_NET any -> [154.17.1.92] 47891 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628801/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lab.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f6.6wou3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hark.pi-6-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"see.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1id.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.3pea2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lie.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"east.pi-6-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628793; rev:1;)
# Reviewer notes for the rules that follow (generated ThreatFox feed; rule text is unchanged):
# - sid is the ThreatFox IOC id from the reference URL prefixed with 9
#   (sid:91628792 <-> threatfox.abuse.ch/ioc/1628792/).
# - ip:port rules have no flow or content keyword, so they fire on the first packet sent to the
#   listed address and port, whether or not a connection completes; threshold limits each rule
#   to one alert per source address per 60 seconds. The only date carried is first_seen, so
#   decide locally how long an address stays in the ruleset.
# - domain rules match one exact query name (depth equals the pattern length and
#   isdataat:!1,relative forbids trailing bytes), case-insensitively.
# - target:src_ip marks the $HOME_NET side as the target. For dns rules that can be an
#   internal resolver forwarding the query rather than the originating endpoint.
# - classtype is trojan-activity at every confidence level; use metadata confidence_level
#   (50, 75 and 100 all occur below) to prioritise.
alert tcp $HOME_NET any -> [162.252.199.16] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628792; rev:1;)
alert tcp $HOME_NET any -> [54.178.98.33] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628790; rev:1;)
alert tcp $HOME_NET any -> [18.178.163.94] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628791; rev:1;)
alert tcp $HOME_NET any -> [91.217.90.45] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628788; rev:1;)
alert tcp $HOME_NET any -> [45.145.164.234] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudstoragebox.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628787; rev:1;)
alert tcp $HOME_NET any -> [5.180.151.9] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628786; rev:1;)
alert tcp $HOME_NET any -> [38.162.116.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628785; rev:1;)
alert tcp $HOME_NET any -> [35.91.137.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628784; rev:1;)
alert tcp $HOME_NET any -> [79.124.77.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628783; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.37] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628782; rev:1;)
alert tcp $HOME_NET any -> [8.130.79.38] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628780; rev:1;)
alert tcp $HOME_NET any -> [8.130.22.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628781; rev:1;)
alert tcp $HOME_NET any -> [154.26.246.191] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0ff.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628777; rev:1;)
# pdo.tweethost.com and pdo.united-gs.net each get a domain rule and a URL rule. The URL rules
# use content:"/"; depth:1 on http.uri, which is satisfied by any path beginning with "/",
# so in effect they flag every cleartext GET whose Host is exactly that name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdo.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdo.united-gs.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pdo.united-gs.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pdo.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"but.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2m.3pea2.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shy.n4ym.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628770; rev:1;)
# Confidence 50: the next two rules are the weakest IOCs in this stretch, yet they alert with
# the same classtype as the rest. Review hits alongside other evidence before acting on them.
alert tcp $HOME_NET any -> [167.17.40.170] 443 (msg:"ThreatFox HijackLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628769/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91628769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gestcular.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628768/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91628768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dock.pi-6-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ion.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eel.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7k.3pea2.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0up.k-8-li.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"one.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628762; rev:1;)
# Confidence 50, and the name sits under ply.gg, which appears to be a shared tunnelling-service
# domain (TODO confirm). The rule pins this one hostname; it says nothing about the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"materials-mali.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628761/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91628761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ate.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0n9.3pea2.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0ur.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fit.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628757; rev:1;)
alert tcp $HOME_NET any -> [93.127.160.209] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628756/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"far.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628755; rev:1;)
# 165.154.244.221 is covered twice: as an exact Host value in the URL rule (confidence 75, URI
# prefix "/wc7l", case-insensitive) and as an ip:port rule on 8099 (confidence 100). Both can
# fire for the same connection, so correlate on the address when counting affected hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wc7l"; depth:5; nocase; http.host; content:"165.154.244.221"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628754/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628754; rev:1;)
alert tcp $HOME_NET any -> [165.154.244.221] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gab.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628752; rev:1;)
alert tcp $HOME_NET any -> [102.165.46.162] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628751; rev:1;)
# duckdns.org is a dynamic-DNS provider shared by many unrelated users; the rule matches this
# single hostname, and the address behind it can change without the rule changing.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"villataxi.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628750; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"navy.k-8-li.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"screen-suggesting.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"get.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ore.n4ym.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628746; rev:1;) alert tcp $HOME_NET any -> [144.124.240.154] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azure.m365.1drive.zip"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628385; rev:1;) alert tcp $HOME_NET any -> [108.181.115.243] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.accounts.m365.1drive.zip"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628386; rev:1;) alert tcp $HOME_NET any -> [198.252.109.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628388; rev:1;) alert tcp $HOME_NET any -> [59.110.29.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628389; rev:1;) alert tcp $HOME_NET any -> [101.42.187.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91628390; rev:1;) alert tcp $HOME_NET any -> [167.172.182.247] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628391; rev:1;) alert tcp $HOME_NET any -> [51.77.220.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628392; rev:1;) alert tcp $HOME_NET any -> [5.188.29.124] 8735 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628393; rev:1;) alert tcp $HOME_NET any -> [137.184.118.154] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628394; rev:1;) alert tcp $HOME_NET any -> [213.199.38.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628395; rev:1;) alert tcp $HOME_NET any -> [103.101.225.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628397; rev:1;) alert tcp $HOME_NET any -> [104.21.37.230] 8080 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbjdf8dsh/login.php"; depth:20; nocase; http.host; content:"23.94.145.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.3pea2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ban.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kiln.k-8-li.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1628743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"out.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"law.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6.4qua0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hand.k-8-li.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lap.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; 
sid:91628738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7p2.4qua0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rid.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jog.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"any.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a03.4qua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hew.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628732; rev:1;) alert tcp $HOME_NET any -> [172.104.242.220] 4444 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amfspro.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628730; rev:1;) alert tcp $HOME_NET any -> [112.124.24.132] 9000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628729; rev:1;) alert tcp $HOME_NET any -> [173.254.215.95] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628728; rev:1;) alert tcp $HOME_NET any -> [18.143.176.70] 50580 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628727/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_29; classtype:trojan-activity; sid:91628727; rev:1;) alert tcp $HOME_NET any -> [94.141.122.234] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628726; rev:1;) alert tcp $HOME_NET any -> [94.154.35.114] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628725; rev:1;) alert tcp $HOME_NET any -> [95.181.212.113] 12313 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628724; rev:1;) alert tcp $HOME_NET any -> [108.181.115.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628723; rev:1;) alert tcp $HOME_NET any -> [5.188.190.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628721; rev:1;) alert tcp $HOME_NET any -> [198.252.109.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1628722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628722; rev:1;) alert tcp $HOME_NET any -> [37.114.41.229] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628718; rev:1;) alert tcp $HOME_NET any -> [195.123.240.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628719; rev:1;) alert tcp $HOME_NET any -> [40.233.73.136] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628720; rev:1;) alert tcp $HOME_NET any -> [158.94.209.59] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628717; rev:1;) alert tcp $HOME_NET any -> [34.67.160.108] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628715; rev:1;) alert tcp $HOME_NET any -> [34.16.39.218] 7443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628716; rev:1;) alert tcp $HOME_NET any -> [51.81.210.203] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628714; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 2703 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628713; rev:1;) alert tcp $HOME_NET any -> [209.38.69.133] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628712; rev:1;) alert tcp $HOME_NET any -> [203.202.232.37] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628710; rev:1;) alert tcp $HOME_NET any -> [196.251.115.90] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628711/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_29; classtype:trojan-activity; sid:91628711; rev:1;) alert tcp $HOME_NET any -> [46.151.33.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628709; rev:1;) alert tcp $HOME_NET any -> [8.130.22.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628708; rev:1;) alert tcp $HOME_NET any -> [34.131.39.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628707; rev:1;) alert tcp $HOME_NET any -> [154.198.49.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628705; rev:1;) alert tcp $HOME_NET any -> [8.219.115.51] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gig.n4ym.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.4qua0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hat.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1d.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2ch.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"led.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628699/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_29; classtype:trojan-activity; sid:91628699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bet.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9z.4qua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ken.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8wy.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dry.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"p5ld.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628692; rev:1;) alert tcp $HOME_NET any -> [8.17.56.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628691/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628691; rev:1;) alert tcp $HOME_NET any -> [185.225.226.74] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628690/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_29; classtype:trojan-activity; sid:91628690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hid.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bra.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628688; rev:1;) alert tcp $HOME_NET any -> [23.94.145.109] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628687/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_10_29; classtype:trojan-activity; sid:91628687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9sr.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cap.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628685; rev:1;) alert tcp $HOME_NET any -> [147.185.221.223] 31494 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"had.n4ym.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"may.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"q1.4qua0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0qm.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"has.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0re.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bus.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3vf.9ha-t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1628676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10ta.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fro.pi6o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6nb.7l-0b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asp.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2px.7l-0b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628671; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dud.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7w.7l-0b.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nag.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1hs.7l-0b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pop.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"s1ne.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628665; rev:1;)
# Domain IoC rule. `depth` is set to the length of the content string and
# `isdataat:!1,relative` requires that no byte follows the match, so the rule
# fires only on a DNS query for exactly the listed name (`nocase` makes the
# comparison case-insensitive). Subdomains of the listed name and other hosts
# under the same parent domain are not covered by this rule.
# `target:src_ip` marks the querying $HOME_NET host as the affected side in the event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ant.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628664; rev:1;)
# URL IoC rule. Matches a client-to-server GET on an established flow whose URI
# starts with the listed path and whose Host header is exactly the listed
# address. The URI match has `depth` but no end anchor, so it is a prefix match:
# a query string or longer path after "/mbjdf8dsh/index.php" still alerts.
# Only traffic that Suricata parses as HTTP is inspected by this rule.
# The same address is also listed in the ip:port rule sid:91628687 (Amadey,
# port 80, confidence 50%), so a plain-HTTP request to it on port 80 should raise
# both alerts; treat them as one event when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbjdf8dsh/index.php"; depth:20; nocase; http.host; content:"23.94.145.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628663; rev:1;)
# Domain IoC rules, same exact-name matching as sid:91628664 above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pit.n4ym.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sage.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9tc.7l-0b.ru"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fin.je9r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4qy.7l-0b.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rum.da5v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hot.x2lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onyx.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; 
classtype:trojan-activity; sid:91628655; rev:1;)
# ip:port IoC rules. They carry no content or flow keyword, so any TCP packet
# from $HOME_NET to the listed address and port matches, whatever the payload.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per 60 seconds. The malware family named in `msg` is
# the feed's label for the endpoint; the rule does not check protocol content.
# NOTE(review): an address-only match keeps firing if the IP is later reassigned
# or shared with unrelated services; check `first_seen` and the ThreatFox
# reference before acting on a hit, and age these entries out.
alert tcp $HOME_NET any -> [172.104.242.220] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628654; rev:1;)
alert tcp $HOME_NET any -> [103.253.147.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628653; rev:1;)
alert tcp $HOME_NET any -> [196.75.60.36] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628652; rev:1;)
# Port 443 is matched at the TCP level only; nothing in the TLS session is inspected.
alert tcp $HOME_NET any -> [178.157.62.249] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628651; rev:1;)
alert tcp $HOME_NET any -> [109.236.89.41] 54333 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_29; classtype:trojan-activity; sid:91628650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rub.pi6o.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8lx.1p-8s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opal.do-k-3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ham.r9xa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bug.tu7q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u3kd.1p-8s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91628508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rye.m4ze.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7wp.1p-8s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bow.k8li.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brirbxl.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"calbewo.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"meeqgem.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venezdj.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stamozp.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faeadud.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodopg.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irrufnv.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1628408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scatbhn.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ventagl.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phthkob.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"splwplx.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teered.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628413; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anomal.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strisef.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaloop.cyou"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sentmpy.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"texaajc.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"genubxc.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sounqp.cyou"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628406; rev:1;) alert tcp $HOME_NET any -> [104.164.55.232] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9r.1p-8s.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"day.vo3n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mend.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628384/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"up.je5w.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"etch.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1mv.1p-8s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bu5.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"reed.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bay.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628378; rev:1;)
# URL IoC rules, rated confidence 50% by the feed. Each matches a
# client-to-server GET on an established flow whose URI starts with the listed
# path and whose Host header is exactly the listed value (`depth` plus
# `isdataat:!1,relative` on http.host). The URI has no end anchor, so it is a
# prefix match. Only traffic that Suricata parses as HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohpyybsl.msi"; depth:13; nocase; http.host; content:"95.164.55.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628377/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vn.vbs"; depth:7; nocase; http.host; content:"95.164.55.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628376/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628376; rev:1;)
# Here the URI condition is `content:"/"; depth:1`, which every URI beginning
# with "/" satisfies, so in practice any GET with this Host header alerts.
# NOTE(review): if this host is only reached over TLS, an `alert http` rule will
# not see the request without upstream decryption; a tls.sni match on the same
# name would be needed to cover that case. Confirm against observed traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dc453f6a9f461a5.pages.dev"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628375; rev:1;)
# Domain IoC rules. `depth` is set to the length of the content string and
# `isdataat:!1,relative` requires that no byte follows the match, so each rule
# fires only on a DNS query for exactly the listed name (case-insensitive via
# `nocase`); subdomains of the listed name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q5tn.1p-8s.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pan.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628373; rev:1;)
# ip:port IoC rule: no content or flow keyword, so any TCP packet from $HOME_NET
# to this address on port 443 matches; the threshold caps output at one alert
# per source address per 60 seconds. Nothing inside the TLS session is inspected.
alert tcp $HOME_NET any -> [91.98.85.163] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628372; rev:1;)
# The next four rules cover the same two hostnames twice: a DNS rule on the
# exact query name (sid:91628370, sid:91628371) and an HTTP rule on the Host
# header (sid:91628368, sid:91628369). A client that resolves the name and then
# sends a plain-HTTP GET is expected to raise both, so correlate by source host
# rather than counting separate incidents. The HTTP rules use
# `content:"/"; depth:1` on the URI, i.e. any GET to that host matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prd.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prd.united-gs.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"prd.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"prd.united-gs.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0il.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628367; rev:1;)
# Domain IoC rules rated confidence 50% by the feed (see `metadata`). Matching
# is the same exact-name test as above, and the classtype is the same as for the
# 100% entries, so the rating is only visible in `msg` and `metadata`; filter or
# prioritise on confidence_level if these need separate triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"msnapp.help"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628350/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"accountroyal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"palaerospace.careers"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"msnapp.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"healthiestmama.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"alwayslivehealthy.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628355/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"rhealthylivingsolutions.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628356/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"rheinmetallcareer.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628357/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"chakracleansetherapy.com"; 
depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"clearmindhealthandwellness.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"joinboeing.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"rheinmetallcareer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"zytonhealth.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"airbushiring.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628363/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"healthinfusiontherapy.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"bodywellnessbycynthia.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"careers-portal.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"perstby.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1m.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628348; rev:1;)
# ip:port indicators (msg: Remcos botnet C2, confidence_level 50). These rules
# carry no flow or content keywords, so any TCP packet from $HOME_NET to the
# listed address and port matches. The threshold (type limit, track by_src,
# count 1, seconds 60) caps output at one alert per source address per minute.
# NOTE(review): an address-and-port match alone cannot tell C2 traffic from
# another service on the same endpoint, and addresses can change hands after
# first_seen. Check the ThreatFox reference and host telemetry before acting
# on a hit.
alert tcp $HOME_NET any -> [216.250.249.182] 2026 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628344/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628344; rev:1;)
alert tcp $HOME_NET any -> [216.250.251.199] 4020 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628345/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628345; rev:1;)
alert tcp $HOME_NET any -> [216.9.225.197] 2472 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628346/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628346; rev:1;)
alert tcp $HOME_NET any -> [45.154.98.167] 1516 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628347; rev:1;)
# Domain indicators resume here: exact-name dns_query matches (depth equal to
# the content length plus isdataat:!1,relative), case-insensitive via nocase.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"moremoneyyyyyyyyyyyyyyeeeeeeeee.ydns.eu"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628342/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.soloteck.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1628343/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628343; rev:1;)
# NOTE(review): "cnc.changeme.com" reads like an unedited placeholder hostname
# rather than operator-chosen infrastructure, presumably a default value.
# Confirm against the ThreatFox entry before using it for blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cnc.changeme.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628340/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"joker.proxywall.p-e.kr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628341/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628341; rev:1;)
# The names below include the "www." label and are matched in full (depth
# equal to the content length plus isdataat:!1,relative), so a query for the
# bare domain without "www." does not trigger these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ytenode.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628338/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.z611.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628339/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.p6.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628318/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity;
sid:91628318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.partments-for-rent-94915.bond"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628319/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.q1kxvb7a02-90x0.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628320/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rindcity.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628321/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rnamentalhub.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rontointerventofabbro.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rvxae.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ryequatureteam.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628325/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.so0un.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628326/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.t222.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628327/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tguosheng.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628328/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.trategy-21.net"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1628329/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ullcitytrackclub.run"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628330/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.umjb2.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628331/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.upkie.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628332/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.urewellnesshub.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628333/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vkugx.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628334/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91628334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vtnvb.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628335/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vvvt.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628336/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ww26510.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628337/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.enviro.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628297/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eonesens.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628298/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"www.eshara.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628299/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hatimage.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628300/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iatyogrod63.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628301/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.igiconsulting.pro"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628302/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ile.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628303/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.indvyn.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1628304/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.inhbaokhang.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628305/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.islr.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628306/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.italideas.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628307/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.marov.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nlyoneserver.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91628309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.offeecoffeecoffeecoffee.coffee"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oftonsonline.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628311/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.onfirmacaoenviodigiital.shop"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oodsy.design"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.orbiddendreams.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ord-connect.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628315/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ordsserialli1.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628316/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oweredby.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628317/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.agamentomonave.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628280/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.annahnoh.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628281/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aofi.net"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628282/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ark-10.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628283/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aystablecoin.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628284/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.brj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628285/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.btwbo.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628286/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.c1809.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628287/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_10_28; classtype:trojan-activity; sid:91628287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.c2863.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628288/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.c4895.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628289/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cciccloud.sbs"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628290/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cxzsa.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628291/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.d5468338461.click"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628292/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.echat.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628293/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.edallionroofrepairs.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628294/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.egt.lat"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628295/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.enpercent.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628296/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.56837.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628276/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.6n.top"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1628277/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.6w5rfre.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628278/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7684455.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628279/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628279; rev:1;)
# URL indicators: each rule needs an established flow in the client-to-server
# direction, "GET" in http.method, a URI that begins with "/zl28/" (depth:6,
# case-insensitive, no end anchor, so anything may follow the prefix) and an
# http.host equal to the listed name (depth plus isdataat:!1,relative).
# The same hostnames also have dns_query rules elsewhere in this file, so one
# client can raise both a DNS and an HTTP alert for a single connection
# attempt. Correlate on source address and hostname when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ullcitytrackclub.run"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628266/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.umjb2.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628267/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.upkie.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628268/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.urewellnesshub.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628269/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.vkugx.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628270/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.vtnvb.click"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628271/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.vvvt.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628272/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ww26510.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628273/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ytenode.cloud"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628274/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.z611.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628275/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.q1kxvb7a02-90x0.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628256/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.rindcity.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628257/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.rnamentalhub.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628258/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.rontointerventofabbro.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628259/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.rvxae.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628260/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ryequatureteam.top"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628261/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.so0un.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628262/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.t222.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628263/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.tguosheng.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628264/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.trategy-21.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628265/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628265; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.offeecoffeecoffeecoffee.coffee"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628246/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.oftonsonline.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628247/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.onfirmacaoenviodigiital.shop"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628248/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.oodsy.design"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628249/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.orbiddendreams.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628250/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ord-connect.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628251/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ordsserialli1.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628252/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.oweredby.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628253/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.p6.top"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1628254/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.partments-for-rent-94915.bond"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628255/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.eshara.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628235/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.hatimage.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628236/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.iatyogrod63.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628237; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.igiconsulting.pro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628238/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ile.live"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628239/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.indvyn.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628240/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.inhbaokhang.website"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628241/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; 
nocase; http.host; content:"www.islr.tech"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628242/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.italideas.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628243/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.marov.tech"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628244/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.nlyoneserver.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628245/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.cciccloud.sbs"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628226/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_10_28; classtype:trojan-activity; sid:91628226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.cxzsa.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628227/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.d5468338461.click"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628228/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.echat.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628229/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.edallionroofrepairs.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628230/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.egt.lat"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628231/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.enpercent.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628232/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.enviro.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628233/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.eonesens.cloud"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628234/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.aofi.net"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1628217/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.ark-10.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628218/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.aystablecoin.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628219/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.brj.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628220/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.btwbo.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628221/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.c1723.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628222/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.c1809.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628223/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.c2863.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628224/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.c4895.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628225/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; 
content:"www.56837.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628211/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.6n.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628212/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.6w5rfre.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628213/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.7684455.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628214/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.agamentomonave.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628215/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91628215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zl28/"; depth:6; nocase; http.host; content:"www.annahnoh.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628216/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628216; rev:1;)
# IP:port IOC rule: matches TCP traffic from $HOME_NET to this address and port.
# There is no payload or flow keyword, so an alert says only that a host sent
# packets to the endpoint. The threshold limits it to one alert per source
# every 60 seconds.
# NOTE(review): confidence_level is 50 and addresses change hands; use
# first_seen to age the rule out and corroborate alerts with host telemetry.
alert tcp $HOME_NET any -> [196.251.73.65] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628210/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628210; rev:1;)
# Exact-FQDN DNS rule for a name under duckdns.org, a dynamic-DNS zone shared
# by many unrelated users; only this full name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"envio22-10.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628209/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628209; rev:1;)
# NOTE(review): this is an "alert http" rule for api.telegram.org. The URI
# content holds what looks like a Bot API token path, lower-cased and matched
# with nocase. Bot API traffic normally runs over HTTPS, so the rule is
# expected to fire only where the sensor sees decrypted HTTP; confirm TLS
# inspection covers this host. Do not widen it to the host alone:
# api.telegram.org is shared, legitimate infrastructure.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8463509866:aae8qgyjoatxf5_qootk098axh9e2tfr940/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628208/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628208; rev:1;)
# The next three rules use http.uri content "/" with depth:1. A request URI
# normally starts with "/", so in practice they alert on any GET to the named
# host; the http.host value carries the detection. The third rule matches a
# literal IP address in the Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server7.nisdably.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628206/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"12f9f8f0-e24d-4d0d-9273-e2e46fa86931.server4.nisdably.com"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628207/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.180.151.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628205/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91628205; rev:1;)
# "payload delivery" DNS rules, confidence_level 100. Each matches one exact
# FQDN; several hosts in this file share a parent (je5w.com, r7va.com,
# s-2-ly.ru, m-4-rj.ru, tu7q.online).
# NOTE(review): sibling hostnames that are not listed will not alert. If local
# policy allows treating a parent domain as malicious, a dns.query rule with
# dotprefix and endswith on that parent would cover them; confirm against
# ThreatFox before widening.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wow.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dove.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"ki.r7va.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"twig.s-2-ly.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cow.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"veil.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"piy.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hark.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628196/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628196; rev:1;)
# --- Review notes for the rules below (visible entries carry first_seen 2025_10_28) ---
# The line above is the tail of a rule that starts earlier in the file, and the
# last line of this section is the head of a rule that continues after it.
# Suricata expects each rule on one line (or continued with a backslash), so the
# complete rules in between are laid out one per line.
#
# Three rule shapes appear here:
#   dns  : dns_query + content with depth equal to the name length and
#          isdataat:!1,relative, i.e. the whole query name must equal the
#          listed name (case-insensitive). Subdomains of a listed name and
#          its parent domain do not match.
#   tcp  : destination IP and port only, no payload or flow keywords; the
#          threshold keeps it to one alert per source address per 60 seconds.
#   http : GET requests whose URI begins with the listed path (depth only, no
#          end anchor, nocase) and whose Host equals the listed value exactly.
#          These need parsed HTTP, so the same request over TLS is not seen
#          unless traffic is decrypted upstream of the sensor.
# All rules only alert; target:src_ip marks the $HOME_NET host as the affected
# side in the event. Each sid is 90000000 + the ThreatFox IOC id in the
# reference URL, which is the page to open when triaging a hit.
# metadata confidence_level (75 or 100 here) is the feed's own rating and is a
# reasonable field to key alert severity or suppression on.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns1.servicedata.services"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628195/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"east.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cow.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ace.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0s5.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kit.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628189; rev:1;)
# ip:port indicators: with no content or flow keywords these match any TCP
# packet from $HOME_NET to the address and port. Addresses get reassigned and
# several entries in this section use port 443, so when a hit is old confirm
# via the reference URL that the IOC is still listed before acting on it.
alert tcp $HOME_NET any -> [168.245.201.194] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628188; rev:1;)
alert tcp $HOME_NET any -> [52.91.53.19] 9034 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628187; rev:1;)
alert tcp $HOME_NET any -> [212.154.2.45] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.factionwarfare.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628185; rev:1;)
alert tcp $HOME_NET any -> [121.37.228.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1n.r7va.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dock.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l10n.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0r.je5w.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coal.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ra.je5w.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dewy.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bi.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glow.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dawn.tu7q.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test6633"; depth:9; nocase; http.host; content:"162.252.198.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628138; rev:1;)
# NOTE(review): browsertools.shop, opencamping.shop and wasabiwallet.website
# appear only in http rules within this section; no dns rule for them is
# visible here. If none exists elsewhere in the file, HTTPS requests to these
# hosts would not be covered by this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/live"; depth:9; nocase; http.host; content:"browsertools.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/live"; depth:9; nocase; http.host; content:"opencamping.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/send"; depth:9; nocase; http.host; content:"browsertools.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/conf"; depth:9; nocase; http.host; content:"browsertools.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skillnorequired.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dropcheats.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config.txt"; depth:11; nocase; http.host; content:"wasabiwallet.website"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service_up.php"; depth:15; nocase; http.host; content:"96.9.125.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service_live.php"; depth:17; nocase; http.host; content:"96.9.125.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help_image.php"; depth:15; nocase; http.host; content:"96.9.125.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log.php"; depth:8; nocase; http.host; content:"96.9.125.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oh.j5-ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5age.pi6o.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wave.m-4-rj.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628170; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 306 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628169/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628169; rev:1;)
alert tcp $HOME_NET any -> [52.78.234.116] 10001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628168/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628168; rev:1;)
alert tcp $HOME_NET any -> [47.251.253.239] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628167/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628167; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.84] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628166/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628166; rev:1;)
alert tcp $HOME_NET any -> [159.203.28.203] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628165/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hi.n2-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1ris.pi6o.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plum.n4ym.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.r0-mx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628160; rev:1;)
# NOTE(review): 10.tcp.eu.ngrok.io is a hostname of the ngrok tunnelling
# service rather than a domain dedicated to one operator; such endpoints are
# normally shared by many tunnels, so a hit shows use of that endpoint, not a
# specific C2. Correlate with the destination port and the host's other
# alerts before escalating, and consider a local policy rule for tunnelling
# services if they are not allowed at all.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"10.tcp.eu.ngrok.io"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628158; rev:1;)
alert tcp $HOME_NET any -> [158.173.24.104] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gale.n4ym.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ta.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2c.8ds98.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cove.n4ym.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"um.xe-1r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628145; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.84] 1234 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628140/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0q9.8ds98.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lopa"; depth:5; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/socket.io/"; depth:11; nocase; http.host; content:"198.1.195.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evil"; depth:5; nocase; http.host; content:"198.1.195.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/steal"; depth:10; nocase; http.host; content:"198.1.195.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stata"; depth:6; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brim.n4ym.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"key.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628136; rev:1;)
alert tcp $HOME_NET any -> [108.187.7.240] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orb.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7m.8ds98.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beg.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glow.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dew.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"global.coachmyresume.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628129; rev:1;)
alert tcp $HOME_NET any -> [93.232.102.79] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628128; rev:1;)
alert tcp $HOME_NET any -> [162.252.199.182] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628127; rev:1;)
alert tcp $HOME_NET any -> [95.181.212.113] 22222 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apexxenon.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628125; rev:1;)
alert tcp $HOME_NET any -> [5.180.151.9] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628124; rev:1;)
alert tcp $HOME_NET any -> [40.115.12.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628123; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.166] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628122; rev:1;)
alert tcp $HOME_NET any -> [45.74.48.66] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628121; rev:1;)
alert tcp $HOME_NET any -> [47.100.184.216] 45600 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"golf.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ha.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.8ds98.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goat.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bi.fy-7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho.n2-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"rodriggez.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5h7h.js"; depth:8; nocase; http.host; content:"rodriggez.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rodriggez.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"girl.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1n.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gear.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.6cm81.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"do.r0-mx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fawn.k8li.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jairecanoas.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zmzkdodudhdbdu.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dhdjisksnsbhssu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7k2.6cm81.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628097; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.224] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"themccoyhome.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dsfcnotufy.zip"; depth:15; nocase; http.host; content:"themccoyhome.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628094/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_28; classtype:trojan-activity; sid:91628094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pops.php"; depth:9; nocase; http.host; content:"www.pantallaleds.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"prajsm.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"prajsm.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prajsm.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xss/buf.js"; depth:11; nocase; http.host; content:"prajsm.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foam.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1f.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628087; rev:1;) alert tcp $HOME_NET any -> [185.237.165.254] 2081 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flip.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ya.p2-om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1628084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0t.6cm81.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"act.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628082; rev:1;) alert tcp $HOME_NET any -> [64.176.41.85] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628081/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pie.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xq8.6cm81.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628079; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kld.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"far.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628077; rev:1;) alert tcp $HOME_NET any -> [8.137.149.67] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628076; rev:1;) alert tcp $HOME_NET any -> [117.72.45.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628075; rev:1;) alert tcp $HOME_NET any -> [111.229.78.55] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flat.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1628073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xl.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"am.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"appbnc-connexion.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628070; rev:1;) alert tcp $HOME_NET any -> [91.108.245.176] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"simplecopseholding.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91628068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"hlherb.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hlherb.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6h8d.js"; depth:8; nocase; http.host; content:"hlherb.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ventagl.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1rm.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1628063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628063; rev:1;)
# ip:port rules: there is no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port alerts, connection attempts included.
# "threshold: type limit, track by_src, seconds 60, count 1" caps that at one
# alert per source per 60 seconds. A hit shows that a host tried to reach the
# endpoint; it does not show that the family named in msg was seen on the wire.
# NOTE(review): addresses on common ports (80, 443) may be shared or reassigned
# hosting - check first_seen and the ThreatFox reference before acting on a hit.
alert tcp $HOME_NET any -> [3.83.55.90] 50001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628062; rev:1;)
alert tcp $HOME_NET any -> [18.181.52.48] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628061; rev:1;)
alert tcp $HOME_NET any -> [102.96.215.5] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628060; rev:1;)
alert tcp $HOME_NET any -> [108.181.115.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628059; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
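traffic (domain - confidence level: 100%)"; dns_query; content:"ubongoload.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628057; rev:1;)
# Corrected (sid 91628055): the feed entry matched the hostname inside http.uri,
# anchored at offset 0, where an origin-form request carries a path starting
# with "/", so it was unlikely to fire. The name is now matched on http.host,
# anchored at both ends like the other url rules in this file. With no path
# constraint, any GET to this host alerts; the dns_query rule for the same name
# (sid 91628056) covers the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"dirolchiks.tplinkdns.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1628055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628055; rev:1;)
# Domain rules anchor the whole name: depth equals the content length and
# isdataat:!1,relative rejects trailing bytes, so only the exact FQDN alerts.
# That matters for names under shared dynamic-DNS or tunnel parents such as
# duckdns.org, tplinkdns.com and ply.gg: other hosts under the same parent do
# not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dirolchiks.tplinkdns.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"multiple-knitting.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"need-disturbed.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 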
content:"ex.j5-ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.fy-7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1le.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.6cm81.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nu.n2-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nu.ra-9x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628047/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f15h.da5v.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.r0-mx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628044; rev:1;) alert tcp $HOME_NET any -> [107.172.44.172] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x3pn.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628042; rev:1;) alert tcp $HOME_NET any -> [46.62.228.181] 3333 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628041; rev:1;) alert tcp $HOME_NET any -> [108.181.115.242] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628039; rev:1;) alert tcp $HOME_NET any -> [195.123.240.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.jamesriver-ins.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628038; rev:1;) alert tcp $HOME_NET any -> [5.253.41.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628035; rev:1;) alert tcp $HOME_NET any -> [34.66.153.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628036/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628036; rev:1;) alert tcp $HOME_NET any -> [158.220.115.77] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628034; rev:1;) alert tcp $HOME_NET any -> [77.110.106.206] 22809 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628033/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_28; classtype:trojan-activity; sid:91628033; rev:1;) alert tcp $HOME_NET any -> [45.93.8.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628031; rev:1;) alert tcp $HOME_NET any -> [117.72.197.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ha.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628030; rev:1;) alert tcp $HOME_NET any -> [182.16.98.84] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628029/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628029; rev:1;)
# The confidence level is carried only in msg and in metadata
# (confidence_level 75 vs 100); classtype is trojan-activity for every rule
# here, so the engine gives both levels the same classification. Ranking the
# 75 entries below the 100 entries has to be done downstream on the metadata.
alert tcp $HOME_NET any -> [175.42.125.10] 6005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628028/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jump.0x1.ink"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628027; rev:1;)
# NOTE(review): the name below looks like an endpoint under a cloud provider's
# domain. depth:41 plus isdataat:!1,relative restrict the match to this one
# FQDN, so other names under the same parent domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"52sya04g88x3k.cfc-execute.su.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628026/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6aw.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t04.4md69.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628024/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628024; rev:1;) alert tcp $HOME_NET any -> [203.202.232.245] 24043 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628023/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.4md69.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9lt.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"say.p2om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2vx.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rot.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"why.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ion.v3sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9k1.4md69.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yaw.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4yd.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1628011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hit.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7qc.1s-1n.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7p.4md69.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628008; rev:1;) alert tcp $HOME_NET any -> [196.251.88.245] 7805 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"if.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1628006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628006; 
rev:1;)
# ip:port rules (sid 91628004, 91628005, 91628003-91628000).
# Each rule below matches on the packet header only: any TCP packet from $HOME_NET to the listed
# address and port. There is no content, flow or app-layer keyword, so the alert says nothing about
# what was exchanged, only that the endpoint was contacted.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one alert per source
# address per 60 seconds per rule; it does not narrow what matches.
# target:src_ip marks the internal host as the affected side in the event record.
# NOTE(review): three of the 75% entries use port 443 on a bare address; if that address also serves
# unrelated traffic these will alert on it too. Triage with metadata confidence_level and first_seen,
# and corroborate with DNS/TLS/HTTP logs for the same flow before acting.
alert tcp $HOME_NET any -> [209.38.108.180] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628004/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628004; rev:1;)
alert tcp $HOME_NET any -> [94.74.191.25] 5888 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91628005; rev:1;)
alert tcp $HOME_NET any -> [87.229.95.86] 8881 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628003/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628003; rev:1;)
alert tcp $HOME_NET any -> [54.95.86.23] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628002/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628002; rev:1;)
alert tcp $HOME_NET any -> [54.144.14.138] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628001/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628001; rev:1;)
alert tcp $HOME_NET any -> [18.253.199.156] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1628000/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91628000; rev:1;) alert tcp $HOME_NET any -> [46.224.14.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iit.tweethost.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iit.teba-forexport.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"iit.tweethost.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"iit.teba-forexport.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1627996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627996; rev:1;) alert tcp $HOME_NET any -> [168.245.200.185] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627994; rev:1;) alert tcp $HOME_NET any -> [3.83.55.90] 6001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal.dmg-tech.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627992; rev:1;) alert tcp $HOME_NET any -> [139.59.246.232] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627991; rev:1;) alert tcp $HOME_NET any -> [5.253.41.244] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627990; rev:1;) alert tcp $HOME_NET any -> [8.138.96.41] 21100 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627989; rev:1;) alert tcp $HOME_NET any -> [114.67.206.25] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627988; rev:1;) alert tcp $HOME_NET any -> [31.40.204.127] 2403 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627987/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627987; rev:1;) alert tcp $HOME_NET any -> [203.202.232.5] 2135 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627986/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8wm.7-09f.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"inspectlet.observer"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627983/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"insightanalytics.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627984/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdnjscookies.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gagichls.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wordpress-login.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wordpress-commerce.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627970; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ls1ks.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627971/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"suckerity.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627972/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"woscket.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627973/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wsocket.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627974/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wooadminpro.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"elementatorprof.online"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gigacgetski.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kezopersuc.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"webawast.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"asd123qwe2.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"keritysuc.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627981/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_10_28; classtype:trojan-activity; sid:91627981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"websocket.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627982/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"babymarket.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"feabihc.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"decision-danny.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"whiteangelcameonearthwithgodsignformegod.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627963; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"faggotfaggotfaggotfaggotfaggotfaggotfaggotfaggotfaggotfaggot.die.skin"; depth:69; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk_sxfds128.bin"; depth:16; nocase; http.host; content:"gulfscaffolding.com.sa"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627961; rev:1;) alert tcp $HOME_NET any -> [62.60.148.184] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"contents-douglas.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"robotproject.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627958; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"safe-railway.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627959; rev:1;)
# Domain rules: depth equals the length of the content string and isdataat:!1,relative requires that
# nothing follows it, so the whole DNS query name must equal the listed name (nocase makes the
# comparison case-insensitive). A query for a subdomain or for the parent domain does not match.
# These entries carry confidence_level 50; treat a hit as a lead to corroborate, not a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"doxxing.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seznam.giize.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627956; rev:1;)
# URL rule on a shared paste host: http.host must equal "pastebin.com" exactly (depth 12 plus
# isdataat:!1,relative), while the http.uri match is anchored only at the start (depth 13, no end
# check) and is case-insensitive, so any URI beginning with that path in any letter case matches.
# NOTE(review): "alert http" inspects parsed HTTP only; if the paste is fetched over TLS this rule
# presumably sees nothing unless the sensor receives decrypted traffic -- confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/4dsyh9sw"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627954; rev:1;)
# URL rule with http.uri content "/" at depth 1: the URI condition is satisfied by any URI that
# begins with "/", so in effect this alerts on any GET whose Host header equals the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server9.ninhaine.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627951/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91627951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server11.ninhaine.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server14.ninhaine.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9af57c9106bf2c01.php"; depth:21; nocase; http.host; content:"194.50.153.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627949/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_28; classtype:trojan-activity; sid:91627949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"us.ra-9x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g1rq.7-09f.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1627948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"do.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627947; rev:1;) alert tcp $HOME_NET any -> [62.60.131.193] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627568; rev:1;) alert tcp $HOME_NET any -> [62.60.131.194] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627569; rev:1;) alert tcp $HOME_NET any -> [62.60.131.185] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627570; rev:1;) alert tcp $HOME_NET any -> [62.60.131.202] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627571; rev:1;) alert tcp $HOME_NET any -> [62.60.131.197] 443 
(msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627572; rev:1;) alert tcp $HOME_NET any -> [62.60.131.183] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627573; rev:1;) alert tcp $HOME_NET any -> [62.60.131.200] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627574; rev:1;) alert tcp $HOME_NET any -> [62.60.131.192] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627575; rev:1;) alert tcp $HOME_NET any -> [62.60.131.188] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627576; rev:1;) alert tcp $HOME_NET any -> [62.60.131.181] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627577/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_28; classtype:trojan-activity; sid:91627577; rev:1;) alert tcp $HOME_NET any -> [62.60.131.187] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627578; rev:1;) alert tcp $HOME_NET any -> [62.60.131.182] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627579; rev:1;) alert tcp $HOME_NET any -> [62.60.131.179] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627580; rev:1;) alert tcp $HOME_NET any -> [62.60.131.180] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627581; rev:1;) alert tcp $HOME_NET any -> [62.60.131.186] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627582; rev:1;) alert tcp $HOME_NET any -> [62.60.131.184] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627583; rev:1;) alert tcp $HOME_NET any -> [62.60.131.196] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627584; rev:1;) alert tcp $HOME_NET any -> [62.60.131.199] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627585; rev:1;) alert tcp $HOME_NET any -> [62.60.131.201] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627586; rev:1;) alert tcp $HOME_NET any -> [62.60.131.195] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627587; rev:1;) alert tcp $HOME_NET any -> [62.60.131.191] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627588; rev:1;) alert tcp $HOME_NET any -> [62.60.131.190] 443 
(msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627589; rev:1;)
# ip:port indicators. These rules match on the header only: source in $HOME_NET,
# one fixed destination address and port, no flow or content keywords. The
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds. target:src_ip marks the internal
# source as the affected side of the alert.
# NOTE(review): a header-only hit shows that a connection was attempted, not what
# was exchanged; corroborate with flow/TLS logs before treating a host as
# infected. metadata carries first_seen only and nothing in the rule expires it.
alert tcp $HOME_NET any -> [62.60.131.189] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627590; rev:1;)
alert tcp $HOME_NET any -> [62.60.131.198] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627591; rev:1;)
alert tcp $HOME_NET any -> [62.60.131.178] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627592; rev:1;)
# URL indicator: established client-to-server GET whose URI begins with
# "/codebase5533" (depth:13 anchors the 13-byte content at the start of http.uri;
# there is no isdataat after it, so longer paths with this prefix also match)
# and whose http.host buffer is exactly "162.252.198.162" (depth:15 plus
# isdataat:!1,relative leaves no room before or after). No threshold is set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/codebase5533"; depth:13; nocase; http.host; content:"162.252.198.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627607; rev:1;)
alert tcp $HOME_NET any -> [13.80.136.92] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627681; rev:1;)
alert tcp $HOME_NET any -> [79.250.142.26] 9215 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627682; rev:1;)
alert tcp $HOME_NET any -> [64.7.199.12] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627683; rev:1;)
alert tcp $HOME_NET any -> [203.154.83.190] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627684; rev:1;)
# NOTE(review): in this url rule the address "178.17.50.15" is matched in
# http.uri, anchored at offset 0 by depth:12, and no http.host check follows.
# An origin-form request URI begins with "/", so this content is unlikely to
# match ordinary requests to that server; the other url rule in this group
# (sid:91627607) matches its address in http.host instead. Looks like the IoC
# had no path and the host landed in the URI buffer. Confirm against
# threatfox.abuse.ch/ioc/1627946/ and do not count on this sid for coverage
# of that address until checked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"178.17.50.15"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1627946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627946; rev:1;)
alert tcp $HOME_NET any -> [108.181.161.143] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627945; rev:1;)
alert tcp $HOME_NET any -> [198.44.185.177] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wilsonkumar.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giftoo1.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627943; rev:1;) alert tcp $HOME_NET any -> [196.251.87.218] 9900 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3.4md69.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uh.yq-4n.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2xb.7-09f.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.r0-mx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9lg.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bi.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9r2.0bj3i.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627934/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_28; classtype:trojan-activity; sid:91627934; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627933; rev:1;) alert tcp $HOME_NET any -> [172.238.172.240] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.com.au.debbiesimril.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627931; rev:1;) alert tcp $HOME_NET any -> [46.173.214.104] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627930; rev:1;) alert tcp $HOME_NET any -> [198.12.85.93] 1589 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627929; rev:1;) alert tcp $HOME_NET any -> [40.115.12.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627928; rev:1;) alert tcp $HOME_NET any -> [104.223.84.7] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627927; rev:1;) alert tcp $HOME_NET any -> [176.100.36.88] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627926; rev:1;) alert tcp $HOME_NET any -> [182.254.155.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ox.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b.0bj3i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91627923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0hs.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.xe-1r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3dpf.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.p2-om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7.0bj3i.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"ego.p2om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flx.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n6vt.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627721; rev:1;) alert tcp $HOME_NET any -> [39.98.58.80] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627720/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627720; rev:1;) alert tcp $HOME_NET any -> [182.16.98.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627719/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627719; rev:1;) alert tcp $HOME_NET any -> [116.62.226.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627718/; target:src_ip; metadata: confidence_level 
75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wulongdakon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627717/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_28; classtype:trojan-activity; sid:91627717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ram.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9y1.0bj3i.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627715; rev:1;) alert tcp $HOME_NET any -> [13.55.193.86] 58016 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7qy.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain 
- confidence level: 100%)"; dns_query; content:"a3z.0bj3i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oak.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ion.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4jm.9-32p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ox.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f6.0bj3i.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1627707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u4hm.6-19t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0.j5-ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xi.ko-8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0j.6-19t.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627702; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i5.ra-9x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w2cx.6-19t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p.3jw5u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"am.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.bo-x2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d6pl.6-19t.ru"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.3jw5u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"up.yq-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627694; rev:1;) alert tcp $HOME_NET any -> [47.236.194.231] 1433 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627693; rev:1;) alert tcp $HOME_NET any -> [154.38.187.64] 8080 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; classtype:trojan-activity; sid:91627692; rev:1;) alert tcp $HOME_NET any -> [172.94.36.171] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_28; 
classtype:trojan-activity; sid:91627691; rev:1;)
# Domain indicators. Each rule inspects the DNS query name (dns_query, the older
# spelling of the dns.query sticky buffer). depth equals the length of the
# content and isdataat:!1,relative requires that no byte follows the match, so
# only the exact name alerts, case-insensitively (nocase); names underneath it
# are not covered. fast_pattern selects the domain as the prefilter pattern.
# These rules carry no threshold, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v4.3jw5u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y3s.6-19t.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.de-6a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8kd.6-19t.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xl.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627686; rev:1;)
# URL indicator at confidence_level 50. The URI test is content:"/" with depth:1,
# which any path beginning with "/" satisfies, so in effect the rule alerts on
# every established GET whose http.host buffer is exactly "173.212.216.226".
# No threshold is set, so each matching request alerts.
# NOTE(review): given the 50% confidence in msg/metadata, consider triaging this
# sid separately from the 100% rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"173.212.216.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627685/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7r.0vl3u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627680; rev:1;)
# ip:port indicator at confidence_level 75: header-only match on destination
# address and port with no flow or content keywords; the threshold limits it to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [175.42.125.10] 6004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627679/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g5t.8j8-o.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1t.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.0vl3u.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z0wa.8j8-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7nh.8j8-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eh.p2-om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"egg.p2om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rat.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; 
classtype:trojan-activity; sid:91627671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1rx.8j8-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq8.0vl3u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wig.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k1.0vl3u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gas.v3sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"one.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627665; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows the match, so each rule
# fires only when the queried name is exactly the listed name (nocase makes the
# comparison case-insensitive). A query for a different label under the same
# parent domain is not covered by that rule. The sid is the IOC id from the
# reference URL with a leading 9.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9q.8j8-o.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lag.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m6zk.8j8-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y41.9bp6i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lo.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627660; rev:1;)
# ip:port rules: the only match conditions are the destination address and
# port. There is no flow or content keyword, so the alert records that a
# $HOME_NET host sent TCP traffic there, not that a session completed or what
# it carried. threshold (type limit, track by_src, count 1, seconds 60) caps
# output at one alert per source address per 60 seconds. The next two entries
# carry confidence_level 75 but the same classtype as the 100% entries, so
# triage that should weigh confidence has to read msg or the metadata field.
alert tcp $HOME_NET any -> [182.16.98.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627659/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627659; rev:1;)
alert tcp $HOME_NET any -> [136.115.102.225] 44444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627658/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"us-gateway.google-status.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627657/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"antams.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627656/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2yl.3v9-u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pi.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627654; rev:1;)
alert tcp $HOME_NET any -> [108.187.7.206] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mu.j5-ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4qc.3v9-u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oh.ko-8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hk2.9bp6i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"am.fy-7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627648; rev:1;)
# The destination port is part of each signature below (3790, 3306, 80, 7000):
# traffic from $HOME_NET to the same address on a different port does not
# match these rules.
alert tcp $HOME_NET any -> [168.245.200.108] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627647; rev:1;)
alert tcp $HOME_NET any -> [8.219.171.47] 3306 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627646; rev:1;)
alert tcp $HOME_NET any -> [154.9.227.213] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627645; rev:1;)
alert tcp $HOME_NET any -> [104.194.154.86] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627644; rev:1;)
alert tcp $HOME_NET any -> [86.198.215.11] 4785 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627643; rev:1;)
# The family name in msg is the label reported for the indicator. The
# signature itself matches only destination address and port and inspects no
# protocol content, so an alert alone does not confirm which family (if any)
# produced the traffic; the reference URL is the place to check the IOC record.
alert tcp $HOME_NET any -> [157.250.195.21] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627642; rev:1;)
alert tcp $HOME_NET any -> [40.115.12.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627641; rev:1;)
alert tcp $HOME_NET any -> [45.64.246.17] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627640; rev:1;)
# 167.17.40.34 is listed on two ports (443 here, 80 in sid:91627638 below),
# each as a separate IOC with its own sid.
alert tcp $HOME_NET any -> [167.17.40.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627639; rev:1;)
alert tcp $HOME_NET any -> [39.107.82.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627637; rev:1;)
alert tcp $HOME_NET any -> [167.17.40.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627638; rev:1;)
alert tcp $HOME_NET any -> [159.65.125.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1g.3v9-u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ia.ra-9x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z.9bp6i.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanomiloklosikolaymas.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9dr.3v9-u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cersaavtolabnovuklubykol.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fiklokasilupafas.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627629; rev:1;)
alert tcp $HOME_NET any -> [94.74.191.123] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627628; rev:1;)
# URL rule: client-to-server traffic on an established flow, method GET.
# The http.uri content carries depth but no end anchor, so it matches any
# request URI that begins with the listed path (case-insensitively, via
# nocase), including the same path followed by further characters. The
# http.host content carries depth plus isdataat:!1,relative, so the Host value
# must equal the listed name in full. Unlike the ip:port rules, this rule has
# no threshold keyword, so every matching request can alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpjslongpollwplocaltemporary.php"; depth:34; nocase; http.host; content:"411712cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.newshimforjune.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.lkofitjhecvr.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.gigachatglob.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.newshimone.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627625; rev:1;)
alert tcp $HOME_NET any -> [146.103.99.179] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1627622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627622; rev:1;)
alert tcp $HOME_NET any -> [202.71.14.164] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627621; rev:1;)
alert tcp $HOME_NET any -> [94.74.164.94] 55886 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627620; rev:1;)
alert tcp $HOME_NET any -> [111.11.112.162] 5858 (msg:"ThreatFox donut_injector botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627619; rev:1;)
alert tcp $HOME_NET any -> [94.74.164.181] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627618; rev:1;)
# confidence_level 50: the figure appears only in msg and in the metadata
# field; the action (alert) and classtype (trojan-activity) are the same as
# for the 100% entries, so consumers that rank or auto-respond on alerts need
# to read metadata to tell this entry apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/excel/now/windows/invite.php"; depth:29; nocase; http.host; content:"workdesk.us.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627617; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.7] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sirrbef.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orthnsa.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pitchz.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portag.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627615; rev:1;)
alert tcp $HOME_NET any -> [61.143.184.8] 19265 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627611/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627611; rev:1;)
alert tcp $HOME_NET any -> [37.107.29.71] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627610/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627610; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.86] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627609/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627609; rev:1;)
alert tcp $HOME_NET any -> [16.51.152.150] 7170 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627608/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d0m7.9bp6i.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3vz.3v9-u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w3t.9bp6i.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627604; rev:1;)
# The next two names are single hosts under no-ip.org and gl.at.ply.gg (a
# second gl.at.ply.gg host follows in sid:91627597). depth equal to the
# content length plus isdataat:!1,relative anchors each rule to the full
# listed name, so other names under those parent domains do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"220520122153.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contents-hungarian.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"555888.cyou"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627601; rev:1;)
# http.uri content "/api" with depth:4 and no end anchor matches every request
# URI that begins with /api, not only the bare path. The Host value is
# matched in full. sirrbef.cyou is also covered by the domain rule
# sid:91627612 above, so a host that resolves the name and then requests the
# URL raises both alerts; feabihc.cyou has no domain rule within this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sirrbef.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"feabihc.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7m.3v9-u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cover-phantom.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ex.de-6a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"unit.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627595; 
rev:1;)
# The http.host content here is an IPv4 literal. The rule header's destination
# is $EXTERNAL_NET any, so the match keys on the Host header value of the
# request and not on the address the packet is sent to; a request carrying
# this Host value matches whichever external address it goes to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvdfnafjbmc2/index.php"; depth:23; nocase; http.host; content:"158.94.208.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8.9bp6i.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"task.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627565; rev:1;)
alert tcp $HOME_NET any -> [146.88.129.2] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rd5.8vl8u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sale.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627562; rev:1;)
# flickrodf.com is covered four times: one domain rule (sid:91627540), which
# fires on a DNS query for exactly that name, and three URL rules for
# /xss/index.php, /xss/buf.js and /xss/bof.js (sid:91627541, sid:91627539,
# sid:91627542), which fire on a GET whose URI begins with the listed path and
# whose Host equals the name. The URL rules depend on the sensor seeing the
# request as parsed HTTP; the domain rule depends only on seeing the DNS query.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"flickrodf.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flickrodf.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"flickrodf.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"flickrodf.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ikol.php"; depth:9; nocase; http.host; content:"atsexport.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/platour.zip"; depth:12; nocase; http.host; content:"technoxpertsgroup.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"technoxpertsgroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627545/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627545; rev:1;) alert tcp $HOME_NET any -> [5.181.156.218] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627546; rev:1;) alert tcp $HOME_NET any -> [194.107.126.124] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627561/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dstat.one"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627560/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627560; rev:1;) alert tcp $HOME_NET any -> [212.11.64.95] 56001 (msg:"ThreatFox HijackLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627559/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.txt"; depth:6; nocase; http.host; content:"nsbko.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627556/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627556; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teekpbfu.msi"; depth:13; nocase; http.host; content:"nsbko.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627557/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign-in/uri.html"; depth:17; nocase; http.host; content:"booking.com-admin.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ten.p2om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clod.txt"; depth:9; nocase; http.host; content:"powerplayzone.rest"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627554/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627554; rev:1;) alert tcp $HOME_NET any -> [5.75.213.214] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627551/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627551; rev:1;)
# Vidar group: ip:port rules for 5.75.213.214 and 49.13.39.101 (both port 443),
# a dns_query rule for cvt.technicalprorj.xyz, and three url rules for the same
# three hosts.
# NOTE(review): the url rules match http.uri content:"/" with depth:1, which
# every origin-form request path satisfies, so in practice they are host-only
# matches on GET requests. The ip:port rules for the same addresses use port 443;
# if that traffic is TLS, an alert http rule has nothing to inspect unless
# decryption happens upstream -- presumably the tcp and dns rules are the ones
# that fire. Confirm the scheme against the referenced ThreatFox IOC entries.
alert tcp $HOME_NET any -> [49.13.39.101] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cvt.technicalprorj.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.39.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cvt.technicalprorj.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.214"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627547; rev:1;)
# dns_query rules: the content is anchored at both ends (depth equals the content
# length, isdataat:!1,relative forbids trailing bytes) and compared with nocase,
# so only a query for exactly this name alerts. A query for a deeper label under
# it, or for the parent domain alone, does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1it.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2v.8vl8u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627537; rev:1;)
# NOTE(review): confidence_level 50. portmap.host looks like a shared
# port-forwarding service domain, so the indicator is this one customer label,
# not the service as a whole; the exact-name match above keeps it scoped that way.
# The address behind such a name can change, so correlate hits with the resolved
# address from the DNS answer or flow logs rather than the name alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mhzlh773-56010.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627536; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.109] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627535; rev:1;)
alert tcp $HOME_NET any -> [78.141.231.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; 
sid:91627534; rev:1;)
# ip:port rules: there is no flow, content or app-layer keyword, so the only match
# criteria are the destination address and port; traffic from $HOME_NET to that
# endpoint alerts regardless of payload. threshold (type limit, track by_src,
# count 1, seconds 60) caps output at one alert per source address per minute;
# it limits alert volume, not what is matched.
# NOTE(review): address-only indicators go stale when hosting is reassigned, and
# first_seen in metadata is the only age signal the rule carries. Re-validate
# against the referenced ThreatFox IOC page before acting on a hit, and corroborate
# with host or DNS telemetry for the alerting source.
alert tcp $HOME_NET any -> [13.93.30.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627533; rev:1;)
alert tcp $HOME_NET any -> [192.30.240.101] 2403 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627532; rev:1;)
alert tcp $HOME_NET any -> [200.149.179.129] 28364 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627531; rev:1;)
alert tcp $HOME_NET any -> [158.94.209.51] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"road.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"key.z3lu.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627529; rev:1;)
# NOTE(review): in the next four rules (sid 91627513-91627516) the IPv4 address is
# matched in the http.uri buffer, anchored at offset 0 by depth, and there is no
# http.host condition. The other url rules in this file put the host in http.host
# and a "/"-prefixed path in http.uri. A request path normally starts with "/",
# so these four look like they cannot match ordinary requests to those hosts;
# presumably the source IOC was a URL with no path and the generator placed the
# host in the URI field. Verify against the referenced IOC entries, and do not
# count these sids as detection coverage for the addresses until confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.204.42.107"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1627513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.205.164.223"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1627514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.14.41.82"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1627515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.14.41.57"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1627516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yen.v3sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1627527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.8vl8u.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1nc.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cut.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ash.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0q9.8vl8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627522; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yard.b-9-ku.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"la.tov-4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wood.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7m.8vl8u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"it.q-len.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"view.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.j5-ol.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gate.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.ko-8r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newtpp.exe"; depth:11; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.8vl8u.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"he.fy-7a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad.n2-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuel.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ta.ra-9x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2.8ss4e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; 
classtype:trojan-activity; sid:91627503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"um.z3-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"game.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.bo-x2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627499; rev:1;)
# url rules: http.host is an exact match (depth equals the content length, and
# isdataat:!1,relative forbids trailing bytes), while http.uri has depth only,
# i.e. a case-insensitive prefix match. For the short paths below ("/1", "/2",
# "/3") any GET whose path begins with those two bytes on the listed host alerts
# (for instance "/10" or "/1.bin" -- constructed examples). Read a hit as
# "request to a listed host" and check the full URI in the event record before
# concluding which object was fetched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32.exe"; depth:7; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1"; depth:2; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2"; depth:2; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3"; depth:2; nocase; http.host; content:"176.46.158.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"la.yq-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"book.wi-7-e.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1x3.8ss4e.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627496/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_27; classtype:trojan-activity; sid:91627496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0.de-6a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cvt.teba-forexport.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cvt.teba-forexport.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"or.r0-mx.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.8ss4e.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; 
sid:91627491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hill.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"at.hu-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eh.s4-ti.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0a.8ss4e.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"home.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ya.g-vox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627481; rev:1;) alert tcp $HOME_NET any -> [161.35.177.165] 55123 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zq9.8ss4e.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ta.xe-1r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"to.p2-om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627476/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k5.8ss4e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bus.p2om.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fire.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dry.la9q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7.7kf1u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7y5g.js"; depth:8; nocase; http.host; content:"sessomania.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627466; rev:1;)
# NOTE(review): the dns_query rule and the http.host conditions for
# sessomania.com are exact-name matches (depth equals the content length, plus
# isdataat:!1,relative). A lookup of, or a request to, any other label under the
# domain (a "www." prefix, for instance) is therefore not covered by these sids.
# The dns rule alerts on name resolution alone; the url rules additionally need
# cleartext HTTP that Suricata can parse, so for an HTTPS fetch the dns rule is
# presumably the only one that fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sessomania.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"sessomania.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/codebase5533"; depth:13; nocase; http.host; content:"144.31.221.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tip.z3lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627470/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_27; classtype:trojan-activity; sid:91627470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cold.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"but.v3sa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627464; rev:1;)
# NOTE(review): the next name sits under what looks like a shared dynamic-DNS
# provider domain. The rule matches this one full hostname exactly (depth equals
# the content length, plus isdataat:!1,relative), so other names under the same
# provider do not alert. Records of this kind can be repointed at any time, so
# correlate a hit with the resolved address from the DNS answer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sorbbolindo.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627463; rev:1;)
# ip:port rules: destination address and port are the only match criteria (no
# flow, content or app-layer keyword); threshold type limit / track by_src caps
# output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [192.52.166.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627462; rev:1;)
alert tcp $HOME_NET any -> [95.181.212.113] 12311 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627461; rev:1;)
alert tcp $HOME_NET any -> [158.94.209.59] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627460; rev:1;)
alert tcp $HOME_NET any -> [196.251.114.209] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627459; rev:1;)
alert tcp $HOME_NET any -> [186.169.46.112] 3585 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627458; rev:1;)
# NOTE(review): ply.gg looks like a shared tunnelling-service domain; as with the
# dynamic-DNS name above, only this exact hostname is matched, and the endpoint
# behind it may be short-lived. The dns rule records the lookup only -- pair it
# with flow data to see whether a connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratings-architects.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627456; rev:1;)
alert tcp $HOME_NET any -> [104.37.172.150] 6071 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2k.7kf1u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627455/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_27; classtype:trojan-activity; sid:91627455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pap.tov4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bird.x-3-ri.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dry.mi4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627450; rev:1;) alert tcp $HOME_NET any -> [187.188.191.252] 61994 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627433; rev:1;) alert tcp $HOME_NET any -> [35.220.199.172] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627443; rev:1;) alert tcp $HOME_NET any -> [37.203.255.37] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627444; rev:1;) alert tcp $HOME_NET any -> [217.160.25.65] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627445; rev:1;) alert tcp $HOME_NET any -> [38.12.32.82] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627446; rev:1;) alert tcp $HOME_NET any -> [111.229.78.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627447/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627447; rev:1;) alert tcp $HOME_NET any -> [94.23.220.69] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627448; rev:1;) alert tcp $HOME_NET any -> [178.73.218.18] 7046 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c5r.3j5-y.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qi.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d4pz.3j5-y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"eh.pl-8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627439; rev:1;) alert tcp $HOME_NET any -> [91.92.240.17] 9332 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7mf.3j5-y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627437; rev:1;) alert tcp $HOME_NET any -> [196.251.72.93] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u3qa.3j5-y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oh.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627434/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627434; rev:1;) alert tcp $HOME_NET any -> [38.60.92.181] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627432; rev:1;) alert tcp $HOME_NET any -> [35.157.46.108] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8xn.3j5-y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pe.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nu.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"r0lg.3j5-y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ax.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627426; rev:1;) alert tcp $HOME_NET any -> [5.59.248.73] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627425; rev:1;) alert tcp $HOME_NET any -> [185.165.169.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627424; rev:1;) alert tcp $HOME_NET any -> [181.162.178.106] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627423; rev:1;) alert tcp $HOME_NET any -> [3.1.103.26] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627422/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627422; rev:1;) alert tcp $HOME_NET any -> [144.91.117.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627421; rev:1;) alert tcp $HOME_NET any -> [174.57.168.202] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627420; rev:1;) alert tcp $HOME_NET any -> [174.57.168.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627419; rev:1;) alert tcp $HOME_NET any -> [39.100.97.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627418; rev:1;) alert tcp $HOME_NET any -> [47.94.132.198] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"os.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3n.2h7-o.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627414; rev:1;) alert tcp $HOME_NET any -> [78.47.233.147] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627412; rev:1;) alert tcp $HOME_NET any -> [46.62.232.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627413; rev:1;) alert tcp $HOME_NET any -> [46.224.22.46] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; 
classtype:trojan-activity; sid:91627411; rev:1;)
# Domain rules: dns_query + content + a depth equal to the name's length + isdataat:!1,relative
# pin the whole query name, case-insensitively via nocase. Subdomains of these names and their
# parent zones are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gpu.orca-trade.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gz.technicalprorj.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wed.salahelden.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fri.technicalprorj.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627410; rev:1;)
# ip:port rule: there is no flow or content keyword, so any TCP packet from $HOME_NET to this
# address and port qualifies; the threshold keeps output to one alert per source per 60 seconds.
# The feed rates this indicator confidence_level 50, so a hit is a lead to corroborate with
# host, DNS and proxy telemetry for the source address rather than a verdict on its own.
alert tcp $HOME_NET any -> [193.161.193.99] 43718 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627406/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627406; rev:1;)
# url rules: http.uri is anchored at the start by depth but has no end anchor, so it is a prefix
# match; http.host is pinned exactly by depth + isdataat:!1,relative.
# The next two rules name a path on a shared public platform (steamcommunity.com, telegram.me):
# only the path is the indicator, the host by itself is not.
# NOTE(review): these are `alert http` rules, so they only see requests Suricata parses as
# cleartext HTTP; requests to these platforms made over TLS need decryption or another data
# source (e.g. proxy logs) to be covered. Confirm what the sensor can actually see.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198776306228"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sc0lers"; depth:8; nocase; http.host; content:"telegram.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627401; rev:1;)
# In the next four rules http.uri only requires a leading "/", so they are effectively
# host-only matches on GET requests. The hosts are the same four names as the dns rules
# sid:91627407-91627410 above, so one client can raise both a dns and an http alert for the
# same indicator; correlate on the source address rather than counting them separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gz.technicalprorj.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gpu.orca-trade.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wed.salahelden.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fri.technicalprorj.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627405; rev:1;)
# confidence_level 50 names under what appear to be shared tunnelling / port-forwarding zones
# (portmap.host, localto.net). The exact-name match keeps other tenants of the same zone out of
# scope, so do not widen these to the parent zone.
# NOTE(review): "manaura-43718.portmap.host" carries the same number as the port in the XWorm
# ip:port rule sid:91627406 above; presumably the same endpoint. Verify on the ThreatFox
# entries before treating the two alerts as independent evidence.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"manaura-43718.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627397/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"3thebfgnh.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627398/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"z9kahfjxc.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627399/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627399; rev:1;)
# Path on a shared paste service, rated confidence_level 50 by the feed: the indicator is the
# paste path (prefix-matched), not pastebin.com itself.
# NOTE(review): as an `alert http` rule this only covers cleartext HTTP requests; confirm
# whether the sensor sees this host's traffic decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/zu1f9id5"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627396/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627396; rev:1;)
# Exact-name dns rules, all rated confidence_level 50 by the feed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"new.executor.qzz.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627395/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.xoilaczzzgz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627393/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.xoilaczzzgz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627394/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627394; rev:1;)
# ip:port rule on port 443 with confidence_level 50: no flow or content keyword, so it matches
# on the destination address and port alone.
alert tcp $HOME_NET any -> [154.222.25.117] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627391/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627391; rev:1;)
alert tcp $HOME_NET any -> [154.222.25.117] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627392/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blog.atri.today"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627387/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gatex.xoilaczzzgz.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627388/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kw.atri.today"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627389/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pay.atri.today"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627390/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.250.195.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627386/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_10_27; classtype:trojan-activity; sid:91627386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u83mfds2/index.php"; depth:19; nocase; http.host; content:"77.91.78.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627384/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7f0d33720d0f381.php"; depth:21; nocase; http.host; content:"185.244.48.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627383/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_27; classtype:trojan-activity; sid:91627383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ef.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2bv.2h7-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627381/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627381; rev:1;)
# Exact-name dns rule: depth equals the name's length and isdataat:!1,relative forbids trailing
# bytes, so only a query for this exact name matches (case-insensitively, via nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ow.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627380; rev:1;)
# ip:port rule rated confidence_level 75 by the feed. No flow or content keyword is present, so
# any TCP packet from $HOME_NET to this address and port qualifies; the threshold caps output at
# one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [38.60.211.235] 36765 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627379/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627379; rev:1;)
# Matches the apex name only: the six-byte content with depth:6 and isdataat:!1,relative means
# queries for hosts under this domain do not raise this alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6yd.ru"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ya.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5yx.2h7-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627376; rev:1;)
# NOTE(review): unlike the other url rules in this run, this rule has no http.host match and
# instead requires a hostname at offset 0 of http.uri. A request URI normally begins with "/",
# so this rule probably does not fire on ordinary requests to that host; presumably the
# indicator was submitted without a scheme or path. If coverage for this host is wanted, check
# the referenced ThreatFox entry and add a local rule in your own sid range keyed on the host
# or the DNS query, rather than editing this feed rule, which the next feed update overwrites.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"fatisabi.linkpc.net"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1627120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627120; rev:1;)
# url rules with an IP literal as host: http.uri is a prefix match (start-anchored by depth, no
# end anchor) and http.host is pinned exactly. Only GET requests are covered, since http.method
# is matched against "GET".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateapi/pbjrh9wj.9es9e"; depth:23; nocase; http.host; content:"176.46.141.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc98bed393364b52.php"; depth:21; nocase; http.host; content:"178.16.54.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627123; rev:1;)
# ip:port rules: matching is on destination address and port alone, so the alert says a host
# in $HOME_NET sent TCP traffic there, not what was exchanged. An address can change hands
# after first_seen; check the indicator's current status on its ThreatFox reference before
# escalating, and expire these rules with the feed rather than keeping stale copies.
alert tcp $HOME_NET any -> [107.182.225.107] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627126; rev:1;)
alert tcp $HOME_NET any -> [101.34.205.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627132; rev:1;)
alert tcp $HOME_NET any -> 
[195.3.223.146] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627127; rev:1;) alert tcp $HOME_NET any -> [185.177.239.252] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627128; rev:1;) alert tcp $HOME_NET any -> [175.27.229.108] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627129; rev:1;) alert tcp $HOME_NET any -> [46.173.214.104] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627130; rev:1;) alert tcp $HOME_NET any -> [31.11.18.237] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627131; rev:1;) alert tcp $HOME_NET any -> [101.34.205.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627133/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627133; rev:1;) alert tcp $HOME_NET any -> [202.181.24.117] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627134; rev:1;) alert tcp $HOME_NET any -> [70.34.242.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627136; rev:1;) alert tcp $HOME_NET any -> [195.248.230.153] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627135; rev:1;) alert tcp $HOME_NET any -> [54.175.101.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627137; rev:1;) alert tcp $HOME_NET any -> [107.174.44.88] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627138; rev:1;) alert tcp $HOME_NET any -> [46.62.228.181] 8080 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627139; rev:1;) alert tcp $HOME_NET any -> [57.129.6.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627140; rev:1;) alert tcp $HOME_NET any -> [65.0.127.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627141; rev:1;) alert tcp $HOME_NET any -> [35.158.26.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627142; rev:1;) alert tcp $HOME_NET any -> [3.77.95.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627143; rev:1;) alert tcp $HOME_NET any -> [143.198.90.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627144/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_27; classtype:trojan-activity; sid:91627144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xi.pl-8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9tw.2h7-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627373; rev:1;) alert tcp $HOME_NET any -> [92.246.87.36] 5888 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627371; rev:1;) alert tcp $HOME_NET any -> [192.229.115.159] 8520 (msg:"ThreatFox ValleyRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getting-judicial.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"za.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627368; rev:1;) alert tcp $HOME_NET any -> [82.64.201.145] 43710 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627367; rev:1;) alert tcp $HOME_NET any -> [196.251.116.159] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627366; rev:1;) alert tcp $HOME_NET any -> [77.160.90.130] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627365/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1mk.2h7-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627364; rev:1;) alert tcp $HOME_NET any -> [192.229.115.159] 8521 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ow.ze-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q6pr.2h7-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"ya.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yo.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ai.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3yc.3v-3y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1t.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jo.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1627354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6b.3v-3y.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jo.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lo.ze-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ae.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627350; rev:1;) alert tcp $HOME_NET any -> [196.75.193.242] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627349; rev:1;) alert tcp 
$HOME_NET any -> [104.250.169.5] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627348; rev:1;) alert tcp $HOME_NET any -> [66.85.27.179] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627347; rev:1;) alert tcp $HOME_NET any -> [152.42.189.132] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627346; rev:1;) alert tcp $HOME_NET any -> [37.114.41.229] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627345; rev:1;) alert tcp $HOME_NET any -> [34.29.218.146] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627344; rev:1;) alert tcp $HOME_NET any -> [95.9.236.210] 9995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627342/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627342; rev:1;) alert tcp $HOME_NET any -> [178.16.54.184] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627343; rev:1;) alert tcp $HOME_NET any -> [209.151.154.151] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627341; rev:1;) alert tcp $HOME_NET any -> [196.251.80.130] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g1zx.3v-3y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fa.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"lo.pl-8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"he.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2tl.3v-3y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"me.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9x4.7kf1u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"he.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627332/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627332; rev:1;)
# Review note (domain rules): each dns rule in this group matches one full query name only.
# depth equals the length of the name and isdataat:!1,relative rejects anything after it;
# nocase makes the comparison case-insensitive. Other labels under the same parent domain are
# not covered: 3v-3y.ru and 7kf1u.ru each appear below with more than one left-most label.
# A local suffix rule (for example a content match on ".3v-3y.ru" with endswith) is a separate
# decision for the operator.
# A hit shows that a $HOME_NET client asked for the name (target:src_ip marks that client as the
# affected side); it does not show that anything was downloaded. Lookups made over encrypted DNS
# are not visible to these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7md.3v-3y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ta.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627329; rev:1;)
alert tcp $HOME_NET any -> [108.170.31.37] 7705 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627328; rev:1;)
# NOTE(review): 172.67.186.100 appears to sit in Cloudflare address space (verify against the
# provider's published ranges). An ip:port rule on a shared reverse-proxy address matches traffic
# to every site served from it, and this entry is only confidence_level 75. Keep it alert-only
# and correlate with the requested hostname (TLS SNI, http.host) before blocking on it.
alert tcp $HOME_NET any -> [172.67.186.100] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627327/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mz1.7kf1u.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627326; rev:1;)
# The confidence level is carried both in msg and in metadata (confidence_level 75 here), so
# lower-confidence entries can be routed or filtered separately from the 100% ones downstream.
alert tcp $HOME_NET any -> [118.195.236.210] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627325/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627325; rev:1;)
# NOTE(review): 104.21.32.116 also appears to be a Cloudflare front-end address; the shared-address
# false-positive caveat given for 172.67.186.100 above applies here as well. Verify before acting.
alert tcp $HOME_NET any -> [104.21.32.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627324/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bililbilil.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627323/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ar.ze-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f9q.3v-3y.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ox.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3.7kf1u.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"na.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"he.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blue.ky-4-x.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627316; rev:1;)
# Review note: one rule per ThreatFox IOC. In every rule below the sid is the IOC id from the
# reference URL with a leading 9 (sid:91627315 <-> threatfox.abuse.ch/ioc/1627315/), so an alert
# can be traced back to its feed entry from the sid alone.
# The dns rules are exact-name matches (depth equals the name length, isdataat:!1,relative anchors
# the end, nocase). Look-alike parents that differ only by a hyphen (ky-4x.ru and ky-4-x.ru below)
# are separate names with separate rules; neither rule covers the other spelling or other
# sub-domains of either parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ut.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pine.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cook.ky-4-x.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aw.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627312; rev:1;)
# This ip:port entry is confidence_level 75 and has no payload or flow condition: any TCP packet
# from $HOME_NET to this address and port matches, limited to one alert per source per 60 s.
# Corroborate with host telemetry before treating the source as compromised.
alert tcp $HOME_NET any -> [196.251.114.65] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627311/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_27; classtype:trojan-activity; sid:91627311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quit.ky-4-x.ru"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rift.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"re.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clay.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"da.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1t.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627163/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_27; classtype:trojan-activity; sid:91627163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"port.ky-4-x.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oe.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"open.ky-4-x.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627159; rev:1;) alert tcp $HOME_NET any -> [185.173.38.8] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627158; rev:1;) alert tcp $HOME_NET any -> [192.159.99.245] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627157; rev:1;) alert tcp $HOME_NET any -> [196.251.114.12] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627156; rev:1;) alert tcp $HOME_NET any -> [185.208.158.78] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627155; rev:1;) alert tcp $HOME_NET any -> [23.146.241.142] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627154; rev:1;) alert tcp $HOME_NET any -> [158.94.209.52] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_27; classtype:trojan-activity; sid:91627153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; 
classtype:trojan-activity; sid:91627152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0l0.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"if.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"node.ky-4-x.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"gale.tr-8-n.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"el.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b00k.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627124; rev:1;) alert tcp $HOME_NET any -> [199.127.61.237] 9019 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627122/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l0gs.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1627119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1lk.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5o.do-k3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ye.ze-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eh.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627114; 
rev:1;)
# Domain rules in this feed match one exact name: depth equals the content length (anchors the start of dns_query)
# and isdataat:!1,relative requires that no byte follows it. Subdomains of a listed name, and other names under the
# same parent (for example ydns.eu), are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l0re.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627113; rev:1;)
# The next three rules carry confidence_level 50. Treat a hit as a lead to corroborate with other telemetry
# (later connections from the same source, endpoint evidence), not as a confirmed C2 contact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"icebergtbilisi.ge"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ablelifepurelife.ydns.eu"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ablelifepurelifebk.ydns.eu"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lake.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"ah.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tab.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"end.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mint.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jump.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627104/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kawt2qxfppuenm/index.php"; depth:25; nocase; http.host; content:"mi.overlapsnowbound.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"join.re-t-0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ol.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627098/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t00l.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fa.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0ve.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fern.n-4-ke.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627094; rev:1;) alert tcp $HOME_NET any -> [92.112.125.132] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627093; rev:1;) alert tcp $HOME_NET any -> [125.24.164.96] 7443 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627092; rev:1;)
# ip:port rules carry no flow, content or application-layer keywords: they match any TCP packet from $HOME_NET
# to the listed address and port. The malware family named in msg comes from the ThreatFox entry; nothing in the
# inspected traffic confirms it.
# threshold (type limit, track by_src, seconds 60, count 1) emits at most one alert per source address per
# 60 seconds, so alert counts say nothing about connection volume. Use flow records to size the activity.
# On common service ports such as 443, any connection to the address fires the rule. Check first_seen and the
# referenced ThreatFox entry before assuming an older address is still under the same control.
alert tcp $HOME_NET any -> [31.14.17.141] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627091; rev:1;)
alert tcp $HOME_NET any -> [208.85.16.193] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627090; rev:1;)
alert tcp $HOME_NET any -> [185.72.199.92] 1717 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627089; rev:1;)
alert tcp $HOME_NET any -> [105.97.132.171] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627088; rev:1;)
alert tcp $HOME_NET any -> [199.217.99.148] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627087/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_26; classtype:trojan-activity; sid:91627087; rev:1;) alert tcp $HOME_NET any -> [158.94.209.58] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627085; rev:1;) alert tcp $HOME_NET any -> [158.94.209.50] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cog.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hi.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1le.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627083; rev:1;) alert tcp $HOME_NET any -> [94.154.35.153] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627081/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627081; rev:1;)
# url rules fire only on established client-to-server flows that Suricata parses as HTTP, and only when the
# method buffer contains GET. The same indicator requested over TLS is invisible to them unless the sensor sees
# decrypted traffic, so pair them with DNS or TLS SNI visibility for the host.
# http.host is pinned to the exact value (depth equals the content length, isdataat:!1,relative forbids trailing
# bytes). The http.uri content has depth but no end anchor, so it is a prefix match: longer paths and query
# strings that begin with the listed path also alert.
# The rules below share one http.host value and differ only in path; a hunt on the host name also covers paths
# the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avast_update"; depth:13; nocase; http.host; content:"cmqsqomiwwksmcsw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/client_hello"; depth:17; nocase; http.host; content:"cmqsqomiwwksmcsw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tasks/collect"; depth:14; nocase; http.host; content:"cmqsqomiwwksmcsw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tasks/get_worker"; depth:17; nocase; http.host; content:"cmqsqomiwwksmcsw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627051/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/client/new"; depth:15; nocase; http.host; content:"cmqsqomiwwksmcsw.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/fhst.pdf"; depth:18; nocase; http.host; content:"anydesck.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kenges-rakishev-investigation.is"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dorimeinserino.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.aieov.com"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1627059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627059; rev:1;) alert tcp $HOME_NET any -> [178.16.55.189] 90 (msg:"ThreatFox SalatStealer payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627067/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627067; rev:1;) alert tcp $HOME_NET any -> [213.209.143.41] 41323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627080/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.snickers.lol"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627079; rev:1;) alert tcp $HOME_NET any -> [58.216.62.178] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627057/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627057; rev:1;) alert tcp $HOME_NET any -> [157.250.195.21] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627056/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627056; rev:1;) alert tcp $HOME_NET any -> [1.161.104.168] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627054/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7gs.4aeaco0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"idea.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uh.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"host.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ex.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1627034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.4aeaco0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b00t.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627033; rev:1;) alert tcp $HOME_NET any -> [151.243.95.164] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"growth-turtle.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ka.do-k3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; 
sid:91627030; rev:1;)
# Several C2 names below share a parent suffix (gl.at.ply.gg for three of them, duckdns.org for one).
# duckdns.org is a dynamic-DNS service; the ply.gg names look like endpoints handed out by a shared tunnelling
# or hosting service (verify against the ThreatFox entries).
# Each rule matches only the full listed name (depth equals the content length, isdataat:!1,relative), so the
# parent service itself is not flagged. Keep that scope when deriving blocklists from this feed: blocking the
# parent suffix would also hit unrelated users of the service.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedumanno.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"articles-dividend.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"job-citizenship.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"county-secret.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gift.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"em.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gear.pl-8-a.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8yr.4aeaco0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pa55.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1627020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"am.x3-ri.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"needleexperience.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627017; rev:1;)
# url rule: exact http.host match plus a prefix match on http.uri (depth anchors the start; nothing anchors the
# end). It applies only to GET requests on flows parsed as HTTP, and it carries confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7p28w7bn"; depth:9; nocase; http.host; content:"my.to-qa.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627016; rev:1;)
# Here the http.uri content is "/" with depth:1, which any request path satisfies, so this rule is in effect a
# host-only match on GET requests to the name below. At confidence_level 50 that makes it a broad indicator:
# corroborate with what was actually retrieved and what the source host did next before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lusakamarathon.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627015; rev:1;)
alert tcp $HOME_NET any -> [185.238.191.35] 3000 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1627014/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627014; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 58261 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.to-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91627012; rev:1;) alert tcp $HOME_NET any -> [38.134.148.74] 443 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627011/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91627011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"write-event.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1627010/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; nocase; http.host; content:"87.121.79.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627007/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627007; rev:1;)
# URL rules at feed confidence 50. Each requires a GET whose URI starts with the
# given content (no end anchor) and whose Host is exactly the given value.
# They apply only to traffic parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; nocase; http.host; content:"176.65.148.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627008; rev:1;)
# A two-byte URI prefix "/i" also matches unrelated paths on the same host
# (anything beginning with /i), so the Host value carries most of the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.53.30.229"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627009; rev:1;)
# URI content "/" with depth:1: any GET to this host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cbsrs89.cc"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64.1"; depth:9; nocase; http.host; content:"202.55.132.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627005; rev:1;)
# Same "/i" prefix as sid:91627009, on a different host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; nocase; http.host; content:"42.232.50.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627006; rev:1;)
# The URI names mimikatz.exe. The rule is tied to this one host, so a fetch of
# the same file name from any other server is not covered here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mimikatz_trunk/win32/mimikatz.exe"; depth:34; nocase; http.host; content:"120.25.163.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627003; rev:1;)
# C2 URL entries whose path is just "/": in effect Host-only matches on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server9.cdneurops.buzz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ails06.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1627001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91627001; rev:1;)
# ip:port rule: any TCP packet from $HOME_NET to this address and port matches,
# limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [178.16.54.119] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1627000/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_10_26; classtype:trojan-activity; sid:91627000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ka.s2-ly.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1te.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"classic-dave.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rfvlive.help"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utps.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"systemsupport.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626994; rev:1;)
# Domain rules: exact query-name match (depth equals content length, and
# isdataat:!1,relative rejects any trailing byte).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwrstghbwrtjynrsfghberth.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ka.ze-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626992; rev:1;)
# Stealc entries come as an ip:port rule, in two cases paired with a URL rule for
# the same server. The ip:port rule matches any TCP packet to the address on port 80
# (one alert per source per 60 s); the URL rule adds a GET to the listed .php path
# with the IP literal as Host. One check-in can therefore raise both SIDs.
# NOTE(review): the URL rules require GET. A request to the same path with another
# method would only be caught by the ip:port rule.
alert tcp $HOME_NET any -> [170.130.55.38] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad23d4a47cfd4c13.php"; depth:21; nocase; http.host; content:"170.130.55.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626988; rev:1;)
alert tcp $HOME_NET any -> [45.155.69.25] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8380e89dabaee4a.php"; depth:21; nocase; http.host; content:"45.155.69.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626990; rev:1;)
# No URL rule for this server is visible next to the ip:port entry.
alert tcp $HOME_NET any -> [193.151.108.232] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farm.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ka.ky-4x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j1.4aeaco0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1626983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pe.vex-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626984; rev:1;)
# C2 URL rules whose URI is a login path. A hit means a host in $HOME_NET sent a
# GET for that page to the listed server.
# NOTE(review): that client may be an analyst or a scanner rather than an implant -
# check the source host before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.173.152.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626953; rev:1;)
# The HTTP rule has "any" as destination port; the ip:port rule that follows pins
# the same address to port 3176.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.236.203.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626959; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.114] 3176 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626960; rev:1;)
# Exact-name matching: the rule for bhware.store does not match root.bhware.store,
# which is why the feed carries a second rule for it. Any other subdomain of this
# zone is not covered by either rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhware.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"root.bhware.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626967; rev:1;)
# ip:port rules: header-only match on destination address and port, one alert per
# source per 60 seconds. The malware family appears only in msg; nothing in the rule
# inspects the protocol spoken on the port.
alert tcp $HOME_NET any -> [95.223.252.235] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626982; rev:1;)
alert tcp $HOME_NET any -> [23.94.190.51] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626981; rev:1;)
alert tcp $HOME_NET any -> [43.246.210.148] 3350 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626980; rev:1;)
# Port 443 with no TLS keywords: every connection to this address matches,
# regardless of the server name requested.
alert tcp $HOME_NET any -> [123.60.168.129] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; 
sid:91626979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edit.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"re.wi-7e.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xh5.6aiiwi2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ut.tr-8n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"er.n4-ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"r2n.6aiiwi2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"data.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"em.pl-8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calm.me-2-v.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho.do-k3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f.6aiiwi2.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626969/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0me.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"da.qen-9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0de.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l9q7.6aiiwi2.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oy.r1v-x.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oh.re-t0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b.6aiiwi2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jab.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boat.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fry.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wed.pl8a.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"area.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"one.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626950; rev:1;) alert tcp $HOME_NET any -> [101.34.205.46] 7000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626908; rev:1;) alert tcp $HOME_NET any -> [79.132.170.91] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626909; rev:1;) alert tcp $HOME_NET any -> [196.251.83.89] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; 
sid:91626910; rev:1;) alert tcp $HOME_NET any -> [165.227.208.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626911; rev:1;) alert tcp $HOME_NET any -> [165.227.208.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626912; rev:1;) alert tcp $HOME_NET any -> [190.16.203.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626913; rev:1;) alert tcp $HOME_NET any -> [35.158.26.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626914; rev:1;) alert tcp $HOME_NET any -> [20.199.89.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626915; rev:1;) alert tcp $HOME_NET any -> [47.121.179.212] 5443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626916; rev:1;) alert tcp $HOME_NET any -> [34.252.217.241] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626917; rev:1;) alert tcp $HOME_NET any -> [89.23.113.73] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626918; rev:1;) alert tcp $HOME_NET any -> [165.22.237.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626919; rev:1;) alert tcp $HOME_NET any -> [176.124.198.208] 7777 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626907; rev:1;) alert tcp $HOME_NET any -> [56.125.162.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626863/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626863; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c3.6aiiwi2.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acid.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"our.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9r2.7ph88.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yam.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626945; rev:1;) alert tcp $HOME_NET any -> [94.103.1.70] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1626944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"par.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b.7ph88.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"able.xa-5-r.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626943; rev:1;) alert tcp $HOME_NET any -> [167.17.40.139] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thread-faq.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; 
classtype:trojan-activity; sid:91626938; rev:1;)
# Exact-name DNS rule: depth equals the pattern length, which anchors the match at the
# start of the dns_query buffer, and isdataat:!1,relative requires that nothing follows
# it, so only this full name matches (case-insensitively, via nocase). Other names
# under ddns.net do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"norot15.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626939; rev:1;)
# NOTE(review): unlike the other "url" rules in this part of the feed, which match a
# path beginning with "/" in http.uri plus the server name in http.host, this rule puts
# a bare IPv4 literal in http.uri and has no http.host match. depth:13 equals the
# pattern length, so the literal must sit at the very start of the URI buffer;
# an ordinary "GET /..." request presumably never satisfies that. Verify against the
# IOC behind the reference URL before counting on this sid for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.214.50.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1626937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626937; rev:1;)
# IP:port rules: there are no flow or content keywords, so the match is on destination
# address and port alone and the malware family in msg comes from the feed, not from
# payload inspection. threshold (type limit, track by_src, seconds 60, count 1) caps
# output at one alert per source address per 60 seconds; target:src_ip marks the
# internal source as the affected side in alert output.
alert tcp $HOME_NET any -> [196.75.230.238] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626936; rev:1;)
alert tcp $HOME_NET any -> [14.103.149.177] 6000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626935; rev:1;)
alert tcp $HOME_NET any -> [18.162.232.144] 58603 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626934; rev:1;)
alert tcp $HOME_NET any -> [185.227.108.110] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626931; rev:1;) alert tcp $HOME_NET any -> [185.227.108.1] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626932; rev:1;) alert tcp $HOME_NET any -> [185.47.174.1] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626933; rev:1;) alert tcp $HOME_NET any -> [26.14.127.201] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626929; rev:1;) alert tcp $HOME_NET any -> [185.47.174.199] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bln.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; 
sid:91626928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4sm.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hue.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0jp.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h8rf.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boy.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"c1wn.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wee.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9y1.7ph88.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fad.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626906; rev:1;) alert tcp $HOME_NET any -> [85.239.35.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626905/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626905; rev:1;) alert tcp $HOME_NET any -> [47.101.40.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626904/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_10_26; classtype:trojan-activity; sid:91626904; rev:1;) alert tcp $HOME_NET any -> [178.16.54.117] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626903/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626903; rev:1;) alert tcp $HOME_NET any -> [122.152.233.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626902/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626902; rev:1;) alert tcp $HOME_NET any -> [106.52.62.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626901/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3z.7ph88.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"few.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"z6qa.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"k9toothsolutions.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626896/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfe0ddqn"; depth:9; nocase; http.host; content:"ate.qen9.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626897/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ate.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t3yg.9h-5y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"l5vd.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"odd.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aid.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e7pk.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jug.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f6.7ph88.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626888/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626888; rev:1;)
# Exact-name DNS rules: depth equal to the pattern length plus isdataat:!1,relative
# means the whole queried name must equal the content string (nocase); parent zones
# and sibling names do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u4qh.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yap.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626887; rev:1;)
# Feed confidence drops to 50 from here on in this stretch; weight these alerts
# accordingly when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"technical-adsl.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626885/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626885; rev:1;)
# NOTE(review): http.host here is stackoverflow.com, a widely used legitimate site, and
# the feed rates the IOC at confidence 50. The URI test is a case-insensitive prefix
# match ("/q/2152978/23354" within depth:16, no end anchor), so any GET whose URI
# starts with that string alerts. Presumably the page is referenced by malware rather
# than hosting it; confirm via the reference URL and treat a hit as a lead to
# correlate with other evidence from the source host, not as proof of compromise.
# The rule only sees HTTP the sensor can parse; requests made over TLS are not
# inspected unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q/2152978/23354"; depth:16; nocase; http.host; content:"stackoverflow.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626884/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"miodzaki.bit"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626883/; target:src_ip; metadata: confidence_level
50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"comando555.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626879/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dcdgloss.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626880/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"go-fairy.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626881/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"less-drives.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626882/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudflare.cooltheburn.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626877; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudflare.fentonph.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudflare.alegria-productions.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudflare.avicforging.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626876; rev:1;) alert tcp $HOME_NET any -> [31.57.188.76] 14256 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"x.hinderalawfirm.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626872/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"yww68h3pz.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626873; rev:1;)
# NOTE(review): http.host is pastebin.com, a shared paste service, so the only thing
# that separates this IOC from ordinary use of the site is the URI prefix
# "/raw/jijqj12g" (depth:13, nocase, no end anchor). Feed confidence is 50. The rule
# only fires on HTTP the sensor can parse; the same fetch over TLS is not inspected
# unless traffic is decrypted upstream, so absence of alerts is not evidence of absence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jijqj12g"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626871/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626871; rev:1;)
# http.uri content "/" with depth:1 is satisfied by any URI that begins with "/", so
# this rule is effectively host-only: every GET to the exact http.host value alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dn.logllilssyou.mydns.bz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626870/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626870; rev:1;)
# Exact-name DNS rule (depth equals pattern length, isdataat:!1,relative, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"you.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626869; rev:1;)
# Same host-only shape as sid:91626870: URI "/" with depth:1, exact http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server11.nisdably.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626868/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626868; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medicare-plans/"; depth:16; nocase; http.host; content:"www.browse-health-insurance-plans.unitedhealthcare-group.uhc-com.vision-solution.top"; depth:84; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626865/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626865; rev:1;)
# NOTE(review): sid:91626865 (completed on the line above) and sid:91626866 (below)
# have identical match conditions: same method, URI prefix and http.host. They differ
# only in reference id and sid, so one matching request raises two alerts;
# de-duplicate downstream or suppress one of the two.
# The host stacks brand-like labels (unitedhealthcare-group, uhc-com) as subdomains;
# the domain actually being matched ends in vision-solution.top.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medicare-plans/"; depth:16; nocase; http.host; content:"www.browse-health-insurance-plans.unitedhealthcare-group.uhc-com.vision-solution.top"; depth:84; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626866/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626866; rev:1;)
# URL rules in this shape anchor the host exactly (depth equals pattern length plus
# isdataat:!1,relative) but match the URI only as a case-insensitive prefix, so any
# path under the listed directory on that host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huc/"; depth:5; nocase; http.host; content:"reddesignandprint.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626867/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/"; depth:7; nocase; http.host; content:"webrat.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626864/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_26; classtype:trojan-activity; sid:91626864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mz6.5bq18.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a2mx.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gad.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626860; rev:1;) alert tcp $HOME_NET any -> [3.84.111.100] 53685 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626859; rev:1;) alert tcp $HOME_NET any -> [168.245.201.8] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626857; rev:1;) alert tcp $HOME_NET any -> [24.168.206.186] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1626858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626858; rev:1;) alert tcp $HOME_NET any -> [191.8.234.185] 6653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626856; rev:1;) alert tcp $HOME_NET any -> [144.172.109.53] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626855; rev:1;) alert tcp $HOME_NET any -> [95.9.236.210] 9996 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626854; rev:1;) alert tcp $HOME_NET any -> [104.243.37.233] 6066 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626853; rev:1;) alert tcp $HOME_NET any -> [74.208.167.121] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626852; rev:1;) alert tcp $HOME_NET any -> [112.124.97.171] 8080 (msg:"ThreatFox Ghost RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626851; rev:1;) alert tcp $HOME_NET any -> [154.12.51.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1e.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g9tl.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vat.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banjuyj.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626585/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626585; rev:1;)
# Domain rules (alert dns ... dns_query): each rule inspects the DNS query-name
# buffer. depth:<n> equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so together with nocase
# the rule matches the listed name exactly and case-insensitively. Subdomains of
# a listed name, and other names under the same registered domain, do not match.
# Direction is $HOME_NET -> $EXTERNAL_NET with target:src_ip, so the alert marks
# the querying address as the affected side.
# NOTE(review): where clients resolve through a recursive resolver inside
# $HOME_NET, that address is presumably the resolver rather than the client;
# confirm sensor placement and pair alerts with resolver query logs.
# sid is 9 followed by the ThreatFox IOC id from the reference URL
# (sid:91626586 <-> threatfox.abuse.ch/ioc/1626586/), which gives a direct pivot
# from an alert to the IOC record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blasttw.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626586/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"brothdy.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626587/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cutke.asia"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626588/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cracka.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626589/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"illuyxka.asia"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626590/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pseuyms.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626591/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"senegmx.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626592/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swepois.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626593/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tangebg.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626594/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vacuuex.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626595/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"walruhj.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626596/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chalkc.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626597/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ineffqa.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626599/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trannlh.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626598/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626598; rev:1;)
# IP:port rules (alert tcp ... -> [ip] port): the rule body carries no flow,
# flags or content keyword, so any TCP packet from $HOME_NET to that address and
# port matches, including a connection attempt that is never answered.
# threshold type limit / track by_src / seconds 60 / count 1 caps output at one
# alert per source address per 60 seconds. Read a hit as "host tried to reach
# this endpoint" and confirm with flow or host telemetry before concluding that
# a C2 session took place.
alert tcp $HOME_NET any -> [91.151.95.13] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626665/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626665; rev:1;)
alert tcp $HOME_NET any -> [94.156.152.237] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626667/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626667; rev:1;)
# Triage fields in these rules: msg names the ThreatFox threat type and, for
# ip:port entries, the malware family label; metadata repeats the feed's
# confidence_level (75 to 100 here) and first_seen date. classtype is
# trojan-activity on every rule, so it does not separate C2 from payload
# delivery; filter on msg or metadata for that.
# The ip:port rules match on destination address and port only (no flow or
# content keyword) and are limited to one alert per source per 60 seconds, so
# the family label in msg is the feed's attribution, not something the rule
# verifies on the wire.
# NOTE(review): several destinations use common service ports (80, 443, 8443).
# An address-only indicator stays accurate only while the address keeps serving
# the same purpose; consider ageing entries out using first_seen, and confirm
# the retention policy with whoever consumes this feed.
alert tcp $HOME_NET any -> [81.88.18.108] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626670/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"vps-2624.onecom-cloud.one"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626671/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626671; rev:1;)
alert tcp $HOME_NET any -> [160.238.13.201] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626672/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626672; rev:1;)
alert tcp $HOME_NET any -> [195.74.93.158] 8984 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626691/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626691; rev:1;)
alert tcp $HOME_NET any -> [139.159.149.202] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626704; rev:1;)
alert tcp $HOME_NET any -> [65.21.115.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626706/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_26; classtype:trojan-activity; sid:91626706; rev:1;)
# "Unknown malware" in msg means the feed entry carries no family attribution;
# the rule is otherwise identical in shape to the family-labelled ones.
alert tcp $HOME_NET any -> [220.246.201.233] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626708; rev:1;)
alert tcp $HOME_NET any -> [196.251.83.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626705; rev:1;)
alert tcp $HOME_NET any -> [129.151.240.2] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626709; rev:1;)
alert tcp $HOME_NET any -> [157.230.19.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626710; rev:1;)
alert tcp $HOME_NET any -> [115.120.216.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626711; rev:1;)
alert tcp $HOME_NET any -> [117.72.118.120] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626715; rev:1;)
alert tcp $HOME_NET any -> [51.20.65.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626712; rev:1;)
alert tcp $HOME_NET any -> [13.49.74.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626713; rev:1;)
alert tcp $HOME_NET any -> [162.141.117.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626714; rev:1;)
alert tcp $HOME_NET any -> [104.248.0.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626716; rev:1;)
alert tcp $HOME_NET any -> [103.242.180.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cureprjajaa.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626740; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.217] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626826/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_26; classtype:trojan-activity; sid:91626826; rev:1;)
alert tcp $HOME_NET any -> [144.172.100.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2k3.5bq18.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jag.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626843; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0we.8r-4u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626844; rev:1;)
# Payload-delivery domain rules: many entries are different host labels under
# the same parent domains (5bq18.ru, 6-w0y.ru, n4ke.ru, qen9.ru, ...). depth set
# to the content length plus isdataat:!1,relative pins each match to the full
# query name, so a host label that is not listed does not alert even when its
# parent domain appears in other rules. Coverage follows the feed one name at a
# time; gaps between feed updates are expected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1ct.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bog.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thy.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626840; rev:1;)
# ip:port rules: 8.145.48.4 and 23.133.4.99 each appear in two rules with
# different destination ports. Every ip:port pair has its own sid and therefore
# its own threshold state, so one host reaching both ports of the same address
# produces two alerts within the same 60-second window.
alert tcp $HOME_NET any -> [115.190.178.249] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626839; rev:1;)
alert tcp $HOME_NET any -> [38.55.132.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626838; rev:1;)
alert tcp $HOME_NET any -> [8.145.48.4] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626835; rev:1;)
alert tcp $HOME_NET any -> [8.145.48.4] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626836; rev:1;)
alert tcp $HOME_NET any -> [1.94.136.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9.5bq18.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7hp.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dry.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"his.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3yv.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ken.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0p4.5bq18.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rib.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626827; rev:1;)
alert tcp $HOME_NET any -> [23.133.4.99] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626825; rev:1;)
alert tcp $HOME_NET any -> [23.133.4.99] 5555 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626824; rev:1;)
# NOTE(review): portmap.host and ply.gg look like shared tunnelling/forwarding
# parent domains. The exact-name match keeps the next three rules scoped to the
# one reported subdomain rather than every name under the parent; confirm
# before broadening any of them locally.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server145454-55503.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"center-para.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nako-33498.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626821/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_26; classtype:trojan-activity; sid:91626821; rev:1;)
# dns_query selects the DNS query name as the buffer the following content
# keyword inspects.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer;
# confirm the Suricata release that loads this file still accepts the legacy
# name, and watch the rule-load log for parse warnings after engine upgrades.
# Every domain rule here alerts only on the DNS lookup. It does not show that a
# connection to the resolved address followed, so treat a hit as a lead to
# check against proxy, flow or endpoint logs for the same source and time.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m.5bq18.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"day.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8lb.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"set.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aim.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j5qn.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.5bq18.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pry.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2uk.6-w0y.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oft.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orb.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2w.1lt22.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"her.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rap.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b6dc.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4n9.1lt22.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"war.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"far.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0sa.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bid.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7.1lt22.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626800; rev:1;)
# Family-labelled ip:port rules (DCRat, AsyncRAT, Remcos, Cobalt Strike): the
# label in msg is the feed's attribution for the endpoint. The rule options
# contain only threshold, reference, target, metadata, classtype, sid and rev,
# so nothing in the packet payload is inspected and the family is not confirmed
# by the match itself.
alert tcp $HOME_NET any -> [185.217.199.146] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626799; rev:1;)
alert tcp $HOME_NET any -> [95.164.10.114] 5037 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626798; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.132] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626797; rev:1;)
alert tcp $HOME_NET any -> [107.155.68.162] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626795; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 9997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626796; rev:1;)
alert tcp $HOME_NET any -> [119.29.4.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626794; rev:1;)
alert tcp $HOME_NET any -> [23.95.117.248] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626793; rev:1;)
alert tcp $HOME_NET any -> [113.47.4.233] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626791; rev:1;)
alert tcp $HOME_NET any -> [118.195.236.210] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jam.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k2.1lt22.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tea.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1626788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626788; rev:1;)
# All rules below are rev:1 with first_seen 2025_10_26 and share
# classtype:trojan-activity, so engine priority is the same for a
# confidence_level 75 entry and a confidence_level 100 entry. Where alert
# routing should reflect the feed's confidence, key it on the metadata
# confidence_level value (or the percentage in msg) rather than on classtype.
# The domain rules match the full query name only (depth equals the content
# length and isdataat:!1,relative forbids trailing bytes); names under the same
# parent domain that are not listed here produce no alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7vx.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cap.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8q.1lt22.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pan.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4ty.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.1lt22.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bit.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p5w0.7aoasu3.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n1qh.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wet.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626779; rev:1;)
# The next three Cobalt Strike entries carry confidence_level 75, lower than the
# surrounding rules. They match destination address and port only and are
# limited to one alert per source per 60 seconds; 178.16.54.112 and
# 178.16.54.118 share port 2053 but are separate rules with separate sids.
alert tcp $HOME_NET any -> [38.181.219.93] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626777/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626777; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.112] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626775/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626775; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.118] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626776/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_26; classtype:trojan-activity; sid:91626776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bud.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"top.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8zr.3-s0u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bar.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4q.7aoasu3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spy.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sod.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y5fw.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"cab.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dug.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ice.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2jn.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626763; rev:1;) alert tcp $HOME_NET any -> [144.31.2.51] 56812 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pun.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626761/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gum.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9rx.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rub.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mat.b9ku.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1kd.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626756; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jar.fa0n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vow.pl8a.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hq7b.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hop.me2v.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rut.n4ke.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626751; rev:1;) alert tcp $HOME_NET any -> [89.32.41.31] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1626750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626750; rev:1;) alert tcp $HOME_NET any -> [168.119.105.156] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626749; rev:1;) alert tcp $HOME_NET any -> [196.251.114.12] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_26; classtype:trojan-activity; sid:91626748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7y1.7aoasu3.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dip.qen9.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3mp.4-l8u.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626745; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mob.m4rj.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0sb.o-b-79.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"raw.ju5q.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7rcl.o-b-79.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"did.vex0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9pa.o-b-79.ru"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626738; rev:1;) alert tcp $HOME_NET any -> [64.188.64.59] 3333 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2z.7aoasu3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ge1.xa5r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pitchz.locker"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626734/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4wj.o-b-79.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nobles.locker"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626732/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7d.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e1mk.o-b-79.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q6yt.o-b-79.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626728; rev:1;) alert tcp $HOME_NET any -> [175.178.98.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626727/; target:src_ip; metadata: confidence_level 75, 
first_seen 2025_10_25; classtype:trojan-activity; sid:91626727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iv.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0ga.i-c-81.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0q.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5vx.i-c-81.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"wj.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2lh.i-c-81.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626720; rev:1;) alert tcp $HOME_NET any -> [194.107.126.124] 6379 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626719/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jg.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f8rn.i-c-81.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sq.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y3pq.i-c-81.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nn.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y5n.0ouuky0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k1zw.i-c-81.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"52.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626698; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ru.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.0ouuky0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yb.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9sn.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q0h3.0ouuky0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"l0.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4ub.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7w.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3yk.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626686/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"33.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6jl.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cr.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ms.meqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626682; rev:1;) alert tcp $HOME_NET any -> [16.79.127.166] 60000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626681; rev:1;) alert tcp $HOME_NET any -> [81.91.177.192] 9000 
(msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626680; rev:1;) alert tcp $HOME_NET any -> [47.92.220.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r3.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.0ouuky0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kf.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0ce.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8d.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1se.jg-7-ra.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6t.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bw.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7px.i-d-96.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626666; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1gd.y-p-19.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626662; rev:1;) alert tcp $HOME_NET any -> [95.9.236.210] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626661/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626661; rev:1;) alert tcp $HOME_NET any -> [62.106.66.157] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626660/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626660; rev:1;) alert tcp $HOME_NET any -> [54.215.110.48] 55615 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626659/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wf.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626658; rev:1;) alert tcp $HOME_NET any -> [37.221.67.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626657/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626657; rev:1;) alert tcp $HOME_NET any -> [196.251.114.32] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626656/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626656; rev:1;) alert tcp $HOME_NET any -> [117.169.5.67] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626655/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u9tw.y-p-19.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626654; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l4.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dawn.jg-7-ra.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sp.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z5kr.y-p-19.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ui.x-vo4.ru"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626648; rev:1;) alert tcp $HOME_NET any -> [124.66.208.108] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626643; rev:1;) alert tcp $HOME_NET any -> [124.66.208.108] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626644; rev:1;) alert tcp $HOME_NET any -> [122.10.24.243] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626645; rev:1;) alert tcp $HOME_NET any -> [122.10.24.243] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626646; rev:1;) alert tcp $HOME_NET any -> [122.10.24.243] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626647; rev:1;) alert dns $HOME_NET 
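any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"know-studied.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626642; rev:1;)
# NOTE(review): the generated rule for IOC 1626641 tested the hostname against http.uri with
# depth:23. The URI buffer of an ordinary request starts with "/", so a bare hostname anchored at
# offset 0 is not expected to match and the rule would stay silent. The hostname test is moved to
# http.host and anchored at both ends (depth + isdataat:!1,relative), the form the other URL rules
# in this feed use. This is a local change to a generated feed: a refresh will overwrite it, so
# the IOC should also be reported upstream. Only GET requests over cleartext HTTP are covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"mi.overlapsnowbound.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626641; rev:1;)
# ip:port rules: there is no flow or payload condition, so the match is on destination address and
# port alone. The threshold keeps this to one alert per source address per 60 seconds, which means
# the alert count says nothing about connection volume; use flow records to size the activity.
# The three rules below cover the same address on three ports.
alert tcp $HOME_NET any -> [136.0.157.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626640; rev:1;)
alert tcp $HOME_NET any -> [136.0.157.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626638; rev:1;)
alert tcp $HOME_NET any -> [136.0.157.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212.ip.gl.ply.gg"; depth:16; fast_pattern; 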
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s7.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3ql.y-p-19.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"os.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2hf.y-p-19.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fd.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7mx.y-p-19.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5e.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"21.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0il.jg-7-ra.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0al.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"co.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0y.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mist.jg-7-ra.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"el.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tide.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1o.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e8.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8v.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tk.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626617; rev:1;) alert tcp $HOME_NET any -> [178.172.227.128] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626616; rev:1;) alert tcp 
$HOME_NET any -> [179.43.126.100] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626615; rev:1;) alert tcp $HOME_NET any -> [125.32.67.136] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626614; rev:1;) alert tcp $HOME_NET any -> [5.231.70.68] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626613; rev:1;) alert tcp $HOME_NET any -> [182.182.165.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626612; rev:1;) alert tcp $HOME_NET any -> [196.251.115.117] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nobles.locker"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626609; rev:1;)
# Domain rules: depth equals the length of the content string and isdataat:!1,relative requires
# that nothing follows it, so the query name must equal the listed FQDN (case-insensitive).
# A lookup for a subdomain of the listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unembel.locker"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626610; rev:1;)
# URL rule for the same host as the DNS rule above. The host is matched exactly, but the URI test
# is a prefix: depth:4 with no end anchor matches any GET whose URI starts with "/api".
# Other request methods are not tested by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unembel.locker"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626608/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0ss.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626607; rev:1;)
# ip:port rule: no flow or payload condition, so it matches on destination address and port alone;
# the threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [124.66.208.108] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9z.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626605/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_25; classtype:trojan-activity; sid:91626605; rev:1;)
# Domain rules: the query name must equal the listed FQDN exactly (depth = content length,
# isdataat:!1,relative forbids trailing data, nocase makes the comparison case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gl0w.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sk.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626602; rev:1;)
# ip:port rule published at confidence level 50, on port 80, with no payload condition: any TCP
# traffic from $HOME_NET to this address and port raises it (one alert per source per 60 seconds).
# Treat a hit as a lead to corroborate, not as a verdict; the feed also carries a URL rule for the
# same address (sid 91626437, confidence level 100) that ties the alert to a specific request.
alert tcp $HOME_NET any -> [196.251.81.93] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626601/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j5.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"5b.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mist.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fern.sne-4-p.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qh.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l00m.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626578; rev:1;)
# Domain rules for botnet C2 names: exact, case-insensitive match on the full query name
# (depth = content length plus isdataat:!1,relative). Subdomains of these names do not match.
# The rules see DNS traffic only; a client resolving over an encrypted resolver is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybertecha.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"browsertools.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamedb.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudupdate.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626481; rev:1;)
# Payload-delivery URL rule: a GET from $HOME_NET whose URI starts with the listed path
# (depth:15 anchors the start only, so a trailing query string still matches) and whose Host
# value is exactly the listed IP address. The alert records the request, not whether the
# download completed; confirm on the host named by target:src_ip.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sky/clinet.exe"; depth:15; nocase; http.host; content:"178.16.55.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626476/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626476; rev:1;)
# C2 URL rule: GET request, URI starting with the listed path, Host equal to the listed address.
# Only the GET method is tested, so a POST to the same path does not raise this rule. The same
# address also has an ip:port rule in this feed (sid 91626601, confidence level 50); a hit on
# this rule is the more specific of the two signals.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/index.php"; depth:20; nocase; http.host; content:"196.251.81.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626437; rev:1;)
# Domain rules: exact, case-insensitive match on the full query name; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y5.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nexu5.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ve1l.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626574/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626574; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative requires the dns_query buffer to end right after it, so
# each rule fires only on that exact query name (nocase makes the comparison
# case-insensitive). Other subdomains of the same parent need their own rule.
# target:src_ip marks the querying $HOME_NET host as the affected side.
# In the rules shown here the sid is "9" followed by the ThreatFox IOC id from
# the reference URL, which makes an alert easy to trace back to its IOC entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yu.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tidal.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wm.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cd.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"candy.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zl.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626568; rev:1;)
# ip:port rule: there are no flow or content keywords, so any TCP packet from
# $HOME_NET to this address and port matches (a connection attempt is enough).
# The threshold limits output to one alert per source host per 60 seconds.
# Confidence is 75% and the port is 443, so corroborate with endpoint or proxy
# telemetry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [187.10.174.10] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626567/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"au.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"charm.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plush.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"81.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gale.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xd.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0xide.lizqa.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"peak.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity;
sid:91626558; rev:1;)
# URL rules: flow:established,from_client restricts matching to client requests
# on an established flow. http.host is matched exactly (depth equals the string
# length and isdataat:!1,relative forbids trailing bytes); http.uri only has a
# depth, so it is a prefix match and anything appended to the path still
# matches. These are http rules, so the same host reached over TLS is not
# inspected by them unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lertyui9/gerty56/fre.php"; depth:25; nocase; http.host; content:"www.szonlane.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626557; rev:1;)
# Domain rules match the exact query name only: depth equals the content length
# and isdataat:!1,relative requires the dns_query buffer to end there.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0g.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626556; rev:1;)
# content:"/"; depth:1 is true for every request path, so this rule is in
# effect a host-only match on GET requests; confidence is 50%.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"de78.toptubereviews.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626555/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626555; rev:1;)
# NOTE(review): myftp.biz and myvnc.com look like dynamic-DNS parent domains
# (assumption, confirm). The exact-name match keeps each rule scoped to this one
# hostname rather than to every name under the shared parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahmoudzoroo.myftp.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate.myvnc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clay.uht3o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626552; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches (a connection attempt is enough). The
# threshold limits output to one alert per source host per 60 seconds per rule.
# The same address appears below with two ports, each as its own sid.
alert tcp $HOME_NET any -> [103.86.44.18] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626550; rev:1;)
alert tcp $HOME_NET any -> [103.86.44.18] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626551; rev:1;)
# Host-only in effect: the "/" prefix matches every request path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.bn.cail1teve.mydns.bz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626549/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626549; rev:1;)
alert tcp $HOME_NET any -> [125.25.110.70] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626548; rev:1;)
alert tcp $HOME_NET any -> [165.154.5.76] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626547; rev:1;)
alert tcp $HOME_NET any -> [139.180.131.34] 10001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wanfeng168.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626546/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626546; rev:1;)
# NOTE(review): gl.at.ply.gg appears to be a shared tunnelling-service suffix
# (assumption, confirm); only these two exact names are matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"single-finally.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"links-rwanda.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626543; rev:1;)
alert tcp $HOME_NET any -> [159.203.100.206] 25565 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626542; rev:1;)
# tlgrm-redirect.icu is covered by this URL rule (sid 91626541) and by a domain
# rule further down (sid 91626539); one cleartext fetch can raise both alerts,
# so group on host when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.txt"; depth:6; nocase; http.host; content:"tlgrm-redirect.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626541/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tlgrm-redirect.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kh.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pearl.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1626537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626537; rev:1;)
# Domain rules: depth equals the length of the content string and
# isdataat:!1,relative requires the dns_query buffer to end right after it, so
# each rule fires only on that exact query name (case-insensitive via nocase).
# Several names below share a parent domain; each subdomain is listed as its
# own IOC and sid, and an unlisted sibling subdomain will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8q.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qu1rk.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626535; rev:1;)
# ip:port rule: no flow or content keywords, so any TCP packet from $HOME_NET to
# this address and port matches; the threshold limits output to one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [196.251.72.69] 1948 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"28.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9i.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grain.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0id.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2t.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"azure.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i3.meqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8t.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"raven.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lb.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maple.q0spi.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tide.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lm.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626475/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626475; rev:1;)
# URL rules: flow:established,from_client restricts matching to client requests
# on an established flow. http.host is matched exactly (depth equals the string
# length and isdataat:!1,relative forbids trailing bytes); http.uri only has a
# depth, so it is a case-insensitive prefix match and longer paths or query
# strings still match. These are http rules, so the same host reached over TLS
# is not inspected by them unless traffic is decrypted before the sensor; the
# matching domain rules further down cover the lookup for some of these hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/categories/"; depth:12; nocase; http.host; content:"avsomi.co"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626474/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626474; rev:1;)
# Domain rules match the exact query name only (depth plus isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.npa-eportal.digital-service.elster-de.status-drive.top"; depth:58; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626472; rev:1;)
# The name ends in s3.ap-northeast-2.amazonaws.com, i.e. a bucket on a shared
# cloud storage endpoint; the exact-name match scopes the rule to this bucket
# name, not to the provider's domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"package2879-core-maht-improved.s3.ap-northeast-2.amazonaws.com"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eportal/"; depth:9; nocase; http.host; content:"www.npa-eportal.digital-service.elster-de.status-drive.top"; depth:58; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yw87ybm77yrtva"; depth:15; nocase; http.host; content:"package2879-core-maht-improved.s3.ap-northeast-2.amazonaws.com"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ql3qfvot"; depth:9; nocase; http.host; content:"4f.jeqr.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wwww/daily/top"; depth:15; nocase; http.host; content:"whitebarsunlight.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626464/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626464; rev:1;)
# content:"/"; depth:1 is true for every request path, so this rule is in
# effect a host-only match. The host sits under appspot.com, a shared
# application-hosting suffix; the exact-host match keeps it to this one app.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"willowabbyoptimization-dot-elite-magpie-462511-c4.uc.r.appspot.com"; depth:66; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626465/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9xfc0noz"; depth:9; nocase; http.host; content:"5w.g-lim.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ozkn69k3n.sh"; depth:14; nocase; http.host; content:"zebra.fenod.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.bin"; depth:8; nocase; http.host; content:"up.freeandlast.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626468; rev:1;)
# Host-only in effect: the "/" prefix matches every request path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"68gamewin7.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/captcha/"; depth:9; nocase; http.host; content:"freelawchat.ai"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626462; rev:1;)
# NOTE(review): urlz.fr looks like a public URL-shortening service (assumption,
# confirm). The five-byte "/urco" prefix also matches any other path on that
# host that begins with the same characters, and confidence is 50%, so expect
# this sid to need triage before escalation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/urco"; depth:5; nocase; http.host; content:"urlz.fr"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626463/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626463; rev:1;)
# The next domains also appear as http.host in the URL rules above (4f.jeqr.ru,
# 5w.g-lim.ru, zebra.fenod.online): the lookup alerts at confidence 100 and a
# cleartext fetch alerts again at confidence 50, so group on host when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4f.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0se.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5w.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zebra.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity;
sid:91626457; rev:1;)
# Domain rule: exact query-name match (depth equals the content length and
# isdataat:!1,relative requires the dns_query buffer to end there).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y2.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626456; rev:1;)
# ip:port rules: there are no flow or content keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; a connection attempt alone
# is enough, and the alert does not show that a session was established or what
# was exchanged. The threshold limits output to one alert per source host per
# 60 seconds per rule. target:src_ip marks the internal host as the affected side.
# The first rule below is on port 80, where an address may also serve unrelated
# sites; check flow and HTTP logs for the same source before escalating.
alert tcp $HOME_NET any -> [192.210.235.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626455; rev:1;)
alert tcp $HOME_NET any -> [148.230.99.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626454; rev:1;)
alert tcp $HOME_NET any -> [166.88.142.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626452; rev:1;)
# The msg for the following entries names the family only as "Unknown malware";
# use the reference URL in each rule to look up the IOC record when triaging.
alert tcp $HOME_NET any -> [14.44.67.60] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626451; rev:1;)
alert tcp $HOME_NET any -> [222.112.130.92] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626448; rev:1;)
alert tcp $HOME_NET any -> [37.203.250.52] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626449; rev:1;)
alert tcp $HOME_NET any -> [220.121.206.37] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626450; rev:1;)
alert tcp $HOME_NET any -> [61.76.175.46] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626446; rev:1;)
alert tcp $HOME_NET any -> [210.222.156.151] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626447; rev:1;)
alert tcp $HOME_NET any -> [211.114.133.103] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626444; rev:1;)
alert tcp $HOME_NET any -> [108.168.8.135] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626445; rev:1;)
alert tcp $HOME_NET any -> [24.10.126.194] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626442; rev:1;)
alert tcp $HOME_NET any -> [207.38.227.101] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626443; rev:1;)
alert tcp $HOME_NET any -> [81.94.94.99] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626440; rev:1;)
alert tcp $HOME_NET any -> [135.23.161.85] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626441; rev:1;)
alert tcp $HOME_NET any -> [139.199.157.125] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1626439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626439; rev:1;) alert tcp $HOME_NET any -> [196.251.88.188] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lf.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cedar.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alumibro.asia"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meeukdt.locker"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; 
sid:91626434; rev:1;) alert tcp $HOME_NET any -> [158.94.208.98] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3u.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1nt.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626430; rev:1;) alert tcp $HOME_NET any -> [158.94.208.93] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flint.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ln.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626427; rev:1;)
# Address-and-port match with a per-source limit of one alert per 60 seconds; target:src_ip marks
# the $HOME_NET source as the affected side in the alert record.
alert tcp $HOME_NET any -> [147.185.221.229] 50473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626426; rev:1;)
# Payload-delivery domains: the query name must equal the content string exactly (anchored at both
# ends, nocase). These rules carry no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9o.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prism.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8h.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626422/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626422; rev:1;)
# Several msg strings below say "Unknown malware": the rule carries no family attribution, so
# triage context has to come from the ThreatFox entry in the reference URL.
# All of these match on destination address and port alone, limited to one alert per source per
# 60 seconds.
alert tcp $HOME_NET any -> [220.121.11.221] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626215; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.42] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626172; rev:1;)
alert tcp $HOME_NET any -> [221.163.215.226] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626217; rev:1;)
alert tcp $HOME_NET any -> [145.40.252.206] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626216; rev:1;)
alert tcp $HOME_NET any -> [138.75.120.161] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626218; rev:1;)
alert tcp $HOME_NET any -> [152.42.197.32] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626219; rev:1;)
# Destination-only rules for ports 3333 and 443: nothing about the session content is checked.
# NOTE(review): an address can be reassigned after first_seen; confirm the indicator is still
# listed at the reference URL before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [116.62.151.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626220; rev:1;)
alert tcp $HOME_NET any -> [44.217.119.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626221; rev:1;)
alert tcp $HOME_NET any -> [178.254.12.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626223; rev:1;)
alert tcp $HOME_NET any -> [159.203.70.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626222; rev:1;)
alert tcp $HOME_NET any -> [91.98.114.154] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626224; rev:1;)
# tcp rules: destination address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [128.140.12.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626225; rev:1;)
alert tcp $HOME_NET any -> [157.90.231.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626226; rev:1;)
alert tcp $HOME_NET any -> [135.181.101.129] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626227; rev:1;)
# dns rule: exact, case-insensitive match on the full query name; other names under the same
# parent domain are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.sayyesmovement.ca"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626230; rev:1;)
# http rule: client GET on an established flow. The URI content is anchored at the start only
# (depth, no end check), so it is a case-insensitive prefix match; the host value is anchored at
# both ends. Only traffic Suricata parses as HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/login.php"; depth:20; nocase; http.host; content:"196.251.81.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626408; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/login.php"; depth:20; nocase; http.host; content:"ns2.logrecovery.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626411; rev:1;)
# Same URI path on sibling hostnames: each rule pairs a start-anchored, case-insensitive URI
# prefix with an exact http.host value, so one rule is needed per hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/login.php"; depth:20; nocase; http.host; content:"mail.logrecovery.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/login.php"; depth:20; nocase; http.host; content:"www.logrecovery.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626410; rev:1;)
# confidence_level 75 (lower than the 100 on the rules above). NOTE(review): Havoc is also used
# in sanctioned red-team work; check hits against authorized engagements before escalating.
alert tcp $HOME_NET any -> [184.82.96.153] 444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626420/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6y.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626421; rev:1;)
# Payload-delivery domains, matched as the exact full query name (depth = content length, nothing
# may follow, nocase). An alert records that a $HOME_NET host asked for the name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fern.sne4p.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iyr1c.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626417; rev:1;)
# confidence_level 75 on the DeimosC2 entries: destination address and port only, on ports
# (443, 8080) that ordinary services also use, so corroborate a hit with host-side evidence.
alert tcp $HOME_NET any -> [77.110.100.54] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626416/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626416; rev:1;)
alert tcp $HOME_NET any -> [70.183.54.124] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626415/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626415; rev:1;)
alert tcp $HOME_NET any -> 
[60.163.142.133] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626414/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626414; rev:1;)
# dns rules here match one exact query name each (anchored at both ends, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rn.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626413; rev:1;)
# confidence_level 75, destination address and port 443 only. NOTE(review): Brute Ratel C4 is a
# commercial adversary-simulation tool; check hits against authorized testing before escalating.
alert tcp $HOME_NET any -> [207.180.216.244] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626412/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_25; classtype:trojan-activity; sid:91626412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9f.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3t.5u5vbu6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amber.fenod.online"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1626405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626405; rev:1;)
# Payload-delivery domains with differing left-most labels: every rule is an exact-name match
# (depth = content length, isdataat:!1,relative, nocase), so a label not listed here raises no
# alert even when its parent domain appears in another rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ak.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ba.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4nz.xf7-27.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o4.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g6k2.5u5vbu6.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626400; rev:1;)
# IP:port indicators for several families. Each rule fires on any TCP packet from $HOME_NET to the
# listed address and port and is limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [62.60.131.249] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626399; rev:1;)
# NOTE(review): Meterpreter is also used in sanctioned penetration tests; check hits against
# authorized engagements before escalating.
alert tcp $HOME_NET any -> [54.205.208.230] 22322 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626397; rev:1;)
alert tcp $HOME_NET any -> [45.14.246.128] 5555 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626398; rev:1;)
alert tcp $HOME_NET any -> [43.229.150.111] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626396; rev:1;)
alert tcp $HOME_NET any -> [159.223.50.225] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626395; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.173] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1626394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626394; rev:1;)
# Remote-access-tool C2 endpoints by address and port. The family name appears only in msg; the
# rules themselves contain no protocol or payload check that would confirm the family.
alert tcp $HOME_NET any -> [54.179.178.191] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626392; rev:1;)
alert tcp $HOME_NET any -> [69.197.183.159] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626393; rev:1;)
alert tcp $HOME_NET any -> [34.29.218.146] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626391; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626390; rev:1;)
alert tcp $HOME_NET any -> [31.57.97.136] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626389; rev:1;)
alert tcp $HOME_NET any -> [145.241.249.54] 8443 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626388; rev:1;)
# NOTE(review): Sliver and Cobalt Strike (named in msg strings on this line) are also used by
# sanctioned red teams; check hits against authorized engagements before escalating.
# All rules here match destination address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [195.246.230.161] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626386; rev:1;)
alert tcp $HOME_NET any -> [182.255.46.151] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626387; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626385; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.229] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626384; rev:1;)
alert tcp $HOME_NET any -> [1.94.53.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626383/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_25; classtype:trojan-activity; sid:91626383; rev:1;)
# Exact-name dns matches (depth = content length, isdataat:!1,relative, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rg.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8ce.xf7-27.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aw.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626380; rev:1;)
# From here the feed drops to confidence_level 50 while keeping classtype trojan-activity, so the
# alert classification alone does not show the lower confidence; read the metadata field and
# corroborate before acting. Short names such as "segy.cc" match only as the complete query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"segy.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626377/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"segy.cc"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626378/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"segy2.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626379/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626379; rev:1;)
# confidence_level 50 botnet-C2 domains: exact-name matches. Treat a hit as a lead to corroborate
# (resolver logs, endpoint telemetry) rather than as confirmed compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"segy.zip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626376/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"modgovindia.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626374/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"newforsomething.rest"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626375/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626375; rev:1;)
# Back to confidence_level 100 payload-delivery names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3um.xf7-27.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w.5u5vbu6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yn.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626371; rev:1;)
# The remaining rules on this line are confidence_level 50; corroborate hits before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"joiner.best"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626370/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626370; rev:1;)
# Destination address and high port only; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.212] 45283 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626369/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626369; rev:1;)
# NOTE(review): gl.at.ply.gg and portmap.host look like shared tunnelling-service zones (verify);
# the exact-name anchoring keeps each rule to the single listed host, not the whole zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"final-highlight.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626368/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cofof37797-42209.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626367/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; 
sid:91626367; rev:1;)
# All rules on this line are confidence_level 50.
# NOTE(review): duckdns.org is presumably a dynamic-DNS zone shared by many users (verify); only
# the exact listed name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mirainetvbot.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626366/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626366; rev:1;)
# http rule: GET from the client on an established flow; URI is a start-anchored, case-insensitive
# prefix ("/panel/fre.php" plus anything after it), host must equal the listed value exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/fre.php"; depth:14; nocase; http.host; content:"doupfate.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626365/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626365; rev:1;)
# Two of the DCRat entries share one address on different ports; each is its own rule and sid, and
# the per-source alert limit applies to each rule separately.
alert tcp $HOME_NET any -> [188.64.133.147] 24419 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626362/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626362; rev:1;)
alert tcp $HOME_NET any -> [188.64.133.147] 8828 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626363/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626363; rev:1;)
alert tcp $HOME_NET any -> [213.176.79.35] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626364/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 50%)"; dns_query; content:"customers-commander.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626357/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626357; rev:1;)
# confidence_level 50 names that differ only in the left-most label under gl.at.ply.gg and
# portmap.host. NOTE(review): these look like shared tunnelling-service zones (verify). Each rule
# matches one exact host name, so the feed needs a new rule for every new label.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"law-necklace.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626358/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"message-their.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626359/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"perfect-shut.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626360/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qiuehwefu-62319.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626361/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cards-latin.gl.at.ply.gg"; 
depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626356/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626356; rev:1;)
# All rules on this line are confidence_level 50.
alert tcp $HOME_NET any -> [73.125.85.148] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626355/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"assettocorsamain.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626354; rev:1;)
# The host is a general-purpose paste site, so only the URI prefix makes this rule specific.
# nocase also accepts other letter-casings of the path, and nothing anchors the end of the URI.
# NOTE(review): as an `alert http` rule this sees only requests Suricata can parse as HTTP;
# traffic to this host over TLS needs decryption upstream of the sensor to be matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/qphtbsru"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626353; rev:1;)
# URI content is "/" with depth:1, which every URI starting with "/" satisfies; in effect this
# alerts on any GET whose Host equals the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5d8fd57c-62b0-48f1-b595-796cb6b6e7f4.server4.nisdably.com"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626351/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ww25.5d8fd57c-62b0-48f1-b595-796cb6b6e7f4.server2.ninhaine.com"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626352/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0wr.xf7-27.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.browse-health-insurance-plans.unitedhealthcare-group.uhc-com.vision-solution.top"; depth:84; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626349/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huc/"; depth:5; nocase; http.host; content:"reddesignandprint.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626348/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"154.36.184.35"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626347/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_25; classtype:trojan-activity; sid:91626347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0z1.5u5vbu6.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fx.plx5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b8q.5u5vbu6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9lp.xf7-27.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9y.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g1tb.xf7-27.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4.5u5vbu6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"40.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626339; rev:1;) alert tcp $HOME_NET any -> [103.86.44.18] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leetaka1337.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"fogueteiro.webhop.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626337; rev:1;) alert tcp $HOME_NET any -> [188.215.31.4] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626335; rev:1;) alert tcp $HOME_NET any -> [23.160.168.167] 4122 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4w.9i3mpa6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qv5a.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bf.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626331/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"20.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m6dx.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3v9.9i3mpa6.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c6.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6d.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j2yr.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ry.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.9i3mpa6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1c.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t8kc.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fm.ziqa.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7m.9i3mpa6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kj.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d8.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626316; rev:1;) alert tcp $HOME_NET any -> [23.22.39.162] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626315; rev:1;)
# ip:port C2 indicators, all confidence_level 100. Each rule matches on
# destination address and port alone (no content keywords, no flow state), so
# the first packet a $HOME_NET host sends there is enough to trigger it.
# threshold limits output to one alert per source address per 60 seconds.
# target:src_ip marks the internal source as the alert target. The malware
# family appears only in msg, and first_seen is the only date in the rule, so
# it is the field to use when expiring addresses that may have been
# reassigned.
alert tcp $HOME_NET any -> [196.75.76.28] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626314; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.135] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626313; rev:1;)
# Port 8080 is also widely used by ordinary web and proxy services, so the
# destination address carries all of the signal in this rule.
alert tcp $HOME_NET any -> [173.212.216.226] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626312; rev:1;)
# Three consecutive addresses (182.16.11.155 to .157) share port 8088 and the
# same family label; each has its own sid and ThreatFox reference.
alert tcp $HOME_NET any -> [182.16.11.156] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626311; rev:1;)
alert tcp $HOME_NET any -> [182.16.11.155] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626309; rev:1;)
alert tcp $HOME_NET any -> [182.16.11.157] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1626310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626310; rev:1;) alert tcp $HOME_NET any -> [37.72.168.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626308; rev:1;) alert tcp $HOME_NET any -> [196.251.116.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626307; rev:1;) alert tcp $HOME_NET any -> [178.16.54.184] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4wq.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626305; rev:1;) alert tcp $HOME_NET any -> [35.220.199.172] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626304; rev:1;) alert tcp $HOME_NET any -> [143.198.158.122] 
443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626302; rev:1;) alert tcp $HOME_NET any -> [46.224.19.128] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626303; rev:1;) alert tcp $HOME_NET any -> [186.169.57.143] 5061 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626301; rev:1;) alert tcp $HOME_NET any -> [47.121.135.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kz1.9i3mpa6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s4.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626298/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5q.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pz7h.xb1-60.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yf.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2.9i3mpa6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626293; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u1jd.fv0-93.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2p.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"11.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ck4v.fv0-93.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"03.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vz8.4a7vci9.ru"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oe.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5qzn.fv0-93.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"90.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jd5.fv0-93.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; 
classtype:trojan-activity; sid:91626282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ue.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7p2.4a7vci9.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"07.plx5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w3ta.fv0-93.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.4a7vci9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"oz.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8gk.fv0-93.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sw.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6b.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7p.meqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k4.4a7vci9.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626271; rev:1;)
# Domain rules: `depth` equals the length of `content` and `isdataat:!1,relative`
# requires the dns_query buffer to end right after it, so each rule fires only on
# a query for exactly that name (`nocase` makes the comparison case-insensitive).
# A query for a deeper subdomain, or for the parent domain alone, does not match.
# Each sid is "9" followed by the ThreatFox IOC id shown in the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0p.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n7xs.cdn-6-38.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ke.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q3x.4a7vci9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kl.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mc.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0la.cdn-6-38.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4hz.cdn-6-38.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626262; rev:1;)
# ip:port rule: there is no flow, flags or payload keyword, so any TCP packet from
# $HOME_NET to this address and port matches; the threshold caps output at one
# alert per source address per 60 seconds. `first_seen` is the only age
# indicator in the rule, so an old entry may point at a since-reassigned address.
alert tcp $HOME_NET any -> [8.210.134.138] 5858 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aa.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d9.4a7vci9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v8.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w5en.cdn-6-38.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz3.1e2u2a0.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626255/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626255; rev:1;)
# Domain rule: depth + isdataat:!1,relative pin the whole dns_query buffer, so
# only a query for exactly this name (any letter case) raises the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ik.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626254; rev:1;)
# ip:port rules: matched on destination address and port alone (no flow, flags
# or payload keyword), so a bare connection attempt is enough to alert. The
# malware family appears only in `msg`; the traffic itself is not inspected.
# `threshold ... type limit ... count 1` emits at most one alert per source
# address per 60 seconds, so alert counts understate the number of connections.
alert tcp $HOME_NET any -> [128.0.118.72] 8090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626253; rev:1;)
alert tcp $HOME_NET any -> [79.133.46.74] 65432 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626252; rev:1;)
alert tcp $HOME_NET any -> [144.172.98.81] 911 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626251; rev:1;)
alert tcp $HOME_NET any -> [151.245.54.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_25; classtype:trojan-activity; sid:91626250; rev:1;)
# Domain rules (first_seen changes to 2025_10_24 from here on): exact-name match
# only, so a sibling host under the same registered domain needs its own rule —
# several registered domains below do appear with more than one host label.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y3tb.cdn-6-38.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6u.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r6mp.cdn-3-29.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dm.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kq0x.cdn-3-29.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3v.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i5.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0x8.1e2u2a0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f7du.cdn-3-29.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"et.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9c3.cdn-3-29.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626238; rev:1;)
# URL rule: the http.uri content is pinned to offset 0 by `depth:53` but has no
# end-of-buffer check, so any GET whose URI starts with this path matches (a
# query string after it is allowed). http.host must equal the name exactly
# (depth + isdataat:!1,relative). `flow:established,from_client` limits it to
# client requests on an established session. The rule needs parsed HTTP, so a
# request carried inside TLS the sensor does not decrypt will not trigger it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videopipesecuregeoprocessorserverbasetestprivate.php"; depth:53; nocase; http.host; content:"725822cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626237; rev:1;)
# Domain rules: `depth` equals the content length and `isdataat:!1,relative`
# forbids trailing bytes, so the dns_query buffer must be exactly this name
# (case-insensitive). These use the legacy `dns_query` keyword, while the URL
# rule above uses dotted sticky buffers (`http.uri`, `http.host`).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cu.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2wl.cdn-3-29.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b5.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.1e2u2a0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3kp.cdn-2-45.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"78.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bm.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zx2a.cdn-2-45.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mr.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0.1e2u2a0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vb.plx5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626211; rev:1;)
# ip:port rule on 443: the match is on destination address and port only; there
# is no TLS, SNI or payload condition, so every TCP packet from $HOME_NET to
# this endpoint qualifies and the threshold keeps it to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [94.103.1.38] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g3.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; 
classtype:trojan-activity; sid:91626209; rev:1;)
# Domain rules: the dns_query buffer must be exactly the quoted name (depth =
# content length, isdataat:!1,relative = nothing after it, nocase = any letter
# case). `target:src_ip` marks the querying $HOME_NET host as the target in
# alert output, i.e. the internal machine is treated as the affected asset.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4rs.cdn-2-45.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7p1.1e2u2a0.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5m.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n9.1e2u2a0.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t9fe.cdn-2-45.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bq6.cdn-2-45.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8m.6e5a5u3.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d0.meqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fz.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626199; rev:1;)
# NOTE(review): the next two rules carry confidence_level 75 (in both `msg` and
# `metadata`), lower than the 100 on the surrounding entries; the action and
# classtype are the same, so the only way to triage them differently is to
# filter on that metadata field. The ip:port rule matches on address and port
# alone, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [82.146.49.236] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626198/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"console.ctrlx-redops.ca"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626197/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"te.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tide.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l00p.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626193; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"17.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626192; rev:1;)
# Domain rules: exact, case-insensitive match on the full query name (depth =
# content length plus isdataat:!1,relative). The `msg` label ("payload delivery"
# or "botnet C2 traffic") is the only thing that distinguishes the two groups;
# action, classtype and match logic are identical.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lg.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snow.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"55.ziqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626189; rev:1;)
# Because the match is on the exact name, the bare-domain rules below do not
# cover a "www." or other host label on the same domain, and the "www." rule
# does not cover its bare domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameli-vitale-guadeloupe.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paketzustellungen.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.colis-suspendu-2025.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"banking.bankaustria.at.dswcontracting.work"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626185; rev:1;)
# ip:port rules: destination address and port are the whole condition (no flow,
# flags, TLS or payload keyword), so the family named in `msg` is attribution
# from the feed, not something the rule verifies on the wire. Three of these
# target port 443, where the rule cannot tell one TLS service on that address
# from another. Output is limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [182.16.11.154] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626184; rev:1;)
alert tcp $HOME_NET any -> [88.210.12.133] 789 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626183; rev:1;)
alert tcp $HOME_NET any -> [85.23.147.237] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626182; rev:1;)
alert tcp $HOME_NET any -> [43.134.38.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626181; rev:1;)
alert tcp $HOME_NET any -> [95.9.236.210] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626180; rev:1;)
alert tcp $HOME_NET any -> [47.105.117.197] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626179; rev:1;)
alert tcp $HOME_NET any -> [20.162.8.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626178; rev:1;)
alert tcp $HOME_NET any -> [91.132.162.78] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626177; rev:1;)
alert tcp $HOME_NET any -> [172.94.122.69] 8810 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626176; rev:1;)
# Domain rules: `depth` equals the content length and `isdataat:!1,relative`
# requires the dns_query buffer to end there, so only a query for exactly the
# quoted name matches (`nocase`: any letter case). The rules alert on the
# lookup itself; whether the host went on to connect is not part of the match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vq.zi-qa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s6.yjor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0me.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kr.xvo4.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cg.xer-o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4k.x-vo4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5eed.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dd.vuln5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k.6e5a5u3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unmeonj.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamelik.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"road.qytan.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wx.twy0.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lc.twy-0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626161; rev:1;)
# NOTE(review): ip:port rules with confidence_level 75. They match on
# destination address and port alone (no flow, flags or payload keyword) and
# use the same action and classtype as the confidence-100 rules, so separating
# them in triage has to be done on the metadata field. One alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [45.11.228.74] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626160/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626160; rev:1;)
alert tcp $HOME_NET any -> [23.95.117.252] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626159/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626159; rev:1;)
# NOTE(review): ip:port rules with confidence_level 75. The whole condition is
# destination address plus port; two of the three are port 443, where nothing
# in the rule separates the flagged service from any other TLS endpoint on that
# address. The threshold emits one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [195.85.115.70] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626158/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626158; rev:1;)
alert tcp $HOME_NET any -> [18.60.109.225] 591 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626157/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626157; rev:1;)
alert tcp $HOME_NET any -> [174.129.49.245] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626156/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626156; rev:1;)
# Domain rules: exact, case-insensitive match on the full query name (depth =
# content length, isdataat:!1,relative = nothing may follow). A lookup of a
# different host label under the same registered domain is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l1me.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2w.8y5o8a8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2.t4mox.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz.su4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626152; rev:1;)
# ip:port rule (confidence_level 100): address and port only, rate-limited to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [196.119.246.134] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wave.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"br.su-4n.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lj.slaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0ld.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4n.8y5o8a8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626146; rev:1;)
# URL rule: the http.uri content "/api" is pinned to offset 0 by `depth:4` with
# no end-of-buffer check, so every GET to this host whose URI begins with
# "/api" matches (e.g. longer paths sharing that prefix); the discriminating
# part is http.host, which must equal the name exactly. Needs parsed HTTP on an
# established client-to-server flow, so requests inside undecrypted TLS are
# not seen by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unmeonj.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626145; rev:1;)
# ip:port rules: destination address and port only; one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [31.57.219.207] 9619 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626144; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 33663 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626143/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_24; classtype:trojan-activity; sid:91626143; rev:1;) alert tcp $HOME_NET any -> [31.57.219.207] 4169 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626142; rev:1;) alert tcp $HOME_NET any -> [45.81.113.184] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fg.rvox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hg.r8li.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1ft.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"dp.plx5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2w.plx-5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leaf.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"91.njur.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0k3.8y5o8a8.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vz.n-jur.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626132/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c00l.mab7o.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ss.meqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pk.m7lo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qz8.8y5o8a8.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xg.loxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qi.ko-lu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.8y5o8a8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"89.jeqr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fine.0zvel.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"something0x.at"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626119; rev:1;) alert tcp $HOME_NET any -> [62.60.131.230] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1626118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.multas-impagas2025.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626117; rev:1;) alert tcp $HOME_NET any -> [181.162.187.123] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626116; rev:1;) alert tcp $HOME_NET any -> [154.36.184.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626115; rev:1;) alert tcp $HOME_NET any -> [172.94.3.201] 5812 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626114; rev:1;) alert tcp $HOME_NET any -> [101.126.153.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626113; rev:1;) alert tcp $HOME_NET any -> 
[140.143.194.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c3.g-lim.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626111; rev:1;) alert tcp $HOME_NET any -> [78.47.238.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.technicalprorj.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.orca-trade.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"gor.orca-trade.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.technicalprorj.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0ld.0zvel.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dn.b2-ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"32.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rope.0zvel.online"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1v.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ze.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1w.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5tar.0zvel.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626096/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_24; classtype:trojan-activity; sid:91626096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"openjsc.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"openjsc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"openjsc.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"openjsc.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fawe"; depth:5; nocase; http.host; content:"askislam.ca"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32dhxy.zip"; depth:11; nocase; http.host; content:"plavomore.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1626080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plavomore.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626081; rev:1;) alert tcp $HOME_NET any -> [5.181.156.197] 1203 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sc.b2ra.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0pe.0zvel.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0k.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4p.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4n.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; 
classtype:trojan-activity; sid:91626089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind.0zvel.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d7.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lake.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iz.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nq.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"5x.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i1se.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8y.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zp.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626072; rev:1;) alert tcp $HOME_NET any -> [79.112.34.246] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626071/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6s.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626070/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"46.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626069; rev:1;) alert tcp $HOME_NET any -> [196.251.69.115] 62025 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2c.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r00m.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4v.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626065; rev:1;) alert tcp $HOME_NET any -> 
[23.95.117.247] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91626064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1h.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1de.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626062; rev:1;) alert tcp $HOME_NET any -> [217.72.204.227] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626061; rev:1;) alert tcp $HOME_NET any -> [20.218.149.195] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626060; rev:1;) alert tcp $HOME_NET any -> [196.75.237.81] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1626059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626059; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port matches;
# nothing in the payload is checked. One alert per source per 60 s (threshold type limit).
alert tcp $HOME_NET any -> [182.16.11.158] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626058; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.177] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626057; rev:1;)
# Port 443: the match is on address and port only, so any other service reachable on this
# address:443 alerts as well; check first_seen against the hit date when triaging.
alert tcp $HOME_NET any -> [205.198.65.130] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626056; rev:1;)
alert tcp $HOME_NET any -> [191.235.242.43] 1024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626055; rev:1;)
# Domain rule: exact, case-insensitive match on the DNS query name (depth 11 = name length,
# isdataat:!1,relative = nothing follows); a lookup of a subdomain does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbj2025.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"abril04.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626052; rev:1;)
# C2 domain rules: each matches one full hostname exactly (depth = name length,
# isdataat:!1,relative = end of buffer, nocase). The parent zones here (e.g. duckdns.org)
# are shared by unrelated users, which is why only the listed host label is matched.
# The sensor must see the DNS query itself; it says nothing about whether a connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metmanagermandatesxxxxme.duckdns.org"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plentymattersub.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pradaguccimaneto.freeddns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"choose-cited.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"manythingsilove.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626049; rev:1;)
# C2 domain rules: dns_query + depth:<name length> + isdataat:!1,relative is an exact match
# on the full hostname (case-insensitive). Only the listed host label alerts; other hosts
# under the same parent zone (ply.gg, portmap.host) are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"person-pencil.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undetected123-42839.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m1dn1ght-32162.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626046; rev:1;)
# ip:port rule on port 80: matches on address and port alone (no http keywords), so every
# TCP packet from $HOME_NET to this address:80 qualifies; limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [140.143.194.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nr.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626043; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the DNS query name
# (depth = name length, isdataat:!1,relative = nothing after it).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bark.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626041; rev:1;)
# ip:port rules: header-only detection (address + port, no payload check), one alert per
# source per 60 s.
alert tcp $HOME_NET any -> [87.251.67.85] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626006; rev:1;)
alert tcp $HOME_NET any -> [139.224.135.193] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626007; rev:1;)
# msg names no family ("Unknown malware"); the reference URL is the only context the rule
# carries for triage.
alert tcp $HOME_NET any -> [69.51.241.155] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626008; rev:1;)
alert tcp $HOME_NET any -> 
[217.211.133.65] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626009; rev:1;)
# ip:port rules with no family in msg ("Unknown malware"): each alerts on any TCP packet
# from $HOME_NET to the address and port, capped at one alert per source per 60 s.
# With no payload condition, a hit shows contact with the address, not what was exchanged.
alert tcp $HOME_NET any -> [77.244.231.31] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626010; rev:1;)
alert tcp $HOME_NET any -> [210.100.224.190] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626011; rev:1;)
alert tcp $HOME_NET any -> [23.94.83.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626013; rev:1;)
alert tcp $HOME_NET any -> [13.53.72.24] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626014; rev:1;)
alert tcp $HOME_NET any -> [212.85.27.110] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1626015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626015; rev:1;)
# ip:port rules on 443/8443 with no family in msg: the match is the destination address and
# port only, so TLS content, SNI and certificate are not examined. If the address is
# reassigned after first_seen, unrelated traffic to it will alert; one alert per source per 60 s.
alert tcp $HOME_NET any -> [18.222.82.160] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626017; rev:1;)
alert tcp $HOME_NET any -> [52.79.165.82] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626016; rev:1;)
alert tcp $HOME_NET any -> [54.169.83.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626018; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moon.rjofi.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"77.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626039; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mesh.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626038; rev:1;)
# Payload-delivery domains, one rule per hostname. depth:<name length> with
# isdataat:!1,relative makes each an exact match, so a new host label under the same
# parent (several labels share treqz.online here) needs its own rule to be detected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ua.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c0re.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z6.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gum.dor8y.online"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626033; rev:1;)
# Payload-delivery domains: each rule matches one DNS query name exactly and
# case-insensitively; target:src_ip marks the querying $HOME_NET host as the affected side.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ny.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gem.dor8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1se.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dr.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626029; rev:1;)
alert tcp $HOME_NET any -> [8.136.1.42] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626028/; target:src_ip; metadata: confidence_level 75, first_seen 
2025_10_24; classtype:trojan-activity; sid:91626028; rev:1;)
# ip:port rule at confidence_level 75: address + port is the entire condition, one alert
# per source per 60 s. Corroborate a hit with host or proxy telemetry before acting on it.
alert tcp $HOME_NET any -> [114.67.243.235] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626027/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626027; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the DNS query name
# (depth = name length, isdataat:!1,relative = buffer ends after the name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fj.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gl0w.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"far.dor8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"py.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"kz.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626022; rev:1;)
# Payload-delivery domains: one exact-match rule per hostname (dns_query, depth = name
# length, isdataat:!1,relative, nocase). The rules see only DNS the sensor can parse, so
# lookups sent through an encrypted resolver would not reach them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0a.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mint.treqz.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ea.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wiider.syc0aq8uy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cj.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1626005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626005; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the DNS query name; a
# subdomain of a listed name does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0v.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ie.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626003; rev:1;)
# ip:port rule at confidence_level 75: any TCP packet from $HOME_NET to this address and
# port matches; the threshold emits at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [196.251.73.187] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1626002/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91626002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sm1ie.syc0aq8uy1.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jz.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1626000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91626000; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elm.dor8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625998; rev:1;)
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625994/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leaf0.syc0aq8uy1.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625992; rev:1;) alert tcp $HOME_NET any -> [154.9.235.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625978/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625978; rev:1;) alert tcp $HOME_NET any -> [103.44.90.93] 8120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625979/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625979; rev:1;) alert tcp $HOME_NET any -> [144.126.151.64] 555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625980/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625980; rev:1;) alert tcp $HOME_NET any -> [103.48.133.115] 8120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625981/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625981; rev:1;) alert tcp $HOME_NET any -> [61.166.154.109] 12399 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625982/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625982; rev:1;) alert tcp $HOME_NET any -> [39.97.37.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625983/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625983; rev:1;) alert tcp $HOME_NET any -> [103.39.19.250] 10030 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625984/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625984; rev:1;) alert tcp $HOME_NET any -> [156.234.94.61] 10030 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625985/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625985; rev:1;) alert tcp $HOME_NET any -> [5.181.181.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625987/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625987; rev:1;) alert tcp $HOME_NET any -> [103.39.19.236] 10030 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625986/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625986; rev:1;) alert tcp $HOME_NET any -> [196.251.118.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625988/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625988; rev:1;) alert tcp $HOME_NET any -> [1.94.215.88] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625989/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625989; rev:1;) alert tcp $HOME_NET any -> [101.126.85.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625990/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ear.dor8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; 
classtype:trojan-activity; sid:91625991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"giass5.syc0aq8uy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8b.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waveo.syc0aq8uy1.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625974; rev:1;) alert tcp $HOME_NET any -> [54.220.22.245] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625973/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625973; rev:1;) alert tcp $HOME_NET any -> [45.59.114.14] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625972/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625972; rev:1;) alert tcp $HOME_NET any -> [23.27.123.63] 2455 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625971/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6z.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"princess-mens-club.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"princess-mens.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"bsnowcommunications.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625964/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"lapas.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"zoomconference.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"goodhillsenterprise.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"aerobionix.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"zoomconference.app"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625969; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"user-highly.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625961; rev:1;)
# IP:port indicator: matches on destination address and port alone (no payload
# or flow keyword); the threshold limits it to one alert per source host per
# 60 seconds.
alert tcp $HOME_NET any -> [107.175.246.23] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625960; rev:1;)
# Hostname indicators at confidence level 50, matched against dns_query.
# NOTE(review): the parent domains look like shared dynamic-DNS or
# port-forwarding services (presumably used by many unrelated customers;
# verify). The exact-name anchoring is what keeps these rules narrow: depth
# equals the name length and isdataat:!1,relative forbids trailing bytes, so
# only the listed hostname alerts, never the parent domain or a sibling host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mpannukwummadunawaoo.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"asdfasfasdf3-42172.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lopezsierra20.casacam.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625957; rev:1;)
alert tcp $HOME_NET any -> [78.151.104.143] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625954; rev:1;) alert tcp $HOME_NET any -> [78.151.104.143] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625955; rev:1;) alert tcp $HOME_NET any -> [78.151.104.143] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kingspy.freemyip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loganwolverin2027.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fatisabi.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625951/; target:src_ip; metadata: confidence_level 50, 
first_seen 2025_10_24; classtype:trojan-activity; sid:91625951; rev:1;)
# URL indicators rendered as HTTP rules. flow:established,from_client limits
# them to client requests on established sessions, and the http.method buffer
# must contain GET. For the next three rules the URI test is content:"/" with
# depth:1, which only requires the URI buffer to begin with "/", so the
# detection rests on the http.host match: depth equals the host length and
# isdataat:!1,relative (it follows the host content, so it applies to that
# buffer) requires the host to end there. The nocase in these rules modifies
# the preceding URI content; the host pattern is written in lowercase.
# NOTE(review): these rules inspect requests parsed as HTTP only; presumably
# traffic to the same hosts over TLS is not covered by them. Confirm that
# DNS or TLS-based coverage exists for these names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"c46ad61e-137f-4726-8068-89ea6faa468d.server4.nisdably.com"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625950/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tt2.sorahub.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625948/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jinbaobao055.xin"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625949/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625949; rev:1;)
# Same template with a specific path: the URI must begin with
# /galilery/index.php (depth:19, nocase) but is not end-anchored, so a query
# string or longer path after that prefix still matches. The host here is an
# IP literal, matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/galilery/index.php"; depth:19; nocase; http.host; content:"66.129.66.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625947/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"minibox.dennyding.vip"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625946/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tjs.easy-dotnet.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625945/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mycago.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625944/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"limintr.ejoy-tech.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625943/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yyj567.lllkoov.top"; depth:18; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1625941/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"beeing.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625942/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_24; classtype:trojan-activity; sid:91625942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l5.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xj.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sil3nt.syc0aq8uy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dot.dor8y.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625937/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gb.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"green1.syc0aq8uy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pn.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625934; rev:1;) alert tcp $HOME_NET any -> [54.178.98.33] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625933; rev:1;) alert tcp $HOME_NET any -> [141.136.47.171] 8000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625932; rev:1;) alert tcp $HOME_NET any -> [213.209.143.41] 80 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pagomulta2025.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"formulaire-mondialrelay-pro.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"entrepots-colis-2025.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625930; rev:1;) alert tcp $HOME_NET any -> [91.92.240.66] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625927; rev:1;) alert tcp $HOME_NET any -> [209.38.92.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1625925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625925; rev:1;) alert tcp $HOME_NET any -> [170.64.173.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625926; rev:1;) alert tcp $HOME_NET any -> [91.92.242.3] 39888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625924; rev:1;) alert tcp $HOME_NET any -> [45.134.26.69] 443 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625923/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625923; rev:1;) alert tcp $HOME_NET any -> [172.86.90.58] 80 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625922/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625922; rev:1;) alert tcp $HOME_NET any -> [172.86.90.58] 443 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625921/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625921; rev:1;) alert tcp $HOME_NET any -> [170.130.165.201] 443 (msg:"ThreatFox CASTLELOADER 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625919/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625919; rev:1;) alert tcp $HOME_NET any -> [170.130.165.201] 80 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625920/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625920; rev:1;) alert tcp $HOME_NET any -> [107.158.128.26] 443 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625917/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625917; rev:1;) alert tcp $HOME_NET any -> [107.158.128.26] 80 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625918/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neverlandstop.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chickaboom.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625915/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625915; rev:1;)
# IP:port indicators on port 443: the rules match destination address and port
# only, with no payload or flow keywords, and the threshold emits at most one
# alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [46.62.232.45] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625913; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.202] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625914; rev:1;)
# The two hostnames below are each published twice, once as a DNS-query rule
# and once as an HTTP Host rule (the HTTP rule for stg.mistonecorp.net begins
# at the end of this span). A host that resolves the name and then requests it
# over HTTP raises both SIDs, so correlate on source address instead of
# counting them as independent detections.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stg.server24x.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stg.mistonecorp.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625912; rev:1;)
# HTTP form of the first hostname: any GET whose URI begins with "/" and whose
# Host is exactly stg.server24x.com (depth:17 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stg.server24x.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625909; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stg.mistonecorp.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625910; rev:1;) alert tcp $HOME_NET any -> [5.252.178.162] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625908; rev:1;) alert tcp $HOME_NET any -> [206.237.12.183] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investor.veranofund.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estate.verano.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"cpanel.paquetesparaorlando.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625675; rev:1;)
# IP:port indicator: address and port only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [159.203.131.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625737; rev:1;)
# Exact-name DNS indicator: depth equals the name length and
# isdataat:!1,relative forbids trailing bytes in the dns_query buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"configure.visionsflorida.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625676; rev:1;)
# URL indicator (payload delivery, confidence level 75): GET requests to the
# exact host 137.184.112.170 whose URI begins with /perl. The URI content is
# anchored at the start by depth:5 but not at the end, so longer paths that
# share the /perl prefix match as well; nocase applies to the URI content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/perl"; depth:5; nocase; http.host; content:"137.184.112.170"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625682/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625682; rev:1;)
# IP:port indicator on a high port; same address-and-port-only template.
alert tcp $HOME_NET any -> [195.96.129.161] 39691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625722; rev:1;)
# NOTE(review): 172.67.146.22 in the next rule appears to sit in CDN or
# reverse-proxy address space that many unrelated sites can share; confirm
# ownership before treating a hit as conclusive. The rule has no payload
# condition and is published at confidence level 75.
alert tcp $HOME_NET any -> [172.67.146.22] 8080 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625735/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_24; classtype:trojan-activity; sid:91625735; rev:1;) alert tcp $HOME_NET any -> [43.201.115.211] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625736/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_24; classtype:trojan-activity; sid:91625736; rev:1;) alert tcp $HOME_NET any -> [57.128.16.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625738; rev:1;) alert tcp $HOME_NET any -> [34.244.112.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625739; rev:1;) alert tcp $HOME_NET any -> [65.0.231.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625740; rev:1;) alert tcp $HOME_NET any -> [51.77.148.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; 
sid:91625741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demo.halfmoonboulder.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625887; rev:1;) alert tcp $HOME_NET any -> [88.210.12.133] 67 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elumadns.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elumadns.eluma101.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625904; rev:1;) alert tcp $HOME_NET any -> [45.64.246.155] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625899; rev:1;) alert tcp $HOME_NET any -> [45.64.246.155] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625900; rev:1;) alert tcp $HOME_NET any -> [45.64.246.155] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625901; rev:1;) alert tcp $HOME_NET any -> [103.86.47.130] 73 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625902; rev:1;) alert tcp $HOME_NET any -> [103.86.47.130] 288 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coorpfree9.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"la-supreme.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; 
classtype:trojan-activity; sid:91625897; rev:1;)
# --- ThreatFox ip:port indicators ---
# Header-only rules: they match on destination address and port alone, with no
# flow: or content keyword, so an alert shows that a $HOME_NET host sent TCP
# traffic towards the listed endpoint, not that a C2 session was established.
# threshold (type limit, track by_src, seconds 60, count 1) keeps each rule to
# one alert per source address per minute.
# target:src_ip marks the internal host as the affected side of the event.
# sid is the ThreatFox IOC id from the reference URL with a leading 9, so an
# alert maps back to threatfox.abuse.ch/ioc/<id>/.
# The family name in msg is the feed's label; nothing in the rule verifies it.
# NOTE(review): address-based indicators go stale when hosting is reassigned,
# and several rules here use port 80 or 443 - presumably these should be aged
# out by first_seen and corroborated with flow or endpoint data; confirm locally.
alert tcp $HOME_NET any -> [216.250.252.224] 33500 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625896; rev:1;)
alert tcp $HOME_NET any -> [62.60.131.250] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625895; rev:1;)
alert tcp $HOME_NET any -> [98.89.19.248] 18246 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625894; rev:1;)
alert tcp $HOME_NET any -> [195.3.223.146] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625893; rev:1;)
alert tcp $HOME_NET any -> [213.218.234.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625892; rev:1;)
alert tcp $HOME_NET any -> [124.198.132.84] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625891; rev:1;)
alert tcp $HOME_NET any -> [85.17.67.54] 7705 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625890; rev:1;)
alert tcp $HOME_NET any -> [103.86.47.130] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625889; rev:1;)
alert tcp $HOME_NET any -> [184.105.237.196] 5001 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625888; rev:1;)
alert tcp $HOME_NET any -> [197.60.201.21] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625886; rev:1;)
alert tcp $HOME_NET any -> [167.172.73.118] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625885; rev:1;)
alert tcp $HOME_NET any -> [16.62.169.89] 2082 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625884; rev:1;)
alert tcp $HOME_NET any -> [167.71.122.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625883; rev:1;)
alert tcp $HOME_NET any -> [18.158.218.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625882; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.56] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_24; classtype:trojan-activity; sid:91625881; rev:1;)
alert tcp $HOME_NET any -> [185.247.117.229] 7082 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625742; rev:1;)
# Confidence 75 entry: same classtype as the 100% rules; the level is only
# visible in msg and in the metadata key.
alert tcp $HOME_NET any -> [175.178.225.121] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625734/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625734; rev:1;)
# --- ThreatFox domain indicators ---
# dns_query with depth equal to the name length plus isdataat:!1,relative
# matches the queried name exactly (nocase); subdomains of a listed name do
# not fire these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khamyp.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servgkp.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indef.locker"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canonjo.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cypridy.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refowdr.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625728; rev:1;)
# --- ThreatFox domain indicators ---
# dns_query content is anchored at the start by depth (equal to the name
# length) and at the end by isdataat:!1,relative, so only a query for exactly
# the listed name alerts (nocase). target:src_ip marks the querying host.
# NOTE(review): where $HOME_NET clients use an internal resolver, the source
# of the matched query is presumably the resolver rather than the infected
# host - confirm sensor placement or correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scratfx.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denihwc.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sternbg.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625731; rev:1;)
# --- ThreatFox ip:port indicators ---
# No flow: or content keyword: these alert on TCP traffic from $HOME_NET to
# the listed address and port, limited by threshold to one alert per source
# per 60 seconds. An alert therefore records contact with (or an attempt to
# reach) the endpoint; the family named in msg is the feed's label only.
alert tcp $HOME_NET any -> [217.156.66.6] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625724; rev:1;)
alert tcp $HOME_NET any -> [217.156.66.74] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625723; rev:1;)
# Payload-delivery domains use the same exact-name dns_query match as the
# botnet C2 domains; only the msg text differs.
# NOTE(review): several names share the parent sys7yn0iy5.ru; because matching
# is exact, unlisted sibling hostnames under that parent are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"peace7.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sn.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"light0.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wn.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625718; rev:1;)
# The same address is listed twice below with different ports; each ip:port
# pair is its own IOC and sid, with its own per-source threshold.
alert tcp $HOME_NET any -> [18.234.223.80] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625716; rev:1;)
alert tcp $HOME_NET any -> [18.234.223.80] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625717; rev:1;)
alert tcp $HOME_NET any -> [195.230.23.72] 8085 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remote2.dmg-tech.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625714; rev:1;)
alert tcp $HOME_NET any -> [40.177.84.3] 8090 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625713; rev:1;)
alert tcp $HOME_NET any -> [81.27.99.93] 445 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625712; rev:1;)
alert tcp $HOME_NET any -> [146.235.38.234] 8060 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.ricountyassoc.store"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csp.newmmaintenanhomes.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625708; rev:1;)
alert tcp $HOME_NET any -> [64.227.130.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625709; rev:1;)
alert tcp $HOME_NET any -> [178.62.105.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office.othersepoxfrontier-win.cloud"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625704/; target:src_ip; metadata: confidence_level 100, first_seen
2025_10_23; classtype:trojan-activity; sid:91625704; rev:1;)
# --- ThreatFox domain indicators (botnet C2) ---
# Exact-name match on the DNS query: depth equals the length of the listed
# name and isdataat:!1,relative forbids trailing bytes; nocase makes the
# comparison case-insensitive.
# NOTE(review): several names share a parent (othersepoxfrontier-win.cloud
# appears twice below); sibling hostnames that are not listed will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"id.grcuc.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msfed.othersepoxfrontier-win.cloud"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sci.ricountyassoc.store"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"id.othersepoxfrontier-win.cloud"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.optumseragamaglas-ouns.cloud"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sziget.dupsiteszta.hu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625700; rev:1;)
# --- ThreatFox ip:port indicators ---
# Destination address and port only; no payload or flow state is checked.
# threshold limits each rule to one alert per source address per 60 seconds.
# sid is the IOC id from the reference URL with a leading 9.
# NOTE(review): an alert here shows traffic towards the endpoint, not a
# completed session; presumably triage should check flow records for an
# established connection before treating the host as compromised.
alert tcp $HOME_NET any -> [196.251.118.36] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625699; rev:1;)
alert tcp $HOME_NET any -> [192.109.138.97] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625698; rev:1;)
alert tcp $HOME_NET any -> [3.142.81.166] 16993 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625697; rev:1;)
alert tcp $HOME_NET any -> [194.14.217.23] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625696; rev:1;)
alert tcp $HOME_NET any -> [196.251.66.6] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625695; rev:1;)
alert tcp $HOME_NET any -> [109.205.211.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625694; rev:1;)
# Confidence 75 entry: identical rule shape and classtype; only msg and the
# metadata confidence_level key distinguish it from the 100% rules.
alert tcp $HOME_NET any -> [45.74.19.28] 4500 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625693/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625693; rev:1;)
# --- ThreatFox domain indicators (payload delivery) ---
# Same exact-name dns_query match as the C2 domains above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"storm1.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8w.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cioud6.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2o.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dreams.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w2.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bay.k4tem.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gg.3druv.ru"; depth:11;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625684; rev:1;)
# --- ThreatFox domain indicators (payload delivery) ---
# dns_query is matched against the full listed name: depth equals the name
# length and isdataat:!1,relative rejects anything longer, so only that exact
# hostname alerts (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"power5.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5n.kaq51.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"96.j8ro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625680; rev:1;)
# --- ThreatFox ip:port indicators ---
# Address-and-port rules with no flow: or content keyword; threshold limits
# each to one alert per source address per 60 seconds.
# Most of the ip:port rules in this group carry confidence_level 75. They use
# the same classtype as the 100% rules, so the level is visible only in msg
# and in the metadata key.
# NOTE(review): if lower-confidence indicators need separate handling,
# presumably that has to key on metadata confidence_level (or on the sids)
# rather than on classtype - confirm against the local alert pipeline.
alert tcp $HOME_NET any -> [77.40.160.49] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625679/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"truth3.sys7yn0iy5.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625678; rev:1;)
alert tcp $HOME_NET any -> [52.205.114.165] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625677/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vm.hyk5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625674; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.90] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625673/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625673; rev:1;)
alert tcp $HOME_NET any -> [182.242.50.12] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625672/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625672; rev:1;)
alert tcp $HOME_NET any -> [176.120.17.181] 80 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625670/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625670; rev:1;)
alert tcp $HOME_NET any -> [154.214.53.55] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625668/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625668; rev:1;)
alert tcp $HOME_NET any -> [154.12.22.191] 7666 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625667/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625667; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.112] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625666/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625666; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 42172 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1y.fe-k2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rl.d5en.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ash.k4tem.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2.d5-en.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2.b2ra.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625660; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.48] 444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625659; rev:1;)
# --- ThreatFox url indicator ---
# GET requests on established client-to-server flows. http.host is matched
# exactly (depth plus isdataat:!1,relative); http.uri is anchored only at the
# start (depth:4, no isdataat), so any URI beginning with "/api" on this host
# alerts. There is no threshold on this rule, so every matching request alerts.
# NOTE(review): this inspects cleartext HTTP only; TLS traffic to the same
# host would presumably be seen only by a domain rule for that name - confirm
# one is loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"denihwc.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"trial-ask.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625657; rev:1;)
# --- ThreatFox domain indicators (botnet C2) ---
# Exact-name dns_query match: depth equals the name length and
# isdataat:!1,relative rejects longer names; nocase ignores case.
# NOTE(review): the *.gl.at.ply.gg names look like per-tenant hostnames under
# a shared parent domain; the exact-name match keeps other hostnames under
# that parent out of scope, so these should presumably not be widened to the
# parent - verify before tuning.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"available-screw.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"restaurants-hold.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625654; rev:1;)
# ip:port indicator: destination address and port only, one alert per source
# address per 60 seconds; no payload or flow state is checked.
alert tcp $HOME_NET any -> [178.233.65.115] 5552 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625655; rev:1;)
# --- ThreatFox domain indicators (payload delivery) ---
# Same exact-name match as above. sid is the IOC id from the reference URL
# with a leading 9, which maps an alert back to threatfox.abuse.ch/ioc/<id>/.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0i.a-zon.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ace.k4tem.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6.3druv.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xi.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"op.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"body.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fa.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ma.fenod.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boat.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pe.vakun.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polysies.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625630; rev:1;)
# --- ThreatFox url indicators (payload delivery) ---
# GET requests on established client-to-server flows. http.host must equal
# the listed host (depth plus isdataat:!1,relative); http.uri is anchored
# only at the start by depth, so a longer URI with the listed prefix also
# matches. These rules have no threshold, so each matching request alerts.
# NOTE(review): cleartext HTTP only. polysies.com and powerbrokermagazine.com
# also have dns rules in this group; orthodoxlynchburg.com has no dns rule
# among the rules visible here, so TLS traffic to it would presumably go
# unseen - confirm against the full ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"polysies.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"polysies.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yigw"; depth:5; nocase; http.host; content:"orthodoxlynchburg.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josmzn.zip"; depth:11; nocase; http.host; content:"powerbrokermagazine.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powerbrokermagazine.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625635; rev:1;)
alert tcp $HOME_NET any -> [5.252.177.8] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625636/; target:src_ip; metadata:
confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"polysies.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmfd8ejds/index.php"; depth:20; nocase; http.host; content:"logrecovery.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lorraineyeung.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625609/; target:src_ip; metadata: confidence_level 95, first_seen 2025_10_23; classtype:trojan-activity; sid:91625609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"slequip.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625610/; target:src_ip; metadata: confidence_level 95, first_seen 2025_10_23; classtype:trojan-activity; sid:91625610; rev:1;) alert tcp $HOME_NET any -> [103.73.66.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625643/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maelootp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625642/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ax.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blue.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"no.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oy.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625638/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"es.fenod.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bear.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ha.vakun.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625626; rev:1;) alert tcp $HOME_NET any -> [185.47.253.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allenkeith.newmmaintenanhomes.online"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625623; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.tonescapesccbnv.live"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.clc2.cl"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.tonescapesccbnv.live"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office.newmmaintenanhomes.online"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equityprods.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"ow.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"base.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"so.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"et.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"strongo.res4ev7oy1.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bank.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625613/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pi.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625612; rev:1;) alert tcp $HOME_NET any -> [45.137.22.237] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ne.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sieep4.res4ev7oy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"band.vsmu9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625606; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iu.server24x.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iu.mistonecorp.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625605; rev:1;) alert tcp $HOME_NET any -> [5.75.222.151] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625603; rev:1;) alert tcp $HOME_NET any -> [135.181.91.59] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"iu.server24x.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"iu.mistonecorp.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wo.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oh.fenod.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbnormadasolkuidfsa.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharpekolasdomeyko.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"biaze7.res4ev7oy1.ru"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"te.vakun.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gukolinanyamannoklo.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625593; rev:1;) alert tcp $HOME_NET any -> [51.68.140.123] 8081 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625592; rev:1;) alert tcp $HOME_NET any -> [15.228.101.13] 2080 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"id.newmmaintenanhomes.online"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625589/; target:src_ip; metadata: confidence_level 
100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-cdn.newmmaintenanhomes.online"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.newmmaintenanhomes.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-cdn.tonescapesccbnv.live"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.newmmaintenanhomes.online"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-login-cdn.tonescapesccbnv.live"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; 
classtype:trojan-activity; sid:91625585; rev:1;) alert tcp $HOME_NET any -> [196.251.118.109] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625584; rev:1;) alert tcp $HOME_NET any -> [86.54.24.30] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625583; rev:1;) alert tcp $HOME_NET any -> [115.120.18.59] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625582; rev:1;) alert tcp $HOME_NET any -> [200.149.179.129] 21728 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625581; rev:1;) alert tcp $HOME_NET any -> [91.92.240.50] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625580; rev:1;) alert tcp $HOME_NET any -> [216.218.135.118] 7771 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1625579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"ip-5-199-166-102.003.ptr.cherryservers.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625578/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clear1.res4ev7oy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hb9.9z2503.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"um.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625574; rev:1;) alert tcp $HOME_NET any -> [144.208.127.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1625475/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_23; classtype:trojan-activity; sid:91625475; rev:1;) alert tcp $HOME_NET any -> [115.120.18.59] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625476/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_23; classtype:trojan-activity; sid:91625476; rev:1;) alert tcp $HOME_NET any -> [18.158.218.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625477; rev:1;) alert tcp $HOME_NET any -> [191.8.234.185] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625478; rev:1;) alert tcp $HOME_NET any -> [8.213.45.219] 51766 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625479; rev:1;) alert tcp $HOME_NET any -> [34.135.223.7] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625480; rev:1;) alert tcp $HOME_NET any -> [34.236.147.68] 8089 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625483; rev:1;) alert tcp $HOME_NET any -> [18.139.84.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625487; rev:1;) alert tcp $HOME_NET any -> [18.136.58.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625489; rev:1;) alert tcp $HOME_NET any -> [209.151.151.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625490; rev:1;) alert tcp $HOME_NET any -> [13.126.193.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625491; rev:1;) alert tcp $HOME_NET any -> [62.210.163.140] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625492/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625492; rev:1;) alert tcp $HOME_NET any -> [79.137.248.131] 2087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadow5.res4ev7oy1.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ba.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.y.mistonecorp.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"t.y.mistonecorp.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; 
classtype:trojan-activity; sid:91625570; rev:1;) alert tcp $HOME_NET any -> [43.155.8.141] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625569/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625569; rev:1;) alert tcp $HOME_NET any -> [43.154.227.203] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625568/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625568; rev:1;) alert tcp $HOME_NET any -> [37.59.127.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625567/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.furykris.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625566/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"namemic.icu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625565/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"evil.ritademo.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625564/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"na.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"night0.res4ev7oy1.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ar.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1x.9z2503.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ox.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625559/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625559; rev:1;)
# Domain IOCs, matched against the DNS query name. depth equals the pattern
# length and isdataat:!1,relative requires the buffer to end right after the
# pattern, so only the exact name matches (nocase makes it case-insensitive).
# Other names under the same parent zone are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7.9z2503.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aw.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625557; rev:1;)
# The parent zone of this name is a shared dynamic-DNS service; keep the match
# exact (as written) rather than widening it to the parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"favorali.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625556; rev:1;)
# IP:port IOC. The rule carries no flow, flags or content keywords, so any TCP
# packet from $HOME_NET to this address and port matches; threshold limits the
# output to one alert per source address per 60 seconds. Addresses get
# reassigned after first_seen, so check the referenced ThreatFox entry before
# treating a hit on an old rule as current.
alert tcp $HOME_NET any -> [157.10.157.130] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625555; rev:1;)
# NOTE(review): the pattern matched in http.uri is a host name with no leading
# "/", anchored to the start of the buffer by depth:22, and the rule has no
# http.host match (the other url rules in this feed put the host in http.host
# and a path in http.uri). A request URI normally begins with "/", so this rule
# may never fire as written - confirm against the IOC at the reference URL and
# test with a pcap before counting on it for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.geraldine-crai.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1625554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625554; rev:1;)
# The next three rules name the same address (44.223.6.99) on three ports. Each
# sid is thresholded on its own, so one host can raise up to three alerts per
# minute for this address - group by destination address when triaging.
alert tcp $HOME_NET any -> [44.223.6.99] 5485 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625552; rev:1;)
alert tcp $HOME_NET any -> [44.223.6.99] 7335 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625553; rev:1;)
alert tcp $HOME_NET any -> [44.223.6.99] 135 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625551; rev:1;)
alert tcp $HOME_NET any -> [168.245.200.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625550; rev:1;)
alert tcp $HOME_NET any -> [43.156.17.19] 88 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625549; rev:1;)
alert tcp $HOME_NET any -> [77.237.246.243] 8443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1625548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625548; rev:1;) alert tcp $HOME_NET any -> [102.117.161.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625547; rev:1;) alert tcp $HOME_NET any -> [45.83.89.134] 50542 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625546; rev:1;) alert tcp $HOME_NET any -> [186.169.57.143] 5060 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625545; rev:1;) alert tcp $HOME_NET any -> [94.154.32.166] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metillacanduiuitmanagerman.duckdns.org"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625543; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"storms.tuful32io3.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"we.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8m2.9z2503.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625540; rev:1;)
# URL IOC with confidence_level 50 but the same classtype as the 100% rules, so
# it alerts at the same priority; filter on metadata confidence_level if lower
# confidence hits should be handled differently.
# http.uri content "/" with depth:1 matches any request path, so the rule is in
# effect "any GET whose http.host buffer is exactly this value". It relies on
# parsed HTTP: the same destination reached over TLS is not inspected by this
# rule, and a host given as an IP literal has no matching dns rule to fall back on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"39.98.204.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625539/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fiame2.tuful32io3.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625538; rev:1;)
# NOTE(review): sid 91625537 and sid 91625536 have identical match conditions
# (GET, uri starting with "/", host 91.92.240.66); only the reference and sid
# differ. One request fires both, so expect paired alerts and deduplicate
# downstream. What distinguished the two ThreatFox entries is not visible in the
# rules - presumably scheme, port or path; check the referenced IOC pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.240.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625537/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.240.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625536/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"109.120.152.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625534/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"62.60.246.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625535/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"109.120.152.54"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1625533/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xmg99.wxlmail.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625532/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"appleer.olivia999999.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625530/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xmg109.wxlmail.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625531/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ti.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625529; rev:1;) alert tcp $HOME_NET any -> [151.244.72.219] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alafair.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625525/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wereatwar.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625526/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bethschwier.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625527/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file1.bin"; depth:27; nocase; http.host; content:"www.bethschwier.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625521/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/service/download/file3.bin"; depth:27; nocase; http.host; content:"www.bethschwier.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625522/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/inter64.bin"; depth:29; nocase; http.host; content:"www.bethschwier.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625523/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file3.bin"; depth:27; nocase; http.host; content:"www.wereatwar.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625524/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_1.bin"; depth:28; nocase; http.host; content:"alafair.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625515/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_2.bin"; depth:28; nocase; http.host; 
content:"alafair.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625516/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file3.bin"; depth:27; nocase; http.host; content:"wereatwar.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625517/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_1.bin"; depth:28; nocase; http.host; content:"www.alafair.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625518/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_2.bin"; depth:28; nocase; http.host; content:"www.alafair.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625519/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/ac.bin"; depth:24; nocase; http.host; content:"www.bethschwier.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625520/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_1.bin"; depth:28; nocase; http.host; content:"107.158.128.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625508/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/save_2.bin"; depth:28; nocase; http.host; content:"107.158.128.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625509/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/ac.bin"; depth:24; nocase; http.host; content:"170.130.165.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625510/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file1.bin"; depth:27; nocase; http.host; content:"170.130.165.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625511/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625511; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file3.bin"; depth:27; nocase; http.host; content:"170.130.165.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625512/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/inter64.bin"; depth:29; nocase; http.host; content:"170.130.165.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625513/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service/download/file3.bin"; depth:27; nocase; http.host; content:"172.86.90.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625514/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y4.9z2503.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625507; rev:1;) alert tcp $HOME_NET any -> [43.156.59.110] 7070 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1625506/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625506; rev:1;) alert tcp $HOME_NET any -> [196.251.117.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625505/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625505; rev:1;) alert tcp $HOME_NET any -> [85.208.84.35] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625504/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fakeurl.htm"; depth:12; nocase; http.host; content:"85.208.84.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625503/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"welcomehomestyling.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625501/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zct3.wav"; depth:9; 
nocase; http.host; content:"rutadelcares.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625502/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"br1ght.tuful32io3.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"do.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vietrekking.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625496/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orxh9j6n"; depth:9; nocase; http.host; content:"be.lizqa.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625497/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.bin"; depth:8; nocase; http.host; content:"ios5.blackandark.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625498/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8x.6ck9465.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stoneo.tuful32io3.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625494; rev:1;)
# Six url rules for one host (khoancatbetong89.vn). The host is matched exactly
# (depth plus isdataat:!1,relative on http.host); the http.uri pattern is
# anchored at the start by depth but has no end anchor, so each one is a path
# prefix. sid 91625481 ("/zoom/") therefore also matches every longer /zoom/...
# path in this group, and sid 91625486 ("/zoom/iphone/") also matches
# /zoom/iphone/invite.php. A single request can raise two or three alerts -
# group by http.host and request when triaging rather than counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/iphone/invite.php"; depth:23; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625488/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/"; depth:6; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625481/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/invite.php"; depth:24; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625482/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/microsoft-store.php"; depth:33; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625484/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/download.php"; depth:26; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625485/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/iphone/"; depth:13; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625486/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smart1.tuful32io3.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/download.php"; depth:21; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625470/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iphone/"; depth:8; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625471/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iphone/invite.php"; depth:18; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625472/; 
target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625472; rev:1;)
# HTTP rules for www.zoomwebinviiite.com (all confidence_level 50).
# http.host is anchored at both ends: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so only this exact Host matches.
# The http.uri content has depth but no end anchor, so it is a prefix match.
# sid 91625467 uses the prefix "/" and so matches every GET to this host whose
# URI begins with "/". A request for /windows/invite.php raises 91625467 and
# 91625468 together; group alerts by host and flow when triaging instead of
# counting each sid as a separate event.
# These are `alert http` rules and need the HTTP parser to see the request.
# Traffic to the same host inside TLS is not covered unless it is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625467/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/invite.php"; depth:19; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625468/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/microsoft-store.php"; depth:28; nocase; http.host; content:"www.zoomwebinviiite.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625469/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625469; rev:1;)
# DNS rule for the same name: exact, case-insensitive match on the query
# (depth:23 + isdataat:!1,relative + nocase). Neither the bare parent domain
# nor any other subdomain fires this rule. It alerts on the lookup itself, so
# it can fire even when the follow-up connection is never seen by the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"www.zoomwebinviiite.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625466/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"qz7.6ck9465.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625465; rev:1;)
# DNS rules: each matches one exact query name (depth equals the name length,
# and isdataat:!1,relative forbids trailing bytes). Sibling names under the same
# parent domain are separate IOCs with their own sids.
# Direction is $HOME_NET -> $EXTERNAL_NET. If clients resolve through an
# internal recursive resolver, the matching packet is presumably the resolver's
# upstream query, and src_ip is then the resolver, not the originating host.
# Confirm against resolver query logs before attributing a hit to an endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y0kv.93i197934.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ut.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625463; rev:1;)
# sids 91625461 and 91625462 have identical match conditions (GET, URI prefix
# /cp/pages/login.php, Host inmylove.online) and the same confidence_level.
# They differ only in sid and ThreatFox reference id, so one request produces
# two alerts. Deduplicate on host + URI + flow in the alert pipeline, or keep
# one sid enabled, so counts are not doubled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp/pages/login.php"; depth:19; nocase; http.host; content:"inmylove.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625461/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp/pages/login.php"; depth:19; nocase; http.host; content:"inmylove.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625462/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625462; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"om.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.y.server24x.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"t.y.server24x.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ya.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sea0123.malaysiatiktok.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625456/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625456; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thenewflights.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625455/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.118.36"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625454/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frnd/pws/pvqdq929bsx_a_d_m1n_a.php"; depth:35; nocase; http.host; content:"sellea-ims.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625453/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w8jr.93i197934.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sh.vakun.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625451/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625451; rev:1;)
# sid 91625450 (confidence_level 100) has the same match conditions as
# sid 91625453 earlier in this file (confidence_level 50): GET, URI prefix
# /frnd/pws/pvqdq929bsx_a_d_m1n_a.php, Host sellea-ims.cfd. One request fires
# both. A pipeline that filters or scores on confidence_level should collapse
# the pair and keep the higher value, not treat the 50% alert as separate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frnd/pws/pvqdq929bsx_a_d_m1n_a.php"; depth:35; nocase; http.host; content:"sellea-ims.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625450; rev:1;)
# Exact-name DNS rules (depth equals the name length, and isdataat:!1,relative
# forbids trailing bytes). target:src_ip records the querying side as the
# affected host in the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1nx.93i197934.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625448; rev:1;)
# confidence_level 50 on a name several labels deep under ply.gg. The exact
# match means only this FQDN fires; other names under the same parent are not
# covered and are not implicated by a hit on this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"released-temple.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625447/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625447; rev:1;)
alert tcp $HOME_NET any -> [5.230.34.116] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625446/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625446; rev:1;)
# ip:port rules. The only match criteria are protocol tcp, source in $HOME_NET,
# and the listed destination address and port. There is no flow keyword and no
# payload or app-layer content, so any TCP packet to that endpoint can alert,
# including a connection attempt that never completes.
# The family name in msg (BianLian, Sliver, DeimosC2) comes from the feed entry
# and is not verified against the traffic.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source per 60 seconds for each sid. The alert count therefore says
# nothing about connection volume; use flow records for that.
# All rules here carry confidence_level 75 and a first_seen date. Addresses can
# be reassigned, which matters most on common ports such as 443 and 8080, so
# treat a hit as a lead to corroborate with flow/TLS/endpoint data and expire
# stale entries by first_seen.
# Only outbound traffic to the exact port matches; other ports on the same
# address and inbound connections from it are not covered.
alert tcp $HOME_NET any -> [23.132.164.48] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625445/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625445; rev:1;)
alert tcp $HOME_NET any -> [107.173.135.109] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625444/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625444; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.26] 30160 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625443/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625443; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.185] 30118 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625442/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625442; rev:1;)
alert tcp $HOME_NET any -> [104.206.234.108] 30244 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625441/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625441; rev:1;)
alert tcp $HOME_NET any -> [104.140.154.94] 30109 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625440/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625440; rev:1;) alert tcp $HOME_NET any -> [104.140.154.84] 30243 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625437/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625437; rev:1;) alert tcp $HOME_NET any -> [104.140.154.86] 30029 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625438/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625438; rev:1;) alert tcp $HOME_NET any -> [104.140.154.91] 30043 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625439/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625439; rev:1;) alert tcp $HOME_NET any -> [104.140.154.73] 30071 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625435/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625435; rev:1;) alert tcp $HOME_NET any -> [104.140.154.80] 30226 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625436/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625436; rev:1;) alert tcp $HOME_NET any -> 
[104.140.154.50] 30071 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625433/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625433; rev:1;) alert tcp $HOME_NET any -> [104.140.154.55] 30216 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625434/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625434; rev:1;) alert tcp $HOME_NET any -> [104.140.154.48] 30200 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625432/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625432; rev:1;) alert tcp $HOME_NET any -> [104.140.154.4] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625431/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625431; rev:1;) alert tcp $HOME_NET any -> [104.140.154.3] 30115 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625430/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625430; rev:1;) alert tcp $HOME_NET any -> [104.140.154.252] 30088 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625429/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625429; rev:1;) alert tcp $HOME_NET any -> [104.140.154.248] 30192 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625428/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625428; rev:1;) alert tcp $HOME_NET any -> [104.140.154.219] 30226 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625426/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625426; rev:1;) alert tcp $HOME_NET any -> [104.140.154.224] 30079 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625427/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625427; rev:1;) alert tcp $HOME_NET any -> [104.140.154.215] 30253 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625425/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625425; rev:1;) alert tcp $HOME_NET any -> [104.140.154.202] 30226 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625424/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625424; rev:1;) alert tcp $HOME_NET any -> [104.140.154.185] 30200 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625422/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625422; rev:1;) alert tcp $HOME_NET any -> [104.140.154.188] 30254 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625423/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625423; rev:1;) alert tcp $HOME_NET any -> [104.140.154.181] 30079 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625419/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625419; rev:1;) alert tcp $HOME_NET any -> [146.59.228.67] 1433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625420/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625420; rev:1;) alert tcp $HOME_NET any -> [104.140.154.181] 30092 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625421/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625421; rev:1;) alert tcp $HOME_NET any -> [104.140.154.142] 30084 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625418/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625418; rev:1;) alert tcp 
$HOME_NET any -> [104.140.154.129] 30219 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625416/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625416; rev:1;) alert tcp $HOME_NET any -> [104.140.154.132] 30136 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625417/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625417; rev:1;) alert tcp $HOME_NET any -> [104.140.154.123] 30029 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625414/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625414; rev:1;) alert tcp $HOME_NET any -> [104.140.154.127] 30200 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625415/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625415; rev:1;) alert tcp $HOME_NET any -> [104.140.154.116] 30216 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625410/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625410; rev:1;) alert tcp $HOME_NET any -> [104.140.154.12] 30253 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625411/; 
target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625411; rev:1;) alert tcp $HOME_NET any -> [104.140.154.120] 30170 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625412/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625412; rev:1;) alert tcp $HOME_NET any -> [104.140.154.120] 30200 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625413/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625413; rev:1;) alert tcp $HOME_NET any -> [104.140.154.112] 30043 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625407/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625407; rev:1;) alert tcp $HOME_NET any -> [104.140.154.112] 30219 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625408/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625408; rev:1;) alert tcp $HOME_NET any -> [104.140.154.113] 30005 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625409/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625409; rev:1;) alert tcp $HOME_NET any -> [104.140.154.102] 30226 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625406/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2jnpv5"; depth:7; nocase; http.host; content:"iplogger.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625405/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dc453f6a9f461a5bac946c.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625402/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pit.txt"; depth:8; nocase; http.host; content:"bnhar.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625403/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pitchometer.exe"; depth:16; nocase; http.host; content:"bnhar.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625404/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dc453f6a9f461a5bac946c.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625401/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sellea-ims.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625400/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625400; rev:1;) alert tcp $HOME_NET any -> [185.227.152.100] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625398; rev:1;) alert tcp $HOME_NET any -> [15.235.198.126] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625399; rev:1;) alert tcp $HOME_NET any -> [54.196.82.167] 2078 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; 
classtype:trojan-activity; sid:91625397; rev:1;)
# --- ip:port indicators (ThreatFox "botnet C2 traffic") ---
# Each tcp rule below matches on the destination address and port alone: there is
# no flow or content condition, so an alert records a connection attempt from
# $HOME_NET, not a confirmed C2 session. `threshold: type limit ... count 1` caps
# output at one alert per source address per 60 seconds. The malware family in msg
# and the confidence_level in metadata are ThreatFox's attribution; the sid is the
# IOC id from the reference URL prefixed with 9. target:src_ip marks the
# $HOME_NET side as the target in the alert record.
# Several destinations use ports 80/443/8080/8443. Address indicators go stale
# when an address is reassigned, so weigh first_seen before acting on a hit.
alert tcp $HOME_NET any -> [196.74.219.156] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625396; rev:1;)
alert tcp $HOME_NET any -> [188.166.234.70] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625395; rev:1;)
alert tcp $HOME_NET any -> [154.205.8.114] 7001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625394; rev:1;)
alert tcp $HOME_NET any -> [40.66.42.246] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625393; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625392; rev:1;)
alert tcp $HOME_NET any -> [62.60.131.7] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625391; rev:1;)
alert tcp $HOME_NET any -> [8.210.193.105] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625390; rev:1;)
alert tcp $HOME_NET any -> [216.128.136.39] 14443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625389; rev:1;)
alert tcp $HOME_NET any -> [185.235.137.135] 7712 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625388; rev:1;)
alert tcp $HOME_NET any -> [60.205.164.215] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625387; rev:1;)
alert tcp $HOME_NET any -> [8.152.100.230] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625385; rev:1;)
alert tcp $HOME_NET any -> [196.251.117.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625386; rev:1;)
alert tcp $HOME_NET any -> [156.244.44.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625383; rev:1;)
alert tcp $HOME_NET any -> [45.58.56.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625384; rev:1;)
# confidence_level 75 here, 100 on the rules above. classtype is identical for
# both, so triage has to read the metadata field (or msg) to tell them apart.
alert tcp $HOME_NET any -> [83.147.243.110] 1008 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625382/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625382; rev:1;)
# --- domain indicators ---
# dns_query content with depth equal to the name length plus isdataat:!1,relative
# is an exact, case-insensitive match on the whole query name; other hostnames
# under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thenewflights.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z4qe.49o103159.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625380/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625380; rev:1;)
# Three rule shapes alternate below; all carry ThreatFox's confidence_level in
# metadata and point back to the IOC record in reference:url.
#   alert dns  - exact, case-insensitive match on the full query name (depth equals
#                the name length and isdataat:!1,relative forbids trailing data),
#                so sibling hostnames under the same parent are not covered.
#   alert tcp  - destination address and port only, no flow or content condition;
#                limited to one alert per source per 60 seconds by the threshold.
#   alert http - GET requests whose URI starts with the given path and whose Host
#                equals the given name; visible only where the sensor sees HTTP in
#                clear text.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fe.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frnd/pws/fre.php"; depth:17; nocase; http.host; content:"sellea-ims.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3.6ck9465.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625377; rev:1;)
alert tcp $HOME_NET any -> [185.177.239.65] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ho.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625375; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.232] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9th.49o103159.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bo.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2fv.49o103159.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625371; rev:1;)
alert tcp $HOME_NET any -> [46.62.232.202] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625369; rev:1;)
# The next four rules cover two hostnames twice: once as a dns query and once as
# an http request. The http pair uses content:"/"; depth:1 for the URI, which any
# origin-form request satisfies, so those rules reduce to "GET to this exact
# Host". One client contact can therefore raise both a dns and an http alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.t.rizbegadget.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.t.memphis-eg.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a.t.rizbegadget.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a.t.memphis-eg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x3q.q-0-spi.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"35.212.217.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625363/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625363; rev:1;)
# Notes for the rules in this group:
# - The http rules pair the URI /jquery-3.3.2.slim.min.js with an IP-literal Host
#   at confidence_level 75, and msg names no malware family. The path looks like
#   an ordinary static-asset name, so the exact Host match (depth plus
#   isdataat:!1,relative) is what keeps these rules specific. They only see
#   requests sent as clear-text HTTP.
# - The dns rules match one full query name each. duckdns.org and bounceme.net are
#   dynamic-DNS parents shared by unrelated users; the parent domains themselves
#   are not indicators.
# - The tcp rules match destination address and port only (no flow or content
#   condition) and are limited to one alert per source per 60 seconds. Most in
#   this group are rated confidence_level 75, the Cobalt Strike ones 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network.spamhaussupport.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625362; rev:1;)
alert tcp $HOME_NET any -> [167.99.70.133] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625361/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miraiv5.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ef.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625359; rev:1;)
alert tcp $HOME_NET any -> [144.172.109.62] 69 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625358/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625358; rev:1;)
alert tcp $HOME_NET any -> [41.216.189.108] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625357/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"droby88.bounceme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625356; rev:1;)
alert tcp $HOME_NET any -> [43.138.15.154] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625353; rev:1;)
alert tcp $HOME_NET any -> [152.32.191.249] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625354; rev:1;)
alert tcp $HOME_NET any -> [101.132.148.165] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625355; rev:1;)
alert tcp $HOME_NET any -> [43.139.22.189] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aa.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"142.93.64.125"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625350/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"13.230.162.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625349/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625349; rev:1;)
alert tcp $HOME_NET any -> [103.83.87.91] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625348/; target:src_ip; metadata: confidence_level 75,
first_seen 2025_10_23; classtype:trojan-activity; sid:91625348; rev:1;)
# Mostly per-hostname DNS indicators. Each dns rule is an exact, case-insensitive
# match on the full query name: depth equals the name length and
# isdataat:!1,relative rejects anything after it. Sibling names are therefore
# separate IOCs (k2wr. and s0gx. under 31e854642.online each have their own rule),
# and an unlisted sibling does not alert.
# msg distinguishes "payload delivery" from "botnet C2 traffic"; classtype is
# trojan-activity for both, so use msg or metadata when prioritising.
# dns_query is the legacy spelling of the dns.query sticky buffer; the http rule in
# this group already uses the dotted names (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7bk.49o103159.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"da.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bratanchill.accessdennied.uk"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625345; rev:1;)
# tcp rules: destination address and port only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [196.251.80.211] 1995 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625344/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2wr.31e854642.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.q-0-spi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nu.fenod.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625341; rev:1;)
# http rule: GET, URI prefix match, exact Host (an IP literal here); it only sees
# requests sent as clear-text HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"175.178.17.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625340/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ed.trowy.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625339; rev:1;)
alert tcp $HOME_NET any -> [123.136.95.225] 1525 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625338/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0gx.31e854642.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625337; rev:1;)
alert tcp $HOME_NET any -> [176.65.134.16] 12199 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625336/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oi.vakun.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"am.jg7ra.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s15.csgo.co.pl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kets4eki.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625333/; target:src_ip; metadata:
confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625333; rev:1;)
# This group mixes confidence levels 100, 75 and 50. The level is ThreatFox's own
# rating and appears only in msg and metadata; classtype is trojan-activity
# throughout, so severity mapping that keys on classtype treats a 50% indicator
# the same as a 100% one.
# tcp rules match destination address and port only (no flow or content
# condition), one alert per source per 60 seconds. dns rules are exact,
# case-insensitive matches on the full query name.
alert tcp $HOME_NET any -> [196.251.72.121] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pradeepprabhu705.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625330; rev:1;)
# Same address on two adjacent ports: each port is its own IOC and sid.
alert tcp $HOME_NET any -> [203.202.232.87] 40409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625329/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625329; rev:1;)
alert tcp $HOME_NET any -> [203.202.232.87] 40408 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625328/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en.fenod.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625327; rev:1;)
# Names under trycloudflare.com, ply.gg, portmap.host and duckdns.org in this group
# belong to shared tunnelling / dynamic-DNS services. The rules match the listed
# full names only; the parent domains themselves are not indicators.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"restaurant-kids-working-naturally.trycloudflare.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5hl.31e854642.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625325; rev:1;)
alert tcp $HOME_NET any -> [158.69.214.127] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625324/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625324; rev:1;)
alert tcp $HOME_NET any -> [96.47.228.213] 3360 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625323/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hell.dedicated-coords.lol"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625322/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mo.uht3o.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625321; rev:1;)
# NOTE(review): sid 91625320 puts a 62-character .onion hostname in http.uri with
# depth:62 and has no http.host condition. A request URI normally starts with "/"
# (or a scheme, for proxy-style requests), so this content would have to sit at the
# very start of the URI buffer to match; as written the rule looks unlikely to
# fire. Confirm against the ThreatFox record before relying on it for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion"; depth:62; nocase; reference:url, threatfox.abuse.ch/ioc/1625320/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"receive-walter.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625319/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625319; rev:1;)
alert tcp $HOME_NET any -> [109.130.200.177] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625318/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xoilaczzzdz.tv"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625317/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"emily21314-21959.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625315/; target:src_ip;
metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625315; rev:1;)
# The http rules in this group are all rated confidence_level 50. Each requires an
# established client-to-server flow, method GET, a URI that starts with the given
# content, and a Host equal to the given value (depth plus isdataat:!1,relative).
# They inspect parsed HTTP, so they see nothing inside TLS unless it is decrypted
# ahead of the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loganwolverin2026.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625316/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625316; rev:1;)
# sid 91625314 targets one bot path on api.telegram.org, a legitimate shared
# service: the URI content is what makes the rule specific, and the Host alone is
# not an indicator. That API is normally reached over HTTPS, so this rule only
# sees the request where TLS is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8402070841:aahrl8fa0gxoflnkaww-sereimkpzxkh9xo/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625314/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625314; rev:1;)
# The six rules below use content:"/"; depth:1 for the URI, which any origin-form
# request satisfies, so they reduce to "GET to this exact Host". Four of the Host
# values are IP literals; at confidence_level 50 a hit is a lead to corroborate
# with other telemetry rather than a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"server13.ninhaine.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625312/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ww25.dfe03de9-5d5d-4ecc-9423-14b8f289583d.server1.ninhaine.com"; depth:62; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625313/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"154.31.221.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625311/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.73.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625310/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.73.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625309/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"196.251.118.109"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625308/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_23; classtype:trojan-activity; sid:91625308; rev:1;)
# dns rules: exact, case-insensitive match on the full query name; the tcp rule
# matches destination address and port only, one alert per source per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8md.31e854642.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625307; rev:1;)
alert tcp $HOME_NET any -> [61.147.247.41] 44442 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625306/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_23; classtype:trojan-activity; sid:91625306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"re.sne4p.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4n0.q-0-spi.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ag.lizqa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j3vp.31e854642.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mu.q0spi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i7b3x8r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e4r6k9l.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625299; rev:1;) alert tcp $HOME_NET any -> [178.16.55.254] 2079 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9cb.37i658094.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8t4s2w.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1625296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u5p1d7qg.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2mx.37i658094.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s5x8jq1.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g1l6m9p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l7x.q-0-spi.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; 
classtype:trojan-activity; sid:91625291; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g4ny.37i658094.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o2v9c4n.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625289; rev:1;)
# ip:port rules below carry no flow or content keyword: any TCP packet from
# $HOME_NET to the listed address and port matches, so an alert shows an
# attempt to reach the endpoint, not by itself an established C2 session.
# threshold keeps each rule to one alert per source per 60 s.
# NOTE(review): several destinations here use ports 443 or 80; such an address
# may also carry unrelated traffic or be reassigned later. Check first_seen and
# the ThreatFox reference before treating a hit as confirmed.
alert tcp $HOME_NET any -> [168.245.201.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625288; rev:1;)
alert tcp $HOME_NET any -> [70.34.214.70] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625287; rev:1;)
alert tcp $HOME_NET any -> [196.251.73.222] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625286; rev:1;)
alert tcp $HOME_NET any -> [138.124.101.157] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625285; rev:1;)
alert tcp $HOME_NET any -> [168.231.106.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625283; rev:1;)
alert tcp $HOME_NET any -> [98.87.192.90] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625284; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.210] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625282; rev:1;)
alert tcp $HOME_NET any -> [195.66.215.248] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625280; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.177] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625281; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.252] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625279; rev:1;)
alert tcp $HOME_NET any -> [201.78.45.51] 53282 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625278; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.57] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625277; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.59] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625276; rev:1;)
alert tcp $HOME_NET any -> [18.138.241.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1zt.37i658094.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1625274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625274; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so each rule fires only on a query for exactly the
# listed name (nocase makes it case-insensitive).
# Several names in this group sit under the same parent (30u241207.online,
# jg-7-ra.ru); the rules cover the listed hosts only.
# NOTE(review): presumably further hosts under those parents are related;
# verify against ThreatFox before searching DNS logs for the parent domains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3z2m8b.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w0f7n3ty.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9v3c2p.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6qw.37i658094.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3p9sle.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e2.q-0-spi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7h0g4s.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0jm.30u241207.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1d8g4hf.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0q.jg-7-ra.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k8jv1m2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7hv.30u241207.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p38md1r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y2sk.30u241207.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2z7r5k.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l8rd.30u241207.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4c6yx8.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hn3.jg-7-ra.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1pc.30u241207.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qw59f3d.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9.jg-7-ra.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625253; rev:1;)
alert dns $HOME_NET
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0rq.54o477354.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625252; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly the listed name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l2b9nzt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6bn.54o477354.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x9k4f2q.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625248; rev:1;)
# URL rule: requires an established client-to-server flow, an http.method
# match on "GET", a URI that begins with the listed path, and a Host value
# equal to the listed name (depth:17 plus isdataat:!1,relative).
# depth:54 anchors the path at the start of the URI and nocase relaxes its
# case; nothing anchors the end, so a request with a query string or a longer
# path still matches.
# NOTE(review): this rule inspects parsed HTTP only; presumably the same
# request inside TLS is not visible to it. Confirm for your sensor setup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videotopythonpacketlongpolllinuxflowergeneratorwp.php"; depth:54; nocase; http.host; content:"126821cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7t2.jg-7-ra.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3zy.54o477354.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1a.jg-7-ra.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9wt.54o477354.online";
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625242; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so each rule fires only on a query for exactly the
# listed name. Many names in this group share a parent (imm-yi.ru, ahz-ya.ru);
# hosts under those parents that are not listed here raise no alert.
# target:src_ip marks the querying $HOME_NET host as the alert target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0z.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u2kh.54o477354.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1.imm-yi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.imm-yi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f6.jg-7-ra.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bq.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625231; rev:1;)
# ip:port rule: no flow or content keyword, so any TCP packet from $HOME_NET
# to this address and port matches; threshold allows one alert per source
# per 60 s.
alert tcp $HOME_NET any -> [216.250.252.224] 31400 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w6qc.60e533569.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q0h.uht-3-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pc.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625226; rev:1;)
alert tcp $HOME_NET any -> [188.120.242.143] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count
1; reference:url, threatfox.abuse.ch/ioc/1625225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625225; rev:1;)
# The next two domain rules are tagged "botnet C2 traffic" rather than
# "payload delivery". Matching is exact on the full query name (depth equals
# the content length, isdataat:!1,relative forbids trailing bytes).
# NOTE(review): the host labels read like login/SSO endpoints; do not let the
# name alone pass as benign during triage. Confirm via the ThreatFox reference.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-login-cdn.kelvrion.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sp.authpoint.usa.kelvrion.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625223; rev:1;)
# ip:port rules: no flow or content keyword, so any TCP packet from $HOME_NET
# to the listed address and port matches; an alert shows an attempt to reach
# the endpoint, not by itself an established session. threshold allows one
# alert per source per 60 s.
alert tcp $HOME_NET any -> [34.29.67.102] 6001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625222; rev:1;)
alert tcp $HOME_NET any -> [195.3.223.146] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625221; rev:1;)
alert tcp $HOME_NET any -> [101.132.148.165] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625220; rev:1;)
# NOTE(review): destination port 443; the address may also carry unrelated
# traffic or be reassigned later. Check first_seen and the ThreatFox reference
# before treating a hit as confirmed.
alert tcp $HOME_NET any -> [118.89.81.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d0mu.60e533569.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_23; classtype:trojan-activity; sid:91625218; rev:1;)
# From here on first_seen is 2025_10_22.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.ahz-ya.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5x.uht-3-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.ahz-ya.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"y4np.60e533569.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625214; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so each rule fires only on a query for exactly the
# listed name. Several names share a parent (owp-oo.ru, uht-3-o.ru,
# 60e533569.online, 11u812580.online); unlisted hosts under those parents
# raise no alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0.owp-oo.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz.owp-oo.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625212; rev:1;)
# ip:port rules in this group: no flow or content keyword, so any TCP packet
# from $HOME_NET to the listed address and port matches; threshold allows one
# alert per source per 60 s. An alert shows an attempt to reach the endpoint,
# not by itself an established session.
alert tcp $HOME_NET any -> [114.66.27.112] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2.uht-3-o.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s1vr.60e533569.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625209; rev:1;)
alert tcp $HOME_NET any -> [103.83.86.61] 1720 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2.owp-oo.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625207; rev:1;)
alert tcp $HOME_NET any -> [103.83.86.27] 1212 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k7fx.60e533569.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4w3.uht-3-o.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q.owp-oo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y8n.uht-3-o.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e3pz.11u812580.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xt.owp-oo.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5.owp-oo.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625199; rev:1;)
alert tcp $HOME_NET any -> [103.86.47.226] 69 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u9q.sne-4-p.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9wl.11u812580.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.owp-oo.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.yxb-au.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q5ya.11u812580.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity;
sid:91625193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bw6.sne-4-p.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9.yxb-au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5.sne-4-p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.yxb-au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625189; rev:1;) alert tcp $HOME_NET any -> [196.251.83.67] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"x0dn.11u812580.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625187; rev:1;)
# Address-and-port rules labelled "Unknown malware": the msg names no family, so
# the reference URL is the only pointer to context for an analyst. None of them
# inspects payload; the destination address and port alone trigger the alert, and
# the threshold limits output to one alert per source per 60 seconds.
# NOTE(review): corroborate a hit with flow, TLS or endpoint telemetry before
# treating the source host as compromised; the rule cannot tell what was spoken
# on the connection.
alert tcp $HOME_NET any -> [5.252.177.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625185; rev:1;)
alert tcp $HOME_NET any -> [162.19.220.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625186; rev:1;)
alert tcp $HOME_NET any -> [18.188.87.169] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625183; rev:1;)
alert tcp $HOME_NET any -> [47.121.179.212] 6443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625184; rev:1;)
alert tcp $HOME_NET any -> [43.138.15.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625181/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_22; classtype:trojan-activity; sid:91625181; rev:1;) alert tcp $HOME_NET any -> [34.55.66.65] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625182; rev:1;) alert tcp $HOME_NET any -> [212.28.179.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625178; rev:1;) alert tcp $HOME_NET any -> [201.16.156.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625179; rev:1;) alert tcp $HOME_NET any -> [203.161.57.254] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625180; rev:1;) alert tcp $HOME_NET any -> [57.128.63.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625176; rev:1;) alert tcp $HOME_NET any -> [148.230.99.234] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625177; rev:1;) alert tcp $HOME_NET any -> [123.57.134.58] 10394 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625175; rev:1;) alert tcp $HOME_NET any -> [40.66.42.246] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allenkeith.mstoresabotaniud.site"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.othersepoxfrontier-win.cloud"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.mellor-engineering.cloud"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625172/; 
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loginii.kelvrion.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-cdn.mstoresabotaniud.site"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csp.mellor-engineering.cloud"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotfoods.grcuc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allenkeith.grcuc.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; 
classtype:trojan-activity; sid:91625167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loginii.optumseragamaglas-ouns.cloud"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-cdn.kelvrion.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usa.optumseragamaglas-ouns.cloud"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.mstoresabotaniud.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625162; rev:1;) alert tcp $HOME_NET any -> [196.251.118.36] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625161; rev:1;) alert tcp $HOME_NET any -> [156.67.29.114] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625160; rev:1;)
# Address-and-port rule on 445/tcp with confidence_level 90 (the feed's rating,
# repeated in msg and metadata). No payload keyword is present, so any TCP traffic
# from $HOME_NET to this address on port 445 matches.
# NOTE(review): where outbound 445 is filtered at the perimeter, a hit may also
# indicate a gap in egress policy; verify against firewall logs and sensor placement.
alert tcp $HOME_NET any -> [5.230.34.116] 445 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625159/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_22; classtype:trojan-activity; sid:91625159; rev:1;)
# Exact-FQDN DNS rules: depth equals the content length and isdataat:!1,relative
# requires the dns_query buffer to end after the match, so each rule covers one
# hostname only. The rules have no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.yxb-au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd.yxb-au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b6tj.11u812580.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.yxb-au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1625155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x0v4.sne-4-p.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.yxb-au.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v4sz.08u073852.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xq.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g8k1.08u073852.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; 
sid:91625150; rev:1;)
# Exact-FQDN DNS rules: content is anchored at the start (depth) and the end
# (isdataat:!1,relative) of the dns_query buffer, so only this hostname matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h7.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pv.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625147; rev:1;)
# Address-and-port rule on 53/tcp with confidence_level 75. It is an "alert tcp"
# rule with no DNS or payload keyword, so any TCP traffic from $HOME_NET to this
# address on port 53 matches, whatever is carried on the connection.
# NOTE(review): the lower confidence is the feed's own rating; corroborate hits
# with DNS and flow logs before escalating.
alert tcp $HOME_NET any -> [128.140.121.48] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625146/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625146; rev:1;)
# Exact-FQDN DNS rules, same shape as the y742au.ru rules above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2qm.08u073852.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"zt.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3yl.08u073852.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3.y742au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j2.sne-4-p.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625140; rev:1;) alert tcp $HOME_NET any -> [77.51.217.123] 5552 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e.y742au.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625138/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9w5.08u073852.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625137; rev:1;) alert tcp $HOME_NET any -> [45.88.186.184] 6090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9.i261au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625135; rev:1;) alert tcp $HOME_NET any -> [128.199.250.172] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625133; rev:1;) alert tcp $HOME_NET any -> [103.83.87.91] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625134; rev:1;) alert tcp $HOME_NET any -> [95.164.19.57] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625132; rev:1;)
# Address-and-port rules on 443/tcp. They use no TLS or payload keyword, so they
# cannot distinguish C2 from any other service reachable on the same address.
# NOTE(review): pair a hit with TLS metadata (SNI, certificate) or endpoint
# telemetry before attributing it to the family named in msg.
alert tcp $HOME_NET any -> [174.138.73.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625131; rev:1;)
alert tcp $HOME_NET any -> [43.139.115.146] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625130; rev:1;)
# Address-and-port rule on 81/tcp.
# NOTE(review): NetSupport Manager is also distributed as a commercial
# remote-administration product; this rule keys on one destination address, not
# on the tool's protocol, so it does not flag sanctioned use against other servers.
alert tcp $HOME_NET any -> [84.154.182.253] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625129; rev:1;)
# Exact-FQDN DNS rule: depth equals the content length and isdataat:!1,relative
# requires the dns_query buffer to end after the match; the parent domain and
# other hostnames under it are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.jamesriver-ins.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625127; rev:1;)
alert tcp $HOME_NET any -> [195.66.214.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625128/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_22; classtype:trojan-activity; sid:91625128; rev:1;) alert tcp $HOME_NET any -> [98.93.118.31] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625126; rev:1;) alert tcp $HOME_NET any -> [196.251.73.119] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625125; rev:1;) alert tcp $HOME_NET any -> [192.109.138.97] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625123; rev:1;) alert tcp $HOME_NET any -> [196.251.73.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625124; rev:1;) alert tcp $HOME_NET any -> [173.249.1.63] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625121; rev:1;) alert tcp $HOME_NET any -> [137.74.43.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625122; rev:1;) alert tcp $HOME_NET any -> [45.156.87.82] 1000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625120; rev:1;) alert tcp $HOME_NET any -> [85.9.196.238] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625119; rev:1;) alert tcp $HOME_NET any -> [107.173.135.109] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625118; rev:1;) alert tcp $HOME_NET any -> [119.91.41.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0uq.99y401874.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625116; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qb.i261au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625115; rev:1;)
# Exact-FQDN DNS rule: anchored at both ends of the dns_query buffer (depth plus
# isdataat:!1,relative), case-insensitive via nocase.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2.i261au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625114; rev:1;)
# The rules from here to the end of this line carry confidence_level 75, stated
# in both msg and metadata. classtype is the same trojan-activity used by the
# 100% rules, so the confidence value is the only field that separates them.
# NOTE(review): deployments that want these in a lower-severity queue need to
# key on the metadata (or msg) field; verify how the local pipeline exposes it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns.cs.endorsec.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625113/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625113; rev:1;)
# Address-and-port rules: no payload or app-layer keyword, one alert per source
# per 60 seconds through the threshold.
alert tcp $HOME_NET any -> [45.83.31.140] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625112/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625112; rev:1;)
alert tcp $HOME_NET any -> [45.59.114.14] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625111/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625111; rev:1;)
alert tcp $HOME_NET any -> [34.255.169.3] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1625110/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625110; rev:1;) alert tcp $HOME_NET any -> [196.251.118.109] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625109/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625109; rev:1;) alert tcp $HOME_NET any -> [185.72.8.137] 443 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625107/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625107; rev:1;) alert tcp $HOME_NET any -> [185.72.8.137] 7882 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625108/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625108; rev:1;) alert tcp $HOME_NET any -> [141.164.49.253] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625106/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625106; rev:1;) alert tcp $HOME_NET any -> [94.154.32.166] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"x.i261au.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7july-lithuania.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p-zinc.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cypridy.asia"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.js"; depth:6; nocase; http.host; content:"wpaii.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625092; rev:1;) alert tcp $HOME_NET any -> [104.143.46.74] 8848 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"given-delete.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supremogtarp.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625099; rev:1;) alert tcp $HOME_NET any -> [143.92.34.40] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fazoxxd-45223.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ball.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1625095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625095; rev:1;)
# Domain indicator: depth equals the pattern length and isdataat:!1,relative forbids trailing
# bytes, so only a query for exactly this name (any letter case) matches; subdomains do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pl.i261au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625093; rev:1;)
# ip:port indicators: no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold emits at most one alert per source per 60 seconds per rule.
# The two rules below share one address and differ only in port, family label and confidence.
alert tcp $HOME_NET any -> [192.52.242.147] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625091/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91625091; rev:1;)
alert tcp $HOME_NET any -> [192.52.242.147] 4448 (msg:"ThreatFox FireBird RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625090; rev:1;)
# URL indicators: GET on an established client-to-server flow, exact http.host match, and an
# http.uri prefix match (depth without isdataat).
# NOTE(review): where the URI pattern is just "/" with depth:1, every GET to that host matches,
# so the rule is effectively a host-level indicator rather than a single-URL one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"slequip.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624883/; target:src_ip; metadata: confidence_level 95, first_seen 2025_10_22; classtype:trojan-activity; sid:91624883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"xeljson.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625076; rev:1;)
# The same host appears below as a DNS indicator and in further URL rules; a single download can
# therefore raise both a dns and an http alert for the same internal source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xeljson.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"xeljson.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"xeljson.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soncu"; depth:6; nocase; http.host; content:"powerbrokermagazine.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsoming.zip"; depth:12; nocase; http.host; content:"stgeorgelight.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stgeorgelight.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625082; rev:1;)
# Port 443 ip:port rules: the match is on address and port only; no TLS fields are inspected.
alert tcp $HOME_NET any -> [5.181.156.153] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625083; rev:1;)
alert tcp $HOME_NET any -> [65.21.254.84] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625088; rev:1;)
alert tcp $HOME_NET any -> [78.46.244.27] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.x.rizbegadget.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.x.memphis-eg.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625087; rev:1;)
# The two URL rules below use the "/" prefix pattern: any GET to the listed host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"p.x.memphis-eg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"p.x.rizbegadget.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1625084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdp.dmg-tech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625075; rev:1;)
alert tcp $HOME_NET any -> [192.3.136.211] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625073; rev:1;)
# ip:port indicators: each rule matches any TCP packet from $HOME_NET to one address and port.
# There are no flow or payload keywords, so the rule does not confirm the protocol or the malware
# family named in msg. threshold emits at most one alert per source per 60 seconds per rule.
# target:src_ip marks the internal source as the affected side in alert output.
alert tcp $HOME_NET any -> [192.3.136.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625074; rev:1;)
alert tcp $HOME_NET any -> [101.132.148.165] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625072; rev:1;)
alert tcp $HOME_NET any -> [203.195.159.67] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625071; rev:1;)
# The Meterpreter entries that follow all carry confidence_level 50, the lowest value in this
# part of the feed, and several addresses recur with different ports.
# NOTE(review): an address-only match keeps alerting if the address is later reassigned; consider
# weighting these by the metadata confidence_level and first_seen, and check the ThreatFox
# reference before acting on a single hit.
alert tcp $HOME_NET any -> [3.99.171.89] 18188 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625070/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625070; rev:1;)
alert tcp $HOME_NET any -> [3.99.171.89] 788 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625069/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625069; rev:1;)
alert tcp $HOME_NET any -> [51.84.65.27] 51455 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625068/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625068; rev:1;)
alert tcp $HOME_NET any -> [51.84.65.27] 7905 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625067/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625067; rev:1;)
alert tcp $HOME_NET any -> [51.84.65.27] 6005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625066/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625066; rev:1;)
alert tcp $HOME_NET any -> [52.67.176.106] 59032 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625065/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625065; rev:1;)
alert tcp $HOME_NET any -> [52.67.176.106] 26932 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625064/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625064; rev:1;)
alert tcp $HOME_NET any -> [52.67.176.106] 2082 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625063/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625063; rev:1;)
alert tcp $HOME_NET any -> [52.67.176.106] 832 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625062/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625062; rev:1;)
alert tcp $HOME_NET any -> [52.58.149.105] 8636 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625061/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625061; rev:1;)
alert tcp $HOME_NET any -> [52.58.149.105] 2086 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625060/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625060; rev:1;)
alert tcp $HOME_NET any -> [13.115.245.30] 8010 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625059/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625059; rev:1;)
alert tcp $HOME_NET any -> [13.115.245.30] 5060 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625058/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625058; rev:1;)
alert tcp $HOME_NET any -> [16.28.31.88] 46296 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625057/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625057; rev:1;)
alert tcp $HOME_NET any -> [16.28.31.88] 2096 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625056/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625056; rev:1;)
alert tcp $HOME_NET any -> [13.247.55.242] 1961 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625055/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625055; rev:1;)
alert tcp $HOME_NET any -> [15.161.43.220] 771 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625054/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625054; rev:1;)
alert tcp $HOME_NET any -> [18.144.37.50] 2082 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625053/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625053; rev:1;)
alert tcp $HOME_NET any -> [3.107.155.61] 24090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625052/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625052; rev:1;)
alert tcp $HOME_NET any -> [3.107.155.61] 2290 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625051/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625051; rev:1;)
alert tcp $HOME_NET any -> [3.107.155.61] 790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625050/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625050; rev:1;)
alert tcp $HOME_NET any -> [13.208.241.199] 1488 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625049/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625049; rev:1;)
alert tcp $HOME_NET any -> [18.183.225.59] 6443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625048/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625048; rev:1;)
alert tcp $HOME_NET any -> [15.168.164.15] 9301 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625047/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625047; rev:1;)
alert tcp $HOME_NET any -> [15.168.164.15] 8001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625046/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625046; rev:1;)
alert tcp $HOME_NET any -> [15.168.164.15] 7001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625045/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625045; rev:1;)
alert tcp $HOME_NET any -> [15.168.164.15] 2701 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625044/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625044; rev:1;)
alert tcp $HOME_NET any -> [43.198.151.220] 18246 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625043/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625043; rev:1;)
alert tcp $HOME_NET any -> [43.198.151.220] 13446 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625042/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625042; rev:1;)
alert tcp $HOME_NET any -> [3.148.108.9] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625041/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625041; rev:1;)
alert tcp $HOME_NET any -> [13.211.236.25] 44819 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625040/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625040; rev:1;)
# ip:port indicators with confidence_level 50: each rule matches any TCP packet from $HOME_NET
# to one address and port. Nothing in the rule inspects flow state or payload, so a hit shows
# contact with the address, not the Meterpreter label in msg.
# threshold emits at most one alert per source per 60 seconds for each rule.
# NOTE(review): treat single hits as leads to corroborate (host telemetry, the ThreatFox
# reference) rather than confirmed compromise; address-only indicators can outlive their use.
alert tcp $HOME_NET any -> [13.211.236.25] 30469 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625039/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625039; rev:1;)
# Domain indicator (confidence_level 100): exact, case-insensitive match on the queried name
# (depth equals the pattern length; isdataat:!1,relative rejects any longer name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7hd.99y401874.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625037; rev:1;)
alert tcp $HOME_NET any -> [18.228.241.101] 17795 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625038/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625038; rev:1;)
alert tcp $HOME_NET any -> [43.210.9.192] 587 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625036/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625036; rev:1;)
alert tcp $HOME_NET any -> [3.28.187.161] 52200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625035/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625035; rev:1;)
alert tcp $HOME_NET any -> [3.28.187.161] 51200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625034/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625034; rev:1;)
alert tcp $HOME_NET any -> [3.28.187.161] 39350 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625033/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625033; rev:1;)
alert tcp $HOME_NET any -> [3.28.187.161] 10000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625032/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625032; rev:1;)
alert tcp $HOME_NET any -> [35.181.65.124] 8013 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625031/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625031; rev:1;)
alert tcp $HOME_NET any -> [15.168.12.65] 15898 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625030/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625030; rev:1;)
alert tcp $HOME_NET any -> [15.237.184.220] 46489 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625029/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625029; rev:1;)
alert tcp $HOME_NET any -> [15.237.184.220] 39089 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625028/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625028; rev:1;)
alert tcp $HOME_NET any -> [15.237.184.220] 789 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625027/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625027; rev:1;)
alert tcp $HOME_NET any -> [15.237.184.220] 389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625026/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625026; rev:1;)
alert tcp $HOME_NET any -> [18.227.21.138] 13220 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625025/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625025; rev:1;)
alert tcp $HOME_NET any -> [15.222.65.137] 55615 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625024/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625024; rev:1;)
alert tcp $HOME_NET any -> [15.222.65.137] 25565 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625023/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625023; rev:1;)
alert tcp $HOME_NET any -> [43.218.136.136] 33130 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625022/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625022; rev:1;)
alert tcp $HOME_NET any -> [43.218.136.136] 1080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625021/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625021; rev:1;)
alert tcp $HOME_NET any -> [54.74.236.68] 4839 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625020/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625020; rev:1;)
alert tcp $HOME_NET any -> [54.74.236.68] 3389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625019/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625019; rev:1;)
alert tcp $HOME_NET any -> [54.74.236.68] 789 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625018/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625018; rev:1;)
alert tcp $HOME_NET any -> [35.181.170.184] 32182 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625017/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625017; rev:1;)
alert tcp $HOME_NET any -> [15.157.63.21] 44819 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625016/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625016; rev:1;)
alert tcp $HOME_NET any -> [15.157.63.21] 4369 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625015/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625015; rev:1;)
alert tcp $HOME_NET any -> [13.115.68.182] 35070 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625014/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625014; rev:1;)
alert tcp $HOME_NET any -> [18.228.199.202] 102 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625013/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625013; rev:1;)
alert tcp $HOME_NET any -> [3.110.210.152] 48283 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625012/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625012; rev:1;)
alert tcp $HOME_NET any -> [3.110.210.152] 23833 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625011/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3.i261au.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1625010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91625010; rev:1;)
alert tcp $HOME_NET any -> [3.110.210.152] 833 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625009/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625009; rev:1;)
alert tcp $HOME_NET any -> [16.50.207.217] 16993 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625008/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625008; rev:1;)
alert tcp $HOME_NET any -> [3.29.126.242] 27932 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625007/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; 
classtype:trojan-activity; sid:91625007; rev:1;) alert tcp $HOME_NET any -> [13.245.75.176] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625006/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625006; rev:1;) alert tcp $HOME_NET any -> [15.223.51.74] 21413 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625005/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625005; rev:1;) alert tcp $HOME_NET any -> [16.26.180.148] 5671 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625004/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625004; rev:1;) alert tcp $HOME_NET any -> [35.179.107.68] 2380 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625003/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625003; rev:1;) alert tcp $HOME_NET any -> [35.179.107.68] 1080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625002/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625002; rev:1;) alert tcp $HOME_NET any -> [16.28.107.147] 8000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1625001/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625001; rev:1;) alert tcp $HOME_NET any -> [43.218.233.194] 20163 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1625000/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91625000; rev:1;) alert tcp $HOME_NET any -> [18.143.100.248] 8010 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624999/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624999; rev:1;) alert tcp $HOME_NET any -> [43.218.23.102] 147 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624998/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624998; rev:1;) alert tcp $HOME_NET any -> [43.201.147.72] 4839 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624997/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624997; rev:1;) alert tcp $HOME_NET any -> [16.79.103.217] 10000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624996/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624996; rev:1;) alert tcp $HOME_NET any -> [18.181.166.192] 58889 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624995/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624995; rev:1;) alert tcp $HOME_NET any -> [18.181.166.192] 33389 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624994/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624994; rev:1;) alert tcp $HOME_NET any -> [15.185.100.70] 48835 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624993/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624993; rev:1;) alert tcp $HOME_NET any -> [18.199.84.29] 7547 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624992/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624992; rev:1;) alert tcp $HOME_NET any -> [35.176.240.176] 51591 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624991/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624991; rev:1;) alert tcp $HOME_NET any -> [16.79.111.44] 4840 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624990/; target:src_ip; metadata: 
confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624990; rev:1;) alert tcp $HOME_NET any -> [3.28.40.103] 2079 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624989/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624989; rev:1;) alert tcp $HOME_NET any -> [18.119.142.209] 50060 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624988/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624988; rev:1;) alert tcp $HOME_NET any -> [18.119.142.209] 50010 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624987/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624987; rev:1;) alert tcp $HOME_NET any -> [18.119.142.209] 8010 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624986/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624986; rev:1;) alert tcp $HOME_NET any -> [51.21.220.112] 50580 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624985/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624985; rev:1;) alert tcp $HOME_NET any -> [3.28.46.212] 10261 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624984/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624984; rev:1;) alert tcp $HOME_NET any -> [108.136.142.118] 8880 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624983/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624983; rev:1;) alert tcp $HOME_NET any -> [108.136.142.118] 2380 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624982/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624982; rev:1;) alert tcp $HOME_NET any -> [18.117.72.169] 53282 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624981/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624981; rev:1;) alert tcp $HOME_NET any -> [16.50.42.150] 58075 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624980/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624980; rev:1;) alert tcp $HOME_NET any -> [16.50.42.150] 31225 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624979/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624979; rev:1;) 
# --- Meterpreter C2, ip:port indicators (confidence_level 50, first_seen 2025_10_22) ---
# Each rule in this group matches on destination address and port alone. There
# is no payload, app-layer or flow keyword, so any TCP packet from $HOME_NET to
# the listed endpoint satisfies it, including a connection attempt that was
# never answered. "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source host per 60 seconds.
# Triage: treat a hit as a lead, not a verdict. Confirm the IOC is still listed
# at the reference URL and correlate with flow and endpoint data before
# escalating; an address can be reassigned after first_seen, and the port number
# says nothing about the protocol actually spoken (e.g. 43, 3306, 5985 below).
# Meterpreter is also used in authorised security testing, so check hits against
# known engagements.
# target:src_ip records the $HOME_NET host as the attack target in the event.
alert tcp $HOME_NET any -> [15.229.13.42] 9301 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624978/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624978; rev:1;)
alert tcp $HOME_NET any -> [16.50.178.223] 5985 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624977/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624977; rev:1;)
alert tcp $HOME_NET any -> [18.197.254.86] 3306 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624976/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624976; rev:1;)
alert tcp $HOME_NET any -> [51.17.138.88] 8008 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624975/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624975; rev:1;)
alert tcp $HOME_NET any -> [52.66.201.169] 58507 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624974/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624974; rev:1;)
alert tcp $HOME_NET any -> [18.229.134.251] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624973/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624973; rev:1;)
alert tcp $HOME_NET any -> [3.99.180.42] 39878 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624972/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624972; rev:1;)
alert tcp $HOME_NET any -> [51.92.46.31] 18245 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624971/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624971; rev:1;)
alert tcp $HOME_NET any -> [18.231.115.134] 43735 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624970/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624970; rev:1;)
alert tcp $HOME_NET any -> [16.52.166.216] 49152 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624969/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624969; rev:1;)
alert tcp $HOME_NET any -> [43.216.21.133] 1723 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624968/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624968; rev:1;)
alert tcp $HOME_NET any -> [13.212.89.233] 6008 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624967/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624967; rev:1;)
alert tcp $HOME_NET any -> [18.200.243.189] 2083 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624966/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624966; rev:1;)
alert tcp $HOME_NET any -> [15.236.146.179] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624965/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624965; rev:1;)
alert tcp $HOME_NET any -> [13.201.54.195] 19476 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624964/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624964; rev:1;)
alert tcp $HOME_NET any -> [18.162.191.212] 6571 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624963/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624963; rev:1;)
alert tcp $HOME_NET any -> [18.130.253.191] 41494 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624962/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624962; rev:1;)
alert tcp $HOME_NET any -> [18.130.10.237] 37453 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624961/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624961; rev:1;)
alert tcp $HOME_NET any -> [18.130.10.237] 2403 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624960/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624960; rev:1;)
alert tcp $HOME_NET any -> [54.233.50.199] 43 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624959/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624959; rev:1;)
alert tcp $HOME_NET any -> [15.168.175.122] 20547 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624958/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624958; rev:1;)
alert tcp $HOME_NET any -> [35.183.16.202] 4242 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624957/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624957; rev:1;)
alert tcp $HOME_NET any -> [51.84.206.12] 2405 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624956/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624956; rev:1;)
alert tcp $HOME_NET any -> [18.162.133.98] 6006 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624955/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624955; rev:1;)
alert tcp $HOME_NET any -> [13.244.95.70] 8880 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624954/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624954; rev:1;)
alert tcp $HOME_NET any -> [3.75.189.177] 6443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624953/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624953; rev:1;)
alert tcp $HOME_NET any -> [54.249.85.227] 20546 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624952/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624952; rev:1;)
alert tcp $HOME_NET any -> [13.208.165.246] 22122 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624951/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624951; rev:1;)
alert tcp $HOME_NET any -> [16.28.47.150] 56973 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624950/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624950; rev:1;)
# --- Cobalt Strike C2, ip:port indicators (confidence_level 50, first_seen 2025_10_22) ---
# Same shape as the Meterpreter group: destination address and port only, one
# alert per source host per 60 seconds. Most entries use common web ports
# (80, 443, 8443) and several addresses are listed on more than one port, so
# these rules cannot tell C2 from any other service reachable on the same
# address and port. Pair a hit with TLS/HTTP metadata or endpoint telemetry
# before acting on it, and re-check the reference URL because the listing may
# have expired. Cobalt Strike is a commercial red-team tool, so authorised use
# is possible; check hits against known engagements.
alert tcp $HOME_NET any -> [159.223.66.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624949/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624949; rev:1;)
alert tcp $HOME_NET any -> [159.223.66.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624948/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624948; rev:1;)
alert tcp $HOME_NET any -> [47.101.197.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624947/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624947; rev:1;)
alert tcp $HOME_NET any -> [47.115.215.29] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624946/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624946; rev:1;)
alert tcp $HOME_NET any -> [142.171.213.25] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624945/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624945; rev:1;)
alert tcp $HOME_NET any -> [139.129.192.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624944/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624944; rev:1;)
alert tcp $HOME_NET any -> [139.129.192.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624943/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624943; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624942/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624942; rev:1;)
alert tcp $HOME_NET any -> [185.227.154.88] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624941/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624941; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.121] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624940/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624940; rev:1;)
alert tcp $HOME_NET any -> [116.196.75.68] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624939/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624939; rev:1;)
alert tcp $HOME_NET any -> [116.196.75.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624938/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624938; rev:1;)
alert tcp $HOME_NET any -> [116.196.75.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624937/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624937; rev:1;)
alert tcp $HOME_NET any -> [123.57.3.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624936/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624936; rev:1;)
alert tcp $HOME_NET any -> [47.108.21.186] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624935/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624935; rev:1;)
alert tcp $HOME_NET any -> [47.108.21.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624934/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624934; rev:1;)
alert tcp $HOME_NET any -> [106.75.12.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624933/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624933; rev:1;)
alert tcp $HOME_NET any -> [39.107.54.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624932/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624932; rev:1;)
alert tcp $HOME_NET any -> [39.97.48.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624931/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624931; rev:1;)
alert tcp $HOME_NET any -> [106.75.33.49] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624930/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624930; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.122] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624929/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624929; rev:1;)
alert tcp $HOME_NET any -> [212.85.27.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624928/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624928; rev:1;)
alert tcp $HOME_NET any -> [45.55.189.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624927/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624927; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624926/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624926; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624925/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624925; rev:1;)
alert tcp $HOME_NET any -> [147.45.112.204] 55641 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624924/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624924; rev:1;)
alert tcp $HOME_NET any -> [18.191.80.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624923/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624923; rev:1;)
alert tcp $HOME_NET any -> [156.238.249.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624922/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624922; rev:1;)
alert tcp $HOME_NET any -> [43.142.91.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624921/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624921; rev:1;)
alert tcp $HOME_NET any -> [43.142.91.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624920/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624920; rev:1;)
alert tcp $HOME_NET any -> [114.67.181.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624919/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624919; rev:1;)
alert tcp $HOME_NET any -> [149.88.69.118] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624918/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624918; rev:1;)
alert tcp $HOME_NET any -> [43.247.134.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624917/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624917; rev:1;)
alert tcp $HOME_NET any -> [172.190.244.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624916/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624916; rev:1;)
alert tcp $HOME_NET any -> [206.189.225.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624915/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624915; rev:1;)
alert tcp $HOME_NET any -> [178.128.224.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624914/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624914; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.113] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624913/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624913; rev:1;)
alert tcp $HOME_NET any -> [60.204.224.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624912/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624912; rev:1;)
alert tcp $HOME_NET any -> [23.254.228.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624911/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624911; rev:1;) alert tcp $HOME_NET any -> [23.254.228.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624910/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624910; rev:1;) alert tcp $HOME_NET any -> [88.80.17.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624909/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"back.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624908; rev:1;) alert tcp $HOME_NET any -> [139.129.108.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624907/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624907; rev:1;) alert tcp $HOME_NET any -> [136.114.158.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624906/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; 
classtype:trojan-activity; sid:91624906; rev:1;) alert tcp $HOME_NET any -> [116.62.226.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624905/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624905; rev:1;) alert tcp $HOME_NET any -> [146.190.255.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624904/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624904; rev:1;) alert tcp $HOME_NET any -> [178.16.54.120] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624903/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624903; rev:1;) alert tcp $HOME_NET any -> [106.75.16.136] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624902/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624902; rev:1;) alert tcp $HOME_NET any -> [185.141.24.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624901/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624901; rev:1;) alert tcp $HOME_NET any -> [91.132.129.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624900/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624900; rev:1;) alert tcp $HOME_NET any -> [122.51.26.81] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624899/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624899; rev:1;) alert tcp $HOME_NET any -> [100.27.230.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624898/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624898; rev:1;) alert tcp $HOME_NET any -> [81.70.26.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624897/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624897; rev:1;) alert tcp $HOME_NET any -> [54.226.78.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624896/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624896; rev:1;) alert tcp $HOME_NET any -> [98.91.17.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624895/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624895; rev:1;) alert tcp $HOME_NET any -> 
[206.189.178.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624894/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624894; rev:1;) alert tcp $HOME_NET any -> [143.198.82.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624893/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624893; rev:1;) alert tcp $HOME_NET any -> [54.243.19.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624892/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624892; rev:1;) alert tcp $HOME_NET any -> [13.222.128.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624891/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624891; rev:1;) alert tcp $HOME_NET any -> [18.170.72.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624890/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624890; rev:1;) alert tcp $HOME_NET any -> [185.241.208.212] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624889/; target:src_ip; 
metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624889; rev:1;)
# --- Domain indicators matched on the DNS query name ---
# `dns_query` selects the query-name buffer. In every rule `depth:N` equals the length of
# the content string and `isdataat:!1,relative` requires that no byte follows the match,
# so together they are an exact, case-insensitive (`nocase`) match on the whole name.
# Other hosts under the same parent domain, and deeper subdomains of the listed name, do
# not match.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET. If clients query a resolver that
# sits inside $HOME_NET, the sensor presumably only sees the resolver's upstream query,
# and `target:src_ip` then names the resolver, not the workstation; confirm the capture
# point and keep resolver query logs for attribution.
# NOTE(review): `dns_query` is the older spelling of `dns.query`; confirm the deployed
# Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.i261au.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1kx.99y401874.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624887; rev:1;)
# XWorm C2 on TCP 3389: header-only match (address and port, no payload keywords), so any
# outbound connection to this address on that port fires, limited to one alert per source
# per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [5.136.108.102] 3389 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8.i924ao.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baby.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9.i924ao.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.i924ao.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"away.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j8r2.99y401874.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"updata.mgil01.workers.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624877/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"service.oneipsoft.com"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624878/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"myoffice.techralsolution.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624873/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"helpdesk.athenatechlabs.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624874/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com"; depth:59; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624875/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com"; depth:63; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624876/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.i924ao.ru"; depth:12; fast_pattern; 
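isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624857; rev:1;)
# Remcos C2, ip:port indicator: header-only match (address and port, no payload keywords);
# the threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [45.141.215.164] 9863 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624856/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624856; rev:1;)
# Payload-delivery domains: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so each rule is an exact, case-insensitive match on the full
# DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m4v.99y401874.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd.i924ao.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624854; rev:1;)
# sid 91624847, host-only URL indicator. The feed form placed the hostname in http.uri
# with depth:20, i.e. it required the request URI itself to begin with
# "git.zionministry.org". A GET request URI begins with "/" (or a scheme in proxy form),
# so that match could not succeed on ordinary traffic and the rule was silent.
# The hostname is now matched in http.host, anchored the same way as the companion rule
# sid 91624848: depth equals the content length and isdataat:!1,relative forbids trailing
# bytes, giving an exact host match. http.host is lower-cased by the engine, so the
# pattern stays lower case and nocase is dropped.
# rev is raised because the match changed. NOTE(review): this is a local edit to a
# generated feed rule; a feed refresh will presumably restore the upstream form, so carry
# the change in local rule management if it is kept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"git.zionministry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624847; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob7/sdqcncdfnmv7lonta9ocxwveyo8u2c2xl8bqktpw0isw0tjdna=="; depth:57; nocase; http.host; 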
content:"git.zionministry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"area.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4.i924ao.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"also.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.i924ao.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9.o-y3ii.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624849/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"caim7.res4ev7oy1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h7.o-y3ii.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"able.k4tem.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wi1do.res4ev7oy1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.o-y3ii.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624842; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gent1e.res4ev7oy1.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.o-y3ii.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dust5.res4ev7oy1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t2m4.rv6324.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zc.o-y3ii.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qdqwrqwrwqrqw.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flow3.res4ev7oy1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624835; rev:1;) alert tcp $HOME_NET any -> [194.33.61.249] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kx6.rv6324.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3.o-y3ii.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624832; rev:1;) alert tcp $HOME_NET any -> [209.54.103.149] 26713 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624831/; target:src_ip; metadata: 
confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graceoppo45.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averolucas.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.o-y3ii.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi1d.res4ev7oy1.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624826; rev:1;) alert dns $HOME_NET any 
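-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"86xh43yr0x006.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624825/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624825; rev:1;)
# The rule above and the one below are exact DNS-name matches: depth equals the content
# length and isdataat:!1,relative forbids trailing bytes. For a name that sits under a
# shared parent domain, only that single hostname matches, not the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624824; rev:1;)
# sid 91624823, host-only URL indicator given as an IP literal. The feed form matched
# "176.65.132.6" in http.uri with depth:12, which requires the request URI to begin with
# the address; a GET request URI begins with "/" (or a scheme in proxy form), so the rule
# could not fire on ordinary traffic.
# The address is now matched in http.host. depth:12 plus isdataat:!1,relative makes it an
# exact match, which matters for an IP literal: without the end anchor the same twelve
# bytes are also a prefix of 176.65.132.60 through 176.65.132.69. http.host is
# lower-cased by the engine, so nocase is dropped.
# rev is raised because the match changed. NOTE(review): local edit to a generated feed
# rule; a feed refresh will presumably restore the upstream form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"176.65.132.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624823; rev:2;)
# Remcos C2, ip:port indicators: header-only matches (address and port, no payload
# keywords); the threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [216.9.224.26] 8780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624821; rev:1;)
alert tcp $HOME_NET any -> [193.29.13.183] 2402 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624822; rev:1;)
alert tcp $HOME_NET any -> [163.5.210.61] 2568 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 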
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"actualizadoswin11.kozow.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tipseptbk.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"11655nightfileremciiiixxxxx.duckdns.org"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moneyexchangeworld.hopto.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624819; rev:1;) alert tcp $HOME_NET any -> [147.185.221.180] 31798 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624813/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624813; rev:1;) alert tcp $HOME_NET any -> [5.83.154.54] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624814; rev:1;) alert tcp $HOME_NET any -> [196.251.86.219] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhhgff.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgam6am.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nov-cleaner.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624811; rev:1;) alert tcp $HOME_NET any -> [147.185.221.211] 12483 (msg:"ThreatFox XWorm 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624812; rev:1;)
# Matches a GET whose URI starts with the listed /bot<token>/sendmessage path
# (case-insensitive) and whose Host is exactly api.telegram.org.
# NOTE(review): an http rule only sees cleartext or already-decrypted HTTP. The
# Telegram Bot API is normally reached over HTTPS, so this rule presumably needs TLS
# inspection in front of the sensor to fire; confirm sensor placement. The method
# match also means a POST to the same path is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7940826173:aahgqrax86ppaa3iritaoddtnqmux6y0tqw/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624799; rev:1;)
# Domain rules: depth equals the pattern length and isdataat:!1,relative requires
# that nothing follows, so only a query for exactly the listed name alerts.
# NOTE(review): these names look like per-user hostnames under shared tunnelling or
# port-forwarding services (gl.at.ply.gg, portmap.host). The exact match keeps the
# alert to the listed name; it does not cover other hostnames the same operator may
# register under the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"second-flickr.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vxnjhdhs-35196.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cracktui-34704.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"likely-preliminary.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fresd.serveblog.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boy-racial.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uk-weight.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"football-reached.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"parts-quite.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624808; rev:1;) alert tcp $HOME_NET any -> [156.247.41.70] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624797; rev:1;) alert tcp $HOME_NET any -> [91.48.43.87] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624798; rev:1;) alert tcp $HOME_NET any -> [109.172.183.242] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624785; rev:1;) alert tcp $HOME_NET any -> [196.251.81.90] 7171 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624786; rev:1;) alert tcp $HOME_NET any -> [156.247.41.70] 5554 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; 
sid:91624787; rev:1;) alert tcp $HOME_NET any -> [51.68.244.77] 2031 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624788; rev:1;) alert tcp $HOME_NET any -> [147.185.221.25] 52946 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624789; rev:1;) alert tcp $HOME_NET any -> [91.48.43.87] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624790; rev:1;) alert tcp $HOME_NET any -> [109.172.183.242] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624791; rev:1;) alert tcp $HOME_NET any -> [147.185.221.180] 4446 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624792; rev:1;) alert tcp $HOME_NET any -> [147.185.221.180] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1624793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624793; rev:1;) alert tcp $HOME_NET any -> [109.172.183.242] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624794; rev:1;) alert tcp $HOME_NET any -> [147.185.221.180] 32793 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624795; rev:1;) alert tcp $HOME_NET any -> [196.251.81.90] 7272 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coorpfree3.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v1.authorandrewsmith.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624784; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donationcode.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djaber.synology.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buy-cake.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.buildingmaterialsandclimate.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madxteam.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"cause-seems.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"problem-locking.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatex.xoilaczzzcz.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"war.ydns.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unnnnnnknownnnnn-49954.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"little-vegetables.gl.at.ply.gg"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"campestre.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624769; rev:1;) alert tcp $HOME_NET any -> [147.185.221.30] 49105 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spam.authorandrewsmith.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v1.buildingmaterialsandclimate.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w.rv6324.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624767/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x5.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepo.res4ev7oy1.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p7z1.rv6324.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vk.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624762; rev:1;) alert tcp $HOME_NET any -> 
[203.202.232.37] 15407 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624760/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624760; rev:1;) alert tcp $HOME_NET any -> [203.202.232.37] 15409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624761/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.y-o7uu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624759; rev:1;) alert tcp $HOME_NET any -> [91.92.241.175] 9385 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624758/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f23206eafc7f4b9f.php"; depth:21; nocase; http.host; content:"193.151.108.232"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"qx2m.97ie88e7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g3c.rv6324.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624757; rev:1;) alert tcp $HOME_NET any -> [103.100.170.134] 5555 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624755; rev:1;) alert tcp $HOME_NET any -> [103.100.170.134] 9999 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.y-o7uu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gra.nadimgadget.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624751/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624751; rev:1;)
# Exact-name DNS match: depth equals the pattern length and isdataat:!1,relative
# requires that nothing follows the pattern in the query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gra.khabeir.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624752; rev:1;)
# ip:port rule: no payload or flow keyword, so any TCP packet from $HOME_NET to this
# address and port matches; the threshold caps output at one alert per source per
# 60 seconds. The family name in msg is the feed's attribution, not something the
# rule verifies on the wire.
alert tcp $HOME_NET any -> [23.94.232.189] 8030 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624750; rev:1;)
# The next two url rules match a GET whose URI starts with "/" and whose Host is
# exactly the listed name. Every origin-form URI starts with "/", so the http.uri
# condition barely narrows the match: in effect any cleartext GET to that Host
# alerts, whatever the path.
# NOTE(review): the same two names also have DNS rules (sid 91624751 and
# sid 91624752), so one connection can raise both a dns and an http alert; correlate
# on the source address rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gra.nadimgadget.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gra.khabeir.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624749; rev:1;)
# NOTE(review): destination port 80 with no content match. If this address also
# serves unrelated sites, ordinary web traffic to it raises the same alert; check
# the flow or proxy logs for the request before treating a hit as C2.
alert tcp $HOME_NET any -> [196.251.73.222] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624747/; target:src_ip; metadata: confidence_level 100, 
first_seen 2025_10_22; classtype:trojan-activity; sid:91624747; rev:1;) alert tcp $HOME_NET any -> [34.74.141.199] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624745; rev:1;) alert tcp $HOME_NET any -> [95.112.162.242] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624746; rev:1;) alert tcp $HOME_NET any -> [151.245.54.181] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624743; rev:1;) alert tcp $HOME_NET any -> [77.239.108.46] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624744; rev:1;) alert tcp $HOME_NET any -> [106.14.126.106] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"pactohistorico2029.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coorpfree7.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myupdaterem.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"westy.karslioglu-tr.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624738; rev:1;) alert tcp $HOME_NET any -> [106.14.0.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5v9.97ie88e7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1624735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9.o-a4eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7.o-a4eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7eud.97ie88e7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pt.o-a4eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0.rv6324.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; 
sid:91624730; rev:1;) alert tcp $HOME_NET any -> [45.138.16.155] 1603 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lx0c.97ie88e7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.o-a4eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1y6.97ie88e7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4.o-a4eu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"1m.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624724; rev:1;)
# DNS rules below match one hostname each: depth pins the content to the start of the
# query name and isdataat:!1,relative pins it to the end (nocase applies).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4tqm.28ae00i7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c8.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qk8.bl8205.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624721; rev:1;)
# ip:port rules at feed confidence 75% (see metadata). They match on address and port
# only, with no payload or flow condition, and the destination ports here are 80 and 443.
# NOTE(review): corroborate with host or proxy telemetry before escalating; the rule
# itself cannot tell C2 traffic from any other connection to the same address.
alert tcp $HOME_NET any -> [172.245.215.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624720/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624720; rev:1;)
alert tcp $HOME_NET any -> [156.238.241.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624719/; target:src_ip; metadata: confidence_level
75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624719; rev:1;)
# ip:port rules: address and destination port are the only match criteria (no flow,
# flags or content), and threshold limits each rule to one alert per source per 60 s.
# The malware family and confidence come from the feed and appear only in msg/metadata.
alert tcp $HOME_NET any -> [107.174.144.204] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624718/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624718; rev:1;)
# Exact-FQDN DNS rule (depth = content length, isdataat:!1,relative closes the match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p0.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624717; rev:1;)
# Confidence drops to 90% for the next rule; the three after it are back at 100%.
alert tcp $HOME_NET any -> [185.208.156.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624698/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_22; classtype:trojan-activity; sid:91624698; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.177] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624699; rev:1;)
alert tcp $HOME_NET any -> [192.3.136.206] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624700; rev:1;)
alert tcp $HOME_NET any -> [47.115.46.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624702; rev:1;)
# "Unknown malware" ip:port rules: the feed names no family, and the rules match on
# destination address and port alone. An alert therefore says only that a host in
# $HOME_NET sent a TCP packet to that endpoint; one alert per source per 60 seconds.
# NOTE(review): first_seen is the only age signal in the rule. Addresses get reassigned,
# so review how long entries are kept before treating hits on 80/443 as confirmed C2.
alert tcp $HOME_NET any -> [212.85.27.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624703; rev:1;)
alert tcp $HOME_NET any -> [123.57.134.58] 11465 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624701; rev:1;)
alert tcp $HOME_NET any -> [198.244.233.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624704; rev:1;)
alert tcp $HOME_NET any -> [216.238.83.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624705; rev:1;)
alert tcp $HOME_NET any -> [165.227.112.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22;
classtype:trojan-activity; sid:91624706; rev:1;)
# ip:port rules with no family attribution ("Unknown malware"). Only the destination
# address and port are tested; threshold caps each rule at one alert per source per 60 s.
# 164.132.91.124 and 164.132.91.125 are adjacent addresses on the same port (3334) but
# are separate rules with separate sids.
alert tcp $HOME_NET any -> [13.158.228.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624707; rev:1;)
alert tcp $HOME_NET any -> [164.132.91.125] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624708; rev:1;)
alert tcp $HOME_NET any -> [4.200.25.121] 11989 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624709; rev:1;)
alert tcp $HOME_NET any -> [206.198.149.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624710; rev:1;)
alert tcp $HOME_NET any -> [164.132.91.124] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"0z.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624716; rev:1;)
# Exact-FQDN DNS rules (depth = content length, isdataat:!1,relative forbids trailing
# bytes, nocase). Several hostnames share the parent t-pay3.ru; each is listed on its
# own, so a hostname under that parent that the feed has not listed will not match.
# dns_query inspects DNS traffic the sensor can parse; NOTE(review): lookups sent over
# an encrypted resolver channel would presumably bypass these rules — confirm coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sr5b.28ae00i7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1.t-pay3.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.t-pay3.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624697/; target:src_ip;
metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624697; rev:1;)
# Exact-FQDN DNS rules: the content must sit within the first `depth` bytes of the
# query name and isdataat:!1,relative requires that nothing follows it, so each rule
# fires on one hostname only (nocase). target:src_ip marks the querying host as the
# affected side in alert output.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y.bl8205.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2wpx.28ae00i7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r9.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bq.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d3j7.28ae00i7.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624692; rev:1;)
alert tcp $HOME_NET any ->
[60.205.155.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624691; rev:1;)
# Cobalt Strike ip:port rules. The family label comes from the feed; nothing in the
# rule inspects the payload, so the match is "any TCP packet from $HOME_NET to this
# address and port", reported at most once per source per 60 seconds.
# NOTE(review): the ports here are 80, 443 and 8080. Pair a hit with TLS/HTTP metadata
# or endpoint evidence during triage; the alert alone does not identify the protocol.
alert tcp $HOME_NET any -> [47.114.216.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624690; rev:1;)
alert tcp $HOME_NET any -> [106.54.49.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624689; rev:1;)
alert tcp $HOME_NET any -> [18.142.177.189] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624688; rev:1;)
alert tcp $HOME_NET any -> [47.90.223.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624687; rev:1;)
alert tcp $HOME_NET any -> [116.62.42.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624686/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624686; rev:1;)
# ip:port rule: matches on destination address and port only; one alert per source
# per 60 seconds (threshold type limit, track by_src).
alert tcp $HOME_NET any -> [185.196.9.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624685; rev:1;)
# Exact-FQDN DNS rules: depth equals the content length and isdataat:!1,relative
# rejects trailing bytes, so x2/pc/m8.x-ceu8.ru and m5q1.bl8205.online each need their
# own rule; unlisted hostnames under the same parents are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x2.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pc.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m5q1.bl8205.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.x-ceu8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624681; rev:1;)
alert dns $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2t.bl8205.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624680; rev:1;)
# Exact-FQDN DNS rule (depth = content length; isdataat:!1,relative ends the match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.x-ceu8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624679; rev:1;)
# ip:port rule at feed confidence 75% on port 443, with no payload condition.
# NOTE(review): treat a hit as a lead to corroborate, not as confirmed C2.
alert tcp $HOME_NET any -> [178.87.111.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624678/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624678; rev:1;)
# URL rule: client-to-server GET on an established flow. http.uri is anchored at the
# start by depth:68 (the content length) but has no end anchor, so the path is a
# case-insensitive prefix match; http.host must equal the listed name exactly.
# The rule applies only to traffic parsed as HTTP; no DNS rule for this host is visible
# in this part of the file. The wp-content/plugins path presumably points at a
# WordPress site serving the payload — TODO confirm against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 95%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/casadorefratario/wp-content/plugins/wp-operating-programs/index.php"; depth:68; nocase; http.host; content:"clientes.3wpublicidade.com.br"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624652/; target:src_ip; metadata: confidence_level 95, first_seen 2025_10_22; classtype:trojan-activity; sid:91624652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0.f-xiu4.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624677; rev:1;)
alert dns $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c4.bl8205.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624676; rev:1;)
# Exact-FQDN DNS rules for hostnames under f-xiu4.ru: depth equals the content length
# and isdataat:!1,relative forbids trailing bytes, so only the listed names match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wz.f-xiu4.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2.f-xiu4.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q.f-xiu4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624673; rev:1;)
# Meterpreter ip:port rules: address and port only, one alert per source per 60 s.
# The label reflects the feed's attribution; the rule does not inspect the session.
alert tcp $HOME_NET any -> [168.245.201.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624672; rev:1;)
alert tcp $HOME_NET any -> [168.245.200.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60,
count 1; reference:url, threatfox.abuse.ch/ioc/1624669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624669; rev:1;)
# ip:port rules for several families (named in msg only). Each matches any TCP packet
# from $HOME_NET to the listed address and port; with no flow keyword, an unanswered
# connection attempt also alerts. Output is limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [168.245.200.188] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624670; rev:1;)
alert tcp $HOME_NET any -> [196.75.62.19] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624671; rev:1;)
alert tcp $HOME_NET any -> [5.95.41.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624668; rev:1;)
alert tcp $HOME_NET any -> [45.130.60.93] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624667; rev:1;)
alert tcp $HOME_NET any -> [103.237.92.236] 5986 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624666; rev:1;)
alert tcp $HOME_NET any -> [68.183.167.196]
9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624665; rev:1;)
# ip:port rule: destination address and port only; one alert per source per 60 s.
alert tcp $HOME_NET any -> [115.190.140.220] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624664; rev:1;)
# Exact-FQDN DNS rules (depth = content length, isdataat:!1,relative, nocase): one
# rule per hostname under f-xiu4.ru; unlisted hostnames of that parent do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xt.f-xiu4.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n5.f-xiu4.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.f-xiu4.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.zm6392.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1624660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624660; rev:1;)
# ip:port rule on port 443: address and port are the only conditions, so the rule
# cannot distinguish C2 from any other TLS session to that address.
alert tcp $HOME_NET any -> [138.199.203.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624659; rev:1;)
# Exact-FQDN DNS rules. The first two are tagged "botnet C2 traffic" rather than
# "payload delivery"; the match logic is identical, only msg differs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.nadimgadget.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.khabeir.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.v-bua0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624656; rev:1;)
# URL rule whose http.uri content is "/" with depth:1: any request path that starts
# with "/" satisfies it, so in effect every GET to the exact host alerts. It only
# covers traffic parsed as HTTP; the DNS rule above (sid:91624657) covers the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ftp.nadimgadget.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624654/; target:src_ip; metadata:
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624654; rev:1;)
# URL rule: GET from the client on an established flow, http.host matched in full
# (depth + isdataat:!1,relative). The http.uri content is "/" with depth:1, which any
# path beginning with "/" satisfies, so the rule is effectively host-only for GETs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ftp.khabeir.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624655; rev:1;)
# Exact-FQDN DNS rules: depth equals the content length and isdataat:!1,relative
# rejects trailing bytes, so each rule matches a single hostname (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9.v-bua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.v-bua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7p4.zm6392.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.v-bua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22;
classtype:trojan-activity; sid:91624649; rev:1;)
# Exact-FQDN DNS rules (depth = content length, isdataat:!1,relative, nocase). The
# feed lists each hostname under v-bua0.ru, zm6392.online and 2f8-2.ru separately, so
# coverage extends only to hostnames that have already been reported.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1.zm6392.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7.v-bua0.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624647; rev:1;)
# ip:port rule: destination address and port only; one alert per source per 60 s.
alert tcp $HOME_NET any -> [91.92.240.204] 10000 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.v-bua0.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xq.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)";
dns_query; content:"wq0n.zm6392.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624643; rev:1;)
# Exact-FQDN DNS rule for a single hostname under duckdns.org, a dynamic-DNS domain.
# depth:20 plus isdataat:!1,relative keep every other duckdns.org name out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newduck1.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h7.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624641; rev:1;)
# ip:port rule: destination address and port only; one alert per source per 60 s.
alert tcp $HOME_NET any -> [89.23.107.193] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624640; rev:1;)
# dmg-tech.com hostnames tagged as botnet C2 by the feed. NOTE(review): the labels
# (owa, bcfremote, vpn) resemble remote-access service names; check the ThreatFox
# entries before turning these alerts into blocks.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owa.dmg-tech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bcfremote.dmg-tech.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624215/;
target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624215; rev:1;)
# Exact-FQDN DNS rule (depth = content length; isdataat:!1,relative ends the match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.dmg-tech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624216; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port matches
# (no flow or content keyword), limited to one alert per source per 60 seconds.
# Three of the four carry no family attribution ("Unknown malware").
alert tcp $HOME_NET any -> [146.103.101.79] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624213; rev:1;)
alert tcp $HOME_NET any -> [183.178.236.95] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624214; rev:1;)
alert tcp $HOME_NET any -> [206.238.221.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624211; rev:1;)
alert tcp $HOME_NET any -> [77.3.9.252] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmsjj"; depth:6; nocase; http.host; content:"globaltechbilling.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624193; rev:1;) alert tcp $HOME_NET any -> [117.72.158.125] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624210/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/index.php"; depth:14; nocase; http.host; content:"charityjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/bof.js"; depth:11; nocase; http.host; content:"charityjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"charityjs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; 
classtype:trojan-activity; sid:91624190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xss/buf.js"; depth:11; nocase; http.host; content:"charityjs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"archive.orlandoluxuryproperties.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624185; rev:1;) alert tcp $HOME_NET any -> [185.132.53.230] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624218; rev:1;) alert tcp $HOME_NET any -> [20.55.83.156] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624219; rev:1;) alert tcp $HOME_NET any -> [185.195.236.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624220; rev:1;) alert tcp $HOME_NET 
any -> [13.220.84.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624237/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hs-analytics.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"static-hotjar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mawp.us"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/pdxuoitj.e3nx5"; depth:23; nocase; http.host; content:"70.36.99.253"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"utahlvs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hollywoodquarterly.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624271; rev:1;) alert tcp $HOME_NET any -> [2.241.67.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.securebootupdatesystem.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624336; rev:1;) alert tcp $HOME_NET any -> [45.204.207.236] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624337; rev:1;) alert tcp $HOME_NET any -> [185.209.229.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1624338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624338; rev:1;) alert tcp $HOME_NET any -> [34.123.251.62] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624339; rev:1;) alert tcp $HOME_NET any -> [3.142.148.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624340; rev:1;) alert tcp $HOME_NET any -> [91.98.149.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624341; rev:1;) alert tcp $HOME_NET any -> [5.252.177.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624342; rev:1;) alert tcp $HOME_NET any -> [151.241.228.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624343; rev:1;) alert tcp $HOME_NET any -> [157.230.47.108] 
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l8k.zm6392.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pv.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a1.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"carprlce.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624636/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"logixbrands.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1624633/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wisvetsmuseum.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624634/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"grossepointechamber.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624635/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"greatoldbroads.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624630/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"muld.org"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624631/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"batemanallenfuneralhome.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624632/; target:src_ip; metadata: confidence_level 50, first_seen 
2025_10_22; classtype:trojan-activity; sid:91624632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s3.zm6392.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pan.tenire.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624628/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zt.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"git.zionministry.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624626/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624626; rev:1;) alert tcp $HOME_NET any -> [45.138.16.106] 1213 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624625/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 50%)"; dns_query; content:"botnet.smmpower.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624624/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624624; rev:1;) alert tcp $HOME_NET any -> [5.133.102.156] 33140 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624623/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7579245280:aagsgutmmqazd10cvda1hxef34larjqqlmw/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624622/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"80806693.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624620/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"196.251.114.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624621/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; 
classtype:trojan-activity; sid:91624621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8nus4b/login.php"; depth:18; nocase; http.host; content:"178.16.54.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624619/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.230.155.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624618/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"144.124.228.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624617/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_22; classtype:trojan-activity; sid:91624617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3.2f8-2.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y2.lb3091.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1624615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e.2f8-2.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9.3x6-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t04m.lb3091.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2.3x6-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.3x6-7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624610; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.lb3091.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pl.3x6-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9x2.lb3091.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3.3x6-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.3x6-7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624605; rev:1;) alert tcp $HOME_NET any -> [125.32.67.196] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624602; rev:1;) alert tcp $HOME_NET any -> [168.245.201.171] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624603; rev:1;) alert tcp $HOME_NET any -> [168.245.200.229] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624604; rev:1;) alert tcp $HOME_NET any -> [8.136.48.237] 8091 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624601; rev:1;) alert tcp $HOME_NET any -> [148.230.93.118] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624600; rev:1;) alert tcp $HOME_NET any -> [45.235.216.29] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624599; rev:1;) 
# ip:port indicators. These "alert tcp" rules have no flow or content keyword:
# any TCP packet from $HOME_NET to the listed address and port matches,
# including a connection attempt that is never answered. The threshold
# (type limit, track by_src, count 1, seconds 60) caps output at one alert per
# source address per 60 seconds per rule. The malware family appears only in
# msg and is not verified by the rule; nothing in the payload is inspected.
# Several entries use ports 80 and 443, so confirm a hit against flow or
# endpoint data and the ThreatFox reference before acting on it.
# target:src_ip records the $HOME_NET side as the target in the alert.
alert tcp $HOME_NET any -> [154.40.41.147] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624598; rev:1;)
alert tcp $HOME_NET any -> [15.206.123.58] 59027 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624596; rev:1;)
alert tcp $HOME_NET any -> [82.153.241.129] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624595; rev:1;)
alert tcp $HOME_NET any -> [54.79.243.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624594; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624593; rev:1;)
alert tcp $HOME_NET any -> [181.162.132.220] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624592; rev:1;)
alert tcp $HOME_NET any -> [129.28.97.90] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624591; rev:1;)
alert tcp $HOME_NET any -> [45.133.180.162] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624589; rev:1;)
alert tcp $HOME_NET any -> [164.68.120.30] 50 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624590; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.175] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624587; rev:1;)
alert tcp $HOME_NET any -> [34.74.141.199] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624588; rev:1;)
alert tcp $HOME_NET any -> [101.34.60.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624586; rev:1;)
alert tcp $HOME_NET any -> [158.94.208.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624585; rev:1;)
alert tcp $HOME_NET any -> [101.35.131.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624584; rev:1;)
alert tcp $HOME_NET any -> [122.51.243.50] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624582; rev:1;)
alert tcp $HOME_NET any -> [42.51.34.56] 8021 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624583; rev:1;)
alert tcp $HOME_NET any -> [139.155.143.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624581; rev:1;)
alert tcp $HOME_NET any -> [81.70.97.41] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624580; rev:1;)
# Domain indicators. depth equals the content length and isdataat:!1,relative
# requires the buffer to end right after the match, so the whole query name
# must equal the listed name (case-insensitive); subdomains do not match.
# dns_query is the older spelling of the dns.query sticky buffer.
# The names are short labels under a few parents (lb3091.online, 9b9-7.ru,
# 8d9691.online, 1vd-z.ru); labels not listed here are not covered.
# NOTE(review): if the parent names are wholly attacker-controlled, a search
# of DNS logs for the parent suffix would surface unlisted labels; confirm
# against the ThreatFox reference first.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1z.lb3091.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tq.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q5.lb3091.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bd.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4.9b9-7.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9r.8d9691.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g.9b9-7.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u0b.8d9691.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624569; rev:1;)
# confidence_level 75 on the next ip:port rule, lower than its neighbours.
alert tcp $HOME_NET any -> [178.16.54.118] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624568/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_22; classtype:trojan-activity; sid:91624568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9.1vd-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h7.1vd-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m7y1.8d9691.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.1vd-z.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1.1vd-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zc.1vd-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3.1vd-z.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p.8d9691.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a.1vd-z.ru"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a3zq.8d9691.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q1.0vs-r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1.0vs-r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f6.8d9691.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7.0vs-r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624554/; target:src_ip; metadata: 
confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.0vs-r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vk.0vs-r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m8.0vs-r.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s.0vs-r.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz3.5m9081.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624546; rev:1;) alert tcp $HOME_NET any -> [172.111.244.100] 2889 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624545; rev:1;) alert tcp $HOME_NET any -> [158.94.208.159] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_22; classtype:trojan-activity; sid:91624544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1624543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0x8.5m9081.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pt.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z1.9wb-k.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w4.5m9081.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4.9wb-k.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624358; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t1va.5m9081.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624355; rev:1;) alert tcp $HOME_NET any -> [45.201.0.201] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624353/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624353; rev:1;) alert tcp $HOME_NET any -> [45.201.0.201] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624354/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9.s61y5.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a4.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7p.5m9081.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"83.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n9.5m9081.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624347/; target:src_ip; metadata: confidence_level 100, first_seen 
2025_10_21; classtype:trojan-activity; sid:91624347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2.s61y5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y.d55u5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"44.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j.5h4553.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g9.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"xb0n.5h4553.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5n.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8.d55u5.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q2.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1k.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1624326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5.5h4553.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624325; rev:1;) alert tcp $HOME_NET any -> [166.88.11.112] 5985 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624323; rev:1;) alert tcp $HOME_NET any -> [166.88.11.112] 443 (msg:"ThreatFox DOPLUGS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0a.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c7.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624321; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qz1a.5h4553.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"90.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip-5-199-166-102.003.ptr.cherryservers.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624316; rev:1;) alert tcp $HOME_NET any -> [185.93.89.63] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3.k59ee.ru"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624314; rev:1;) alert tcp $HOME_NET any -> [64.188.94.173] 88 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624313; rev:1;) alert tcp $HOME_NET any -> [45.201.0.201] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.cdn.tripleclickads.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624311; rev:1;) alert tcp $HOME_NET any -> [167.99.70.133] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624309; rev:1;) alert tcp $HOME_NET any -> [87.121.84.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624310; 
rev:1;) alert tcp $HOME_NET any -> [209.222.4.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624308; rev:1;) alert tcp $HOME_NET any -> [146.103.101.79] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624307; rev:1;) alert tcp $HOME_NET any -> [192.227.235.212] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624306; rev:1;) alert tcp $HOME_NET any -> [195.3.223.146] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624305; rev:1;) alert tcp $HOME_NET any -> [83.172.151.118] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624304; rev:1;) alert tcp $HOME_NET any -> [39.107.242.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1624303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624303; rev:1;) alert tcp $HOME_NET any -> [8.137.123.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624302; rev:1;) alert tcp $HOME_NET any -> [68.64.177.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624301; rev:1;) alert tcp $HOME_NET any -> [47.110.67.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624300; rev:1;) alert tcp $HOME_NET any -> [158.94.208.151] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624297/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624297; rev:1;) alert tcp $HOME_NET any -> [158.94.208.154] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624298/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624298; rev:1;) alert tcp $HOME_NET any -> [47.110.67.64] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2.5h4553.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"05.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h2k.4y328.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b.c70ye.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1624291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"84.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p9y3.4y328.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"22.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.4y328.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624286; 
rev:1;)
# Domain rules pin one exact query name: depth equals the length of the
# content string and isdataat:!1,relative requires that nothing follows it, so
# "7.c70ye.ru" matches, but a longer name ending in it or the parent domain
# alone does not. nocase makes the comparison case-insensitive.
# The header is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the
# querying side as the alert target.
# NOTE(review): where clients use a resolver inside $HOME_NET, the source seen
# by this rule is presumably the resolver rather than the client; confirm
# sensor placement or correlate with resolver query logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7.c70ye.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624285; rev:1;)
# ip:port rules (sids 91624284, 91624282, 91624281 in this stretch) carry no
# payload, flow or TLS condition: destination address and port are the only
# match criteria. The threshold "type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source address per 60 seconds.
# All three are published at confidence_level 75.
# NOTE(review): an address-only match says nothing about the protocol spoken,
# and addresses can change hands after first_seen (2025_10_21); treat hits as
# leads to corroborate with flow, TLS or endpoint data before acting on them.
alert tcp $HOME_NET any -> [94.154.35.160] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624284/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0t.4y328.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624283; rev:1;)
alert tcp $HOME_NET any -> [54.183.167.86] 1234 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624282/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624282; rev:1;)
alert tcp $HOME_NET any -> [44.206.195.131] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624281/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624281; rev:1;)
# NOTE(review): in this listing the rule below is split across physical lines.
# Suricata expects a rule on a single line unless the line ends with a
# backslash, so rejoin split rules before loading this copy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"99.r46eu.ru"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624280; rev:1;) alert tcp $HOME_NET any -> [199.217.99.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624279/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624279; rev:1;) alert tcp $HOME_NET any -> [144.172.115.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624278/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qm4z.4y328.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3a.r46eu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x.r46eu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624275; 
rev:1;)
# URL rule: three sticky-buffer matches on a client request in an established
# flow. http.method must contain "GET". http.uri must begin with the listed
# path: depth:29 is the path length, but no isdataat follows it, so a longer
# URI (for example one carrying a query string) still matches. http.host must
# equal the listed name exactly (depth:17 plus isdataat:!1,relative).
# NOTE(review): the rule only sees requests the HTTP parser can read; the same
# URL fetched over TLS would presumably not be visible here without
# decryption, so do not read silence from this sid as absence of contact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagesecurelongpolllocal.php"; depth:29; nocase; http.host; content:"337598cm.nyash.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624274; rev:1;)
# Domain rules: exact, case-insensitive match on the full query name
# (depth = name length, isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7.4y328.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"08.r46eu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624272; rev:1;)
# ip:port rules: destination address and port are the only match conditions
# (no payload or flow keyword), and the threshold limits output to one alert
# per source address per 60 seconds, so a single alert can stand for any
# number of connections in that minute.
alert tcp $HOME_NET any -> [139.180.171.110] 22599 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624265; rev:1;)
alert tcp $HOME_NET any -> [188.132.197.88] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"22312mandayyyyyreymcuxe.duckdns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w2.r46eu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"71.r46eu.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9s.qcet8.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624261; rev:1;) alert tcp $HOME_NET any -> [23.94.252.123] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4.r46eu.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ry.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624258; rev:1;) alert tcp $HOME_NET any -> [144.31.191.75] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n2.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624256; rev:1;) alert tcp $HOME_NET any -> [89.110.87.119] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.filtergoyrdo.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91624251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.goolagstalinmore.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.shimoneaprel.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.managerfjo.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.khljokas.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624250; rev:1;) alert tcp $HOME_NET any -> [185.107.74.119] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624249; rev:1;) alert tcp $HOME_NET any -> [193.233.126.171] 443 (msg:"ThreatFox Rhadamanthys 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624248; rev:1;) alert tcp $HOME_NET any -> [85.209.129.19] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1w.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624246; rev:1;) alert tcp $HOME_NET any -> [94.74.164.175] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"holyrms.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallgqu.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624242/; target:src_ip; 
metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjellyb.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabuloa.asia"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"j5.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zdj.qcet8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5t.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"81.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3l.s61y5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uf8.qcet8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624233; rev:1;) alert tcp $HOME_NET any -> [49.13.38.160] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sip.nadimgadget.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1624229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624229; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name
# (depth:15 is the name length, isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sip.khabeir.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624230; rev:1;)
# URL rules for the same two hostnames that the domain rules with sids
# 91624229 and 91624230 cover. The http.uri match is content:"/" with depth:1,
# which any request URI beginning with "/" satisfies, so in practice these
# fire on any GET whose http.host equals the listed name exactly.
# One contact with such a host can therefore raise a DNS alert and an HTTP
# alert; correlate them by source and time rather than counting them as
# separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sip.nadimgadget.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sip.khabeir.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"84.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624226; rev:1;)
# ip:port rule: matches on destination address and port alone; the threshold
# keeps it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [45.155.69.188] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1624225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624225; rev:1;) alert tcp $HOME_NET any -> [185.236.231.185] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624224; rev:1;) alert tcp $HOME_NET any -> [172.245.95.3] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624222; rev:1;) alert tcp $HOME_NET any -> [158.94.208.58] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624223; rev:1;) alert tcp $HOME_NET any -> [107.174.33.18] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"55.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"64.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p6v3.1397u6.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"01.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"12.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"77.d55u5.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h4n0.1397u6.ru"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1624203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"04.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d5r.qcet8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"32.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"08.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xdv.qcet8.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; 
sid:91624198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"76.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shineo.sys7yn0iy5.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"93.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"41.k59ee.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"softs.sys7yn0iy5.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624187; rev:1;)
# DNS lookup rules, one listed name per rule. content + depth (equal to the name's length) +
# isdataat:!1,relative pins the whole dns_query buffer to that name, so an unlisted subdomain
# of the same parent does not alert.
# Every sid in this feed is 90000000 + the ThreatFox IOC id shown in reference:url; check the
# 91xxxxxx range against local rules before loading.
# target:src_ip marks the querying side as the affected host. NOTE(review): if clients resolve
# through an internal resolver, the alert may name the resolver instead of the workstation;
# confirm sensor placement.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"89.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uk.1397u6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gr0w.sys7yn0iy5.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a9.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"us.1397u6.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"30.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r1se.sys7yn0iy5.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"27.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s0lar.sys7yn0iy5.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624177; rev:1;)
# confidence_level 90 set. Several of these names look like near-miss spellings or alternate
# TLDs of well-known software and vendor names (presumably lookalike download sites; verify
# against the ThreatFox entry). During triage compare the queried name character by character
# with the rule, because the legitimate domain differs by as little as one letter.
# Apex and www. forms are separate IOCs (is-www.com / www.is-www.com, in-www.com /
# www.in-www.com); because of the exact match, any other subdomain is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.4kdownload-en.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624025/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"4kdownloade.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624026/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ninjaone.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624027/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatreadar5.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624028/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"is-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624029/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"app-microsoft.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624030/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"wondershars.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624031/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"manageengines.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624032/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"manageengines.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624035/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.ninjaone.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624033/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"manageengine.space"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624034/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"apps-microsoft.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624036/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"wondershared.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624037/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"wondershared.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624038/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"adspower.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624039/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"4kdownloade.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624040/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.apps-microsoft.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624041/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624041; rev:1;)
# Two confidence_level 100 entries sit between the 90% ones; the feed is not sorted by
# confidence, so filter on the metadata field rather than on position in the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"12.c70ye.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z.1397u6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.is-www.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624042/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"ferrariworldabu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624043/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"video.4kdownload.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624044/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatradeer5.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624045/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"metatrader5.tech"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624046/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"cllcktlme.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624047/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"bamboohre.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624048/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"www.in-www.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624049/; target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 90%)"; dns_query; content:"in-www.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624050/; 
target:src_ip; metadata: confidence_level 90, first_seen 2025_10_21; classtype:trojan-activity; sid:91624050; rev:1;)
# ip:port rules. There is no flow, flags or payload keyword, so as written the rule matches any
# TCP packet from $HOME_NET to the listed address and port, including a connection attempt that
# is never answered. Treat an alert as evidence of an attempt and confirm the session in flow or
# proxy logs. threshold type limit / track by_src / count 1 / seconds 60 caps output at one alert
# per source per minute, so the alert count says nothing about connection volume.
alert tcp $HOME_NET any -> [123.173.5.236] 56510 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624091/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"k.gooigle.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624129/; target:src_ip; metadata: confidence_level 80, first_seen 2025_10_21; classtype:trojan-activity; sid:91624129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dezhoni.icu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624162; rev:1;)
# NOTE(review): the next ten url rules look for an IP literal at the start of http.uri and set
# no http.host condition, unlike the host-based url rules further down (sid 91624149, 91624150).
# A request URI in origin-form starts with "/", so these may only match absolute-form (proxy
# style) requests or not at all; check the ThreatFox entry and test against a capture before
# relying on them. They also lack isdataat:!1,relative, so the match is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.10.5.24"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1624163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.210.171.6"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.210.170.70"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1624165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.75"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.10"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.162.9.58"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.90"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.89"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1624170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"188.165.208.154"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1624171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"157.250.195.74"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1624172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1.1397u6.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mo0n.sys7yn0iy5.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"60012.c70ye.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624161; rev:1;)
# Destination ports 80 and 443 below are ordinary web ports; the rule keys on the address alone,
# so other services on the same address (shared or reassigned hosting) alert as well. first_seen
# in metadata is the only age indicator visible in the rule.
alert tcp $HOME_NET any -> [152.42.184.125] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624160; rev:1;)
alert tcp $HOME_NET any -> [206.238.221.168] 7788 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624159; rev:1;)
alert tcp $HOME_NET any -> [5.45.95.240] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624158; rev:1;)
alert tcp $HOME_NET any -> [203.24.92.71] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsfcoatings.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rose2.tuful32io3.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624155; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.123] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624153; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624154; rev:1;)
# The two pt.t.* names are covered twice: by a DNS rule and by a url rule on http.host, so one
# infected host can raise both sids for the same destination.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt.t.nadimgadget.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt.t.khabeir.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624152; rev:1;)
# Host-based url rules: http.uri content "/" with depth:1 is satisfied by every URI that starts
# with "/", so the effective condition is "any GET whose Host is exactly the listed name".
# They inspect cleartext HTTP only; the same host reached over TLS is not seen by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pt.t.nadimgadget.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pt.t.khabeir.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2215.c70ye.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dream5.tuful32io3.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"740.c70ye.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"sti11.tuful32io3.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624145; rev:1;)
# The payload-delivery names here share a few parent domains (r46eu.ru, tuful32io3.online) with
# varying left-most labels. Each rule is an exact match on one full name, so a label that is not
# listed raises no alert; coverage of a whole parent would need a separate suffix-style rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"06342.r46eu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sk1es.tuful32io3.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"719.r46eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624142; rev:1;)
# ip:port rules: address and destination port are the only match criteria (no flow, flags or
# payload keyword), and threshold type limit emits at most one alert per source per 60 seconds.
# The family in msg ("Unknown malware" for several entries) is a feed label, not something the
# rule verifies on the wire; attribute from host evidence, not from the alert text.
alert tcp $HOME_NET any -> [122.114.8.235] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624141; rev:1;)
alert tcp $HOME_NET any -> [202.144.144.92] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624139; rev:1;)
alert tcp $HOME_NET any -> [101.126.149.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624140; rev:1;)
alert tcp $HOME_NET any -> [190.104.11.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624138; rev:1;)
alert tcp $HOME_NET any -> [150.95.83.34] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624137; rev:1;)
alert tcp $HOME_NET any -> [66.222.133.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624136; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.174] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624135; rev:1;)
alert tcp $HOME_NET any -> [139.180.155.56] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624134; rev:1;)
alert tcp $HOME_NET any -> [172.237.128.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624133; rev:1;)
# NOTE(review): a Cobalt Strike label does not separate hostile use from an authorised
# red-team engagement; check the destination against any approved test infrastructure
# before escalating.
alert tcp $HOME_NET any -> [172.111.139.178] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624132; rev:1;)
alert tcp $HOME_NET any -> [142.171.245.211] 31246 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flame4.tuful32io3.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3499013.r46eu.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"55728.r46eu.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"120984.r46eu.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624126; rev:1;)
alert tcp $HOME_NET any -> [81.69.220.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9031.r46eu.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624123/; 
threatfox.abuse.ch/ioc/1624123/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624123; rev:1;)

# Reviewer notes. Three rule shapes repeat below. In each rule the sid is the
# ThreatFox IOC id from its reference URL with a leading 9.
#
# dns (domain): exact-name match. depth equals the content length, which pins
#   the match to the start of the query name, and isdataat:!1,relative requires
#   the buffer to end right after it, so a longer name (e.g. a further
#   subdomain) does not match. nocase makes the comparison case-insensitive.
#   dns_query is the older spelling of the dns.query sticky buffer.
# http (url): http.host is pinned the same way (depth + isdataat), but http.uri
#   carries depth only, so the path is a prefix match. Where the content is "/"
#   with depth:1, any GET whose URI starts with "/" on that host matches.
# tcp (ip:port): no flow or content keyword, so destination address and port
#   are the whole match. threshold (type limit, track by_src, 60 s, count 1)
#   caps alerts at one per source host per minute.
#
# Triage: confidence_level and first_seen are carried in metadata. ip:port rules
# below 100% (e.g. the 75% entries on port 443) match on address and port only,
# so check the referenced ThreatFox entry before acting on a hit.

alert tcp $HOME_NET any -> [216.9.224.128] 1240 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b7lx.6362o9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"482.r46eu.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624120; rev:1;)

# Names under shared dynamic-DNS parents (duckdns.org, ddns.net): the exact-name
# match keeps each rule to the listed host rather than the whole parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"office-winemagbk.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624119/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"office-winemag.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624118/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ultrauraniummirai.ddns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624117/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"us.bootcdncache.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624116/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624116; rev:1;)

# 14.163.140.193 appears twice below, once per listed port (7707 and 6606).
alert tcp $HOME_NET any -> [14.163.140.193] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624114/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624114; rev:1;)
alert tcp $HOME_NET any -> [82.153.241.166] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624115/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624115; rev:1;)
alert tcp $HOME_NET any -> [14.163.140.193] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624113/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"development-tour.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624112/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624112; rev:1;)

# URL rules with a real path: http.uri has depth but no end anchor, so the listed
# path is a prefix (a longer path or an appended query string still matches).
# http.host holds the literal IP string, i.e. requests addressed by IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"167.172.107.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624111/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kawt2qxfppuenm/login.php"; depth:25; nocase; http.host; content:"91.92.242.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624110/; target:src_ip; metadata: confidence_level 50, first_seen 2025_10_21; classtype:trojan-activity; sid:91624110; rev:1;)

# 185.93.89.62, 50.201.34.202 and 217.119.139.117 each have an ip:port rule on
# port 80 and an http rule on "/", so one plain-HTTP GET to any of them can raise
# both sids; correlate the pair by destination when counting hits.
alert tcp $HOME_NET any -> [185.93.89.62] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.93.89.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"50.201.34.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.119.139.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624106; rev:1;)
alert tcp $HOME_NET any -> [217.119.139.117] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624104; rev:1;)
alert tcp $HOME_NET any -> [50.201.34.202] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drift.1-byhih-05-ey.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9r2.6362o9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deb1t.1-byhih-05-ey.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"above55.7-nenop-38-oy.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drain5.5-juzeb-0-io.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3mta.6362o9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"al1ve.1-mafus-044-e.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brand.7-nenop-38-oy.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624096; rev:1;)

# am.d.* hosts: each name has both a dns rule and an http rule, so a lookup
# followed by a GET to the same host raises two alerts for one indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"am.d.nadimgadget.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"am.d.khabeir.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"am.d.nadimgadget.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"am.d.khabeir.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yk8q.6362o9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fiber.5-juzeb-0-io.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clean.5-milod-931-o.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624087; rev:1;)

# 75% confidence on address and port alone; the Cobalt Strike entry is on 443.
alert tcp $HOME_NET any -> [119.29.246.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624088/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624088; rev:1;)
alert tcp $HOME_NET any -> [37.221.67.185] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624086/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624086; rev:1;)
alert tcp $HOME_NET any -> [162.251.122.87] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greet4.0-we-fid-707-i.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c2d1.6362o9.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brlef33.1-byhih-05-ey.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"death.7-doxok-46-eu.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f9m0.7i091.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"me9x.9z2503.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fresh.5-milod-931-o.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624078; rev:1;)

# Three neighbouring addresses (168.245.201.12, .16, .15) with the same port and label.
alert tcp $HOME_NET any -> [168.245.201.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624076; rev:1;)
alert tcp $HOME_NET any -> [168.245.201.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624077; rev:1;)
alert tcp $HOME_NET any -> [168.245.201.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624075; rev:1;)

# NOTE(review): the family label in msg comes from the feed. MimiKatz is usually
# known as a credential-dumping tool, so read "botnet C2" here against the
# referenced ThreatFox entry rather than from the msg text alone.
alert tcp $HOME_NET any -> [123.57.105.98] 443 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624074; rev:1;)
alert tcp $HOME_NET any -> [194.163.134.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624073; rev:1;)
alert tcp $HOME_NET any -> [200.51.85.86] 44347 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624072; rev:1;)
alert tcp $HOME_NET any -> [191.93.113.21] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624071; rev:1;)
alert tcp $HOME_NET any -> [196.251.117.100] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624070; rev:1;)
alert tcp $HOME_NET any -> [185.243.216.43] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624069; rev:1;)
alert tcp $HOME_NET any -> [27.254.164.197] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624068; rev:1;)
alert tcp $HOME_NET any -> [107.155.68.162] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624067; rev:1;)
alert tcp $HOME_NET any -> [150.109.57.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624066; rev:1;)
alert tcp $HOME_NET any -> [196.251.115.54] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624064; rev:1;)
alert tcp $HOME_NET any -> [27.102.127.136] 2401 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624065; rev:1;)
alert tcp $HOME_NET any -> [151.244.72.245] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624063; rev:1;)
alert tcp $HOME_NET any -> [123.60.52.128] 14444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624062; rev:1;)
alert tcp $HOME_NET any -> [203.195.159.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624060; rev:1;)
alert tcp $HOME_NET any -> [8.152.222.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fla5h.2-fyzog-201-e.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4h8.9z2503.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keeniy8.5-milod-931-o.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624057; rev:1;)
alert tcp $HOME_NET any -> [116.203.166.186] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624056; rev:1;)

# sd.e.airproservices.vu: dns rule plus http rule for the same host (two alerts
# for a lookup followed by a GET).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sd.e.airproservices.vu"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sd.e.airproservices.vu"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"angry.5-juzeb-0-io.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1gzu.9z2503.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lover.0-we-fid-707-i.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624051; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.62] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624023; rev:1;)
alert tcp $HOME_NET any -> [49.13.33.192] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624024; rev:1;)

# nv.d.* hosts: same dns + http pairing as the am.d.* hosts on the same two
# parent domains (nadimgadget.shop, khabeir.com).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv.d.nadimgadget.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv.d.khabeir.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nv.d.nadimgadget.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nv.d.khabeir.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1624020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kitty58.5-kafaq-7-io.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fa1se4.5-milod-931-o.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g7k.7i091.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"issue.2-fyzog-201-e.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624015; rev:1;)
alert tcp $HOME_NET any -> [89.117.109.250] 443 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1624014/; target:src_ip; metadata: confidence_level 75, first_seen 2025_10_21; classtype:trojan-activity; sid:91624014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vj3c.9z2503.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flour.1-mafus-044-e.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624012; rev:1;)

# From here on: 16-letter .xyz names, all labelled botnet C2 at 100% with no
# family named in msg. NOTE(review): the naming pattern looks algorithmically
# generated; exact-name rules only cover names the feed has already listed, so
# these are best paired with whatever family-level detection is available.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swmgcamgigkoeoym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swwywwymysoosecy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugyskuqgsecogmws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouuskcgsqcsqeaea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaygkkqaaomigeag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ockieeauuccikoom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aagkumoeiiuwgcmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywuyikoycygyekoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyawycgcgawuuggu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amimoaukyccwiiuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaiekqwwkwmmcmcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmkccyaywogycika.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaueecsoycuwyeym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoquuogswecawyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuiauyuaqskoikc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywyowqusaouwakaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asgkogguuwqeswae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amcoaamuokkuaiim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiegcaqscmimaqmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkicsyekaiqgsike.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkqyycemwyowmemu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycoumekgecwceaki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmwuocamqskikssi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmaumugqiqeyscek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiossggsomokycwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euaokciwiscoggms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ammksqmawiuigiak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckwywiaymkoycawu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gseaucaogwegkgma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmecagoqocgwmcgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sksmasusomqsuaks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ywcmusqkqsecswuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkgsmwgmuewmiues.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1624004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91624004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgyuguiocoogoaqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scksmumaeygeycws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiqoqwgwquwkwkec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swewcuiwioykeocc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qycmggosiqsyqeei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asamccekqygyaiac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaoasgikuakmyqmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cewkckyqqamqimwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eicgmakuucoymmuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsiamqakyuqekkeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqemuwiaaksyooco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eusgiosuyequgmee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycemcyyqeaeuwmes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckuuwcmwememeyqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaggoyewkgyqssoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiwcqycgkkkoewwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgqkcumqquwmkyma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asyiwwscsmmyayoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cquumuisyegsocaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"amgeysakqwqyaqqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eacessagkeyuyoue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugywwcuakiqkuays.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmggcmmokqkksqea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsyiwwiaqekewgmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcuaaeqoiuiucca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsqycegygmwyiugu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoymuqqyimccymka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geuciqogsqckemgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmemosewuagoeyga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquugaoqcysqmugm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geeaoqiciggsiseq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amuoywcqegayoeoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euuiysseumcagmoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmaoogiwcaqmisk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouikysisiuukcegi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuywqoweeyseeoow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakimguyswswaukw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkcwowoioysmaka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwqsaaikmesokssa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkyewmwisgmsyucm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"icyywkmoouusqqmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycgcaaciwyksmwka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kagmeyowkoikmywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywskgkggagcecis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmssuqkamcowccmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gekqeckucieuuyku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqiiamieemsaeqes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikicwsouokqemyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiuiwueymwwykwuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwegacwgoockcuio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uasymysgswcuysoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaueeayyciwquugw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kauyuyagowykwmci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqegqcokmssmokyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qygiswmeiimywuuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocogkwkcsoiuwkyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmyauomowwueaqgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ousgwwwuusuuuwuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqecaggymcamyuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkeaccaemmgeymew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqqmywcwcskumauo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yommmmoswykocoqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623928; rev:1;)
# ThreatFox botnet C2 domain indicators, one Suricata rule per domain.
# Match: every rule is an exact, case-insensitive match on the queried name.
#   depth equals the length of the content string, so the match has to start
#   at the first byte of the dns_query buffer; isdataat:!1,relative rejects
#   any byte after it. A lookup for a subdomain of a listed name (e.g. a
#   "www." prefix) therefore does not alert.
# Direction: $HOME_NET -> $EXTERNAL_NET only sees queries that leave for an
#   external server. Where clients use an internal resolver, the alerting
#   flow is the resolver's upstream query and target:src_ip names the
#   resolver; use the resolver's query log to find the host that asked.
# Coverage: only traffic that Suricata parses as dns is inspected; lookups
#   made over DoH or DoT do not reach these rules.
# Pivoting: each sid is the ThreatFox IOC id from the reference URL with a
#   leading 9.
# NOTE(review): the 16-letter .xyz labels look algorithmically generated;
#   that is inferred from their shape, not stated by the feed. If so, a list
#   of known names lags the generator, so a quiet ruleset does not rule out
#   an infected host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyimeyuiqauemkyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocgqussywgiqsmcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skcquagsucykaksy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqmogycykwmooask.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqwqiokiwquoemcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yieogqimmuisiemo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amokukwqcqcyagsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yogsuuiqceuoeaia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugqskmcqaikeqyys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuauyicwscygsaym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuacyyswccgumwsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aauakomkyskwguic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesociiyeyiewiwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiaskaiskigyugym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiwmgckmgkeqqscm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uusyqkmeasawwoig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqqeekuoiysmuyse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asyyymkiqikwoqim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumcekgsqaqaqqgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkcswoyqiseqeqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aseowmieoeuyceaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euoeesekwcaiegoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsaykscswquqskag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gekmioeaseigmcoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meiswkcsyasiiyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gswqqguamsikeawe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkwuemsuweckimms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiugwgicwoaoeekg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsaymkmeoqkweqom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwiacaoimsyeqaog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uamakekeaywqekgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooekayaacssukiua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugqgkugimuecauwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouckwugumkuywyuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckqeymmcckqcmkge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceeuaeusouywueoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuoswqosgsygwgyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqoigwsysyguymq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgoywwoecuuuesss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amuqaagqgucwqawu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwwekcmkukkcqugg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwcwguweoqciuios.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkoouwucmogmymmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceciiwkcomkuwmsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocouuisyeywqgoii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwcgsgeuuqueoiue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkumoqggwumacocg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wysuwyukekuekkoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiqqekccamcaacea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmcyyyuacccgoyoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycagqsysaimeucmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eusmqcgoycueqceo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iciyesoumayeqmca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwyumwamkamkygsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsiauogciekwcumq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouessuiamsmyiaeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmyceuoawemqeaog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaguiaoegcugwycm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scwwokqksssasqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swsiueyimeyieuas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqyemuequosaoeoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsikwcyikaoyyew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmgucwqacuamieoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsigykwceqgcyqeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiisgwsuegicesc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgumaymeqcgamoqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyyggkueyiigsau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweyikswmwssiiyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgkequuwciqcwyga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkycwgigqmuiagw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scgaoiaouigscmgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaoseciimsqaukae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwkmegkqkwsosys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugmisuusguiuqogs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugemyeykskqskygk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwgakqyesuewcqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaeskoiogyuoiiys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakmagcessyikmsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwgcemyaiwokgguw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oooaacyqwkeqsyge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icaocoomwsewakec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqqwokkciqysoes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiuqogmeismuygem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouaomegeqccoqcmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiwqsecgysmsumww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceqgkakksuqissss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmiamicwwgaamyks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqqcmwmqccoiusei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wekocacgywqowiee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scqkkawwaeiuycuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swauwimmmissmcms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwgmiewcewkgkkqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckgqosiuuwqaqygc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scgukyykcmyomkci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsieiqmcwqocyusa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceimmkygecccckoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouieaoyseyqwiiya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wewukkwqsqyakayg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaqeceyckomekqog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scsscmswgggeywyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmaqyicgmmmmaiuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekqiiisagweyoou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wssmawikkqqauegg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qggcqyeowiscciqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycaiaygqekiewgqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oomwquaskiukqwgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icksacmyguyywoei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agqyccsmsqskmumm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oisqwyieguqiueko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccaaeoqyugimqcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocuaucauimyykgqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmwgasiacysyossq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geecgqqmoieoakok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwyomgkswswwqqoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uookygcsymgckkam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aacuiqmqaiqyoyys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwumogkikcwsykc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcoieckuccqksis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weeagiiucyysiagk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiciquqaaikuismy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiqycewuuyiimciu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoauiuaukyqssgoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceocikqwyqgsqusu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aayewisqiiwgcaca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qysmqymoqkgacmok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oowumwuwkicakmya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgkyeekeiuyocqas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easkemuwwccgaiuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmuaogcoukimgye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmccmioyoicqeaie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywmmakciemuuamqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kusgqkiiiausmcoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uumggimemkkwaoae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqiiuiioioiwqimk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckwsgcqyeokqgmoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckuemewioukyuqgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scsgmogsimwwsmci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ociyykwkywcgiyyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmmmeqiweugkscim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoamwsqkqecsqiak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wesgcoaoioyysmsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcukwuaawsygeke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaiuqkcoseoegogc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aswmmqikumcgcgis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meqomgsakqugsqcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aacwmeqkgoouwimu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eiwkccyoaswiuowq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmiuuueksmgoesys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wecusossiessimes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euowsamwkmciamek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmwsgiagsuamcwui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiewaoawmgqyqqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkcmemeeoewcmsmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmoaaiquceogqou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoomuiusqaayyiag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyskcswqiqwmqygg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiokmeaeumsouwkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eukcqqekisosueqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmkaoqassqwiiqgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyeomeumqiqsucsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceioouyescacusam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoiwameagqsouaog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycucgwkgaykgegko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsasqkuaisouukeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ickguksagkouasmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycqsumqucumqqewg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wykesscioqssgsgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cwkksumkecuagygk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkkekkigcmcyske.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmooumomqkayomki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uggwekaokcicociy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgauegcwuouyuyqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weuooasoqeeiqaqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouayeueuaywwyemu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eacoiemqessaeaqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uusiywouyuwiosuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocaoaeyyqiugqyye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikaoggkgokmieao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623755; rev:1;)
# --- ThreatFox "botnet C2 traffic" domain IOCs, first_seen 2025_10_21, confidence_level 100 ---
# Each rule fires when a $HOME_NET host sends a DNS query whose name equals the listed domain.
# Match anatomy: depth equals the content length, so the match must start at byte 0 of the dns_query
# buffer; isdataat:!1,relative requires that nothing follows the match; nocase ignores letter case.
# Together these make a whole-name match: a query for a subdomain of a listed domain (an extra
# leading label) does not alert on these rules.
# target:src_ip records the querying internal host as the affected side of the event; triage that host.
# sid is the ThreatFox IOC id from the reference URL prefixed with 9, so an alert maps to its IOC page.
# Coverage caveat: only traffic the sensor parses as DNS is inspected; lookups carried over DoH/DoT are
# not seen here. An alert shows a resolution attempt, not a completed C2 session.
# NOTE(review): the 16-letter .xyz names look machine-generated; the malware family is not stated in
# the rules themselves - confirm via the reference URL, and retire entries as the feed drops them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eosewymswesqsguy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymokcoqccqkgcsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icigmaigekmmeeso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywgyesskoiyosse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsaiyywwesiaguyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuugqwscqeumoki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uguiecwmywkooqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euwyyqscyycuyqkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyuuiqmiksmsyegc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asgmmoacqememywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qykmiacakyeuusis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agmmcecssugequmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmiamgeakwaksesq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsskiuymmqisiokc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyisaigemckkswwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsgwuugkswcgwoqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oowkocoaqqaqekic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyomaweoayewwwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiuaceawkswcweia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouacuwscyuuecwku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myuwuisoqwgggoew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywqemyegckmscqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asakqugqquoagcya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgkyckcyayegqcma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icoqokmmyqiagoew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoiisokaeycsgoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eogooiqeouoougkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgiikguckuggkuqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkauigugcaoicymm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiooeuioqewgeyia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mecmwogmuqiggaik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouyyqsseywwuekqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywsggqkqmmiggaoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywgsucussesagikq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ascasmmyussayysc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqgmmwkmcwmiwuka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swwuaqoamkksecge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugsauaciiyuaomqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkmkqieiyucwykge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmickmwaakkqoguw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgucwqcowwiucqec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wswaysmegacgogqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaiwuuokqsoaiakm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymouiiiimwsaqqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwcwueewgemuquw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycawimkuoqyicqkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiacmaasgsqeiaek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqsqokqaeyoywock.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sceemewqmiikuoiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kamkguwakwcamoya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuueaqqweiimquks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaocuwcuwiaocuiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyewiuiiaeaaecwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euiegeyseyqyuyge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsimseuayguucygo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyusaicykuaeyske.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wykmumusqaqqgqgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qycokamiqogyqgmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywqkemwuesimamga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceqikkgqigmayyoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoeuiqiqyiyawcgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gysccowmiqcoqaas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qseqkmwmwiskmsim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqauyawuyemomgmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyeqmaogcqaiuuga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckywwseueguwyyye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skamuccygiqoqock.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsesyccsskgeqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekcciaawcksagks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eacecoguuecwakss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqggokcqsmyouwos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooigsiugkoimyasy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scomgmqaosaocqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asqoamkwackwaeom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmsomaweaymcqikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymmcqaaegiceaoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqskeyyecuqysiwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoyamacygskkyuae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eucyiakiwusykgeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swimcyiskqcooayc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoqkwsawwqkiecmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyckyysqyowgamga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaqyymuqcceqyasw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aamgkumciccakioe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceyoagkmaoaauiyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoiyagiwkyuscuik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euyywugygymaygms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyeiwookikuwqwyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkqccoigegeaosme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oogeycuwcakgicwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaeqgugwooikaqmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gskmcmiawywuwake.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugackmayyokuisya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiaaeaesuwyuqkam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmamgosakeqegcek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyiyauieimmseowc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qskusagqsousoycg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsqgwyemuycmuqcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scmyquyoaumgkcik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmuiaaiqykcmwygs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsyykycgkuckuwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqckeqqemcgoasqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymssuweuwioskai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiukkqyekkswsai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqssmwciuyiogom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wekauykisssmaaoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmgawkemgguucuyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaqqykckugouuikw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sckgusqaookqause.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuyqymgswkicaoie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asciqygsawkwgeig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyakqwocyaucaguk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqaqkcoomukaasoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cewsouosgkiuakou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oioiamiskqkcsigu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oowmoamiyeeuicog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyweawmyguqoumm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyyyogogweeemek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eowkwooyakkowoku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoyeowegskgyeigs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmegkkesmiucqqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgmoqgkggiycoeem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqeeukocqkkyoiyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qskeuiaqmggkcgkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amaegcuysasmqqcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assksumawamqycum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqumccokieqasmqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasacogqgiiiaswm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skycecsmkqwymqmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgogygycqkacoaeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agoamgkwoqwimusg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqwmkouaaqkwigcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skymgyissemgeseg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gecscueqwoyummya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgycaewyegisyggw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icgckmiwcuyugame.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qyeecsomseumyqko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askowksuogwyuogi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eowscyiguugyueso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsaucqikaascqyco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgkaqeucgswcyau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwqukwcyawyoqueg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkkakossueqewwkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooooyamuaaeemsgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwmgougwkaukiiuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agikwekycywyyiak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oucwawsguqsoyowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiwecgsggmoamicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuiqmmyseswoeeko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmcqwemqcywemwwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ookmuuwmoqmumueg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqsmccyawymamwyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yomaoyceoswiwoue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uomgwcugyayskkwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skuiceyumkusucmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsaosqukyaqsmuce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooswmewcicmaoisy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kgeykcmsqgkosgcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycweuyyukgyewksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oigakugegoggsqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iickgicasqsiwauo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikocykiuasceeoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquocemmieiusayk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youckywkcogwgyys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icwawukewoqseugy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amaysymmyywqiuuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ascmkwwoiacimgak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yogccgoqossywyyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaaqsuoysgiwcwmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecgsoawsoccuasy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceysoogkggkwicem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoygsaegscmeaii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkiqywikmqqksqew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooqsueceweqiukwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyygmiaaseaceuqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuagmqgqguouwoys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqyamequmemiwqek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyakakeciaggiaku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gyassaqsquqgaswk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oukqaqgeysesaqki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eakikqeqqqgiauag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsayqmqciyoimgqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skawyuqmciygsiaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceoqkucwuaiciimq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiuemsioueuyiok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yikckuwmawcwagqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameksysaugiueiok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kagysmucqwwsegku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuaeacqsicywogsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scauwqkmigiwkicc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqasayuyymgikcaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kueocoosysmcqeyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoqawmmqqkiciyqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkaoymumaoaueksm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcwameykaicgsqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoewmgsqwqsoaqys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oueeoiecuccgwgys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawgmaqsigewcgke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwwqkogaioooeuyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gscimcgwoyqemuog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ousukqcsyaogmcsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqssogkkuywqiisg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgcemsmqaugccmky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwisyaikmaaqwamc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaoqiaawiuwieege.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icykwasuaacgwaee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyguimkmeokusgky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ougmaoekgyauausg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wygciamkccyqwycs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skycwasymcaiwuwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgyyuwoqeowmguew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwkwaaggciocikwy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyuuqgqygqeoqwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euqqyogkiwgmcsci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckcyiqqwgqymksii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycsmmcwioqwigimw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oueyqioaeykqmcqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgwsomsqymkcmiaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqcsiosakqwimimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqeqicuisykeasck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uuqgqiiyoeiqsiwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmmyyequceqmsika.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqqqaiuoogwkugka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oioqoeiyameqegas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiswgmcemycqqaes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iceiwmgsqkewgaeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuoumkiccuqmmswu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmwskasumegeguqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmqeeqoiogwwggws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceogmsymuuqgeewi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuukomqeusawwqyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geuagkcgyqswgyuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqyakeeeycumymma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsmkwaiieiemsowy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkewkqiyaqeeksuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmmyakcckqsssys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaoceymuieueakue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myukomuskauwcsks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywskisigcwaaewug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmgqgsmygaywuyuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eumgumiuiuyyseyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gywugqkaaaykwkoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoymseiyiioeuwkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myuwwuiuweqcucmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqwemgogmosacuqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymossqgigmmwcse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amaaymyseygywisu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmacgkmgymgeokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmkaimceayoegqcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meqaumiukcgoewkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aasesukmoeugkgom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocmysucieswskgcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoyagkwmowiooumc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weisqkcuskossucm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqaskqigooaumoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckskugowqmauqgks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmeowauemeagwusc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkiokuykuwmaiygc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaiaugmkkieswias.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocowckaykqoqmmmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmigoymaawmcmeeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqgsuiqwukcygoym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uamekwieguoakekq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoecakimkauaaiug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youuswgkqeoqsckc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ookiaueqiiagcccg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meissswgwqcwqcsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agkacceusukyauqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwgamaaiwskaiwoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmgcuwqmqaeswwuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgmcsceaoegkgmmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqwssuisoeukemke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqkmmugmegswiyig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkkemammskoaooia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiammimscuyeoymg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aseueekuosowqssc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meuemwguyykwooeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmmigukyamgcmugw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocyiuwyugkmcuqmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eokieyckaoyiskcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsygwgwikeqckgiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yisgkysuykysiqgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agcoquqkqewamcko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eoukskaqosmsuasq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkukqeeuyyekmeki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycmaoqaaiwcemicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqaqkawmciuqkyek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywicuwoqwoecswcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwqikwkkuiiymimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsecoecmsyiaeuec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsesmoqkeqimkgko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawwmkeomocyuoki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meucowoiiauygwim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scsckqqqgwcgwoke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uouwkiyqsoemyyuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywiiaouqogogugci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sciumamwimkaswuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsoymmioyasemwqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiqwcgukumyuqgqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwwaigiuaqymssgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oumswgimawqeause.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuwkikuuymqukoeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaqioewgoeegoyom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skaociskuqmkgemk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"oimycyykisesayci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euakeicowcemekeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uggmsouwumgygqee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccgqiuwmgcuwoia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agiausoqqqiegsqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywmyicsgscuyseum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mykgmukmuqiaoemq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawokwywmaqqccwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icmkwggkyyywaiiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weacwmqwaiaqouqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoauaqaccgaewiky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmmsmsgyomkiwciy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqummsegswyiouyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqeecaoskeikomme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaeykcaqusesoysq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qycokyeimwogquqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwqacasqgiwksym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amewywgwciyacsso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouguqgikyuuimeue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqyaokukoswyicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyygqkuckawayeqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mqwosayocyomicma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsgkkqqesegecqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycauiaswuygigoea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmaiikwmywcmigm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaosggyucmygsww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwiyyckuwumyaewm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwscicsoqayokug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkmccciakgsckcky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmcwykygwgogweue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmgmukiwewyiiaoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaisskgoikcwuyag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiakisykwamsygsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgwyowemcegieaam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qymockqecaqgseie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkaksmkgwcwgagsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiqmcuwmmkswqmye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmoimkoeygusussm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amogkeeeieeskymm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmoykyowyeumcsmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiqysswawcmyagww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eisgacmckiowmcwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uuoiisoiokewkusg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaeygimikqskkcga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsuqiumkimgmaysa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesmmkwsogysqcgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckoggmmowiwsugkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yosoygsgcuawoeia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kukiksiqawiuaeoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qggqkgiykkykaqwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocwuisckykkgaais.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouskeocuycaksocm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaqukskwsqwmqeku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623365; rev:1;)
# ThreatFox botnet C2 domain indicators (first_seen 2025_10_21), one rule per IOC.
# Each rule inspects the DNS query name (dns_query buffer). depth is the length
# of the listed name and isdataat:!1,relative requires that no byte follows the
# match, so with nocase a rule fires only on a case-insensitive match of the
# whole name; a query for a subdomain of a listed name does not match.
# The sid is the ThreatFox IOC id from the reference URL, prefixed with 9.
# target:src_ip marks the querying address as the affected side. Where clients
# resolve through an internal recursive resolver and the sensor sits outside it,
# that address is presumably the resolver - correlate with resolver query logs
# to find the originating host. Lookups carried over encrypted DNS are not
# visible to these rules.
# NOTE(review): the names look algorithmically generated; indicators of this
# kind tend to go stale, so consider expiring rules by first_seen age.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iceuwegeqqaeqseg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwkcmyggaememgog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwumoqqcomccoagg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oisasiuuyoyiwmwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqesyawoaasigsey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myqyqqgkgiuoooui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuicqsqwaiugcmuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqcgqwaqcoesqeas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eusyaocuyqsussuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiiowwciwksuqqgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meqyygqiikcqymae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkkgmaeiaougeiog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uocqgkuuewiiyeua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymiqiuckkmsmsqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaagwewyeiswmwac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icywigaokmewuuyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkecogyoscikqkeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwscqmagucawokws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwgeygkamuwaiyus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqywkouyeesmscmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckqimeceiegymgkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gswmaeymicaiycia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugqaoicaiisueyag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myiskcemogyakmcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoaugqmgceeaciai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiyicsuiaiyciauy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaoisisysskqaskg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaoauwwioiawsowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwmyommiqcwauegm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iicoioeaewosauie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsecegcigyiaoqgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmiukywwooeuumus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aagcgekugkkgmwmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckesmqaawwiwuymm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyyegmyoqesioqii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkmmskkukqgmqism.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyugwuosuwcqucoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoqemoawgikwikmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiyswoqmsiouaacs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skqsaoscqcywiqqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqggigykumoycssg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsgckqekmeogooei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwguswkueycuoeio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiaicosgikiuaicm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkowegcqyiakuwow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aamyuyasecoegwss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgckkukaiioecaom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouecaqeqkiwkygak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkyguayygycgqmco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyiweggimywqciqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkyougmcwyssauui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyeumokkeoougaee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uumgwcsoasaaymkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmomuwegkksiusqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uowuicmumiscaecy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kameegwwygsqimcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaaqkkkmeaikqmak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeakoemukkyqwom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywigsomyekqcwowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agmuukmgcugysakc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icayyssoikqykmmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swsgoeyygsuwuooo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyeuwsiawigaquky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsekwokweacsmkis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asoqcqcymamwumkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqouyaeuaocyuawc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmmeuiuseeycwkgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkkaakwmkkamooqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyeoasemmqyoeiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaqsuoymewwkiagw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yowkweauqkwoewae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmswaiaykyukiuka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoaiigqiiygkomq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocswecquqmcqqoyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgykmmaigaowkgau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqwaoesouogyyyaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaeuuiiqoiusqkei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiesiismqaqsyeqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asigeoogwgsakweo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqmueuywwiossoma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsakmuwuggqekce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocswsssamecuyyus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyeogmsossiqqcce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooimgucgsmqyckuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcmsqcaeeeweoom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsssqawksgmeosio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uucaoagmiauaqemy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiquawcuimowweci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uowsskyycuqkywug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoquwwcgikokqewo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwkqcqggmekaagyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eusowgqiekwkgemy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eukooycososmowou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwcmkkoiwesieeeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cweesqaiqqacmwos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oieuceuumkgykisc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsimkecwaiywyymu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swmoomuacyoocgwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yowoikgkcqaqycec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugmggwcwegwkwwmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmoyeogsuwuousoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wskgqwessgwiaamq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocqgaysmigqemywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agmceiesyaueoiyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amqaskmekkwqkwiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaciuoscacuycauq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmumsmkgiqsssogu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckgqygyyiuaqakug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmqwqqwuoggecsei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycqoaeeoqewewuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skqqmmuccuqiowuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoewcqugqwieuywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eukwmcwswmiiuwmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckksmwsysaaouewo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agguuwgaysasmumk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yoqcgsumgmaikois.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cequeayyosuesgma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceeiaskumqycqsgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmwmmokayacqsos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyksqageokuycuqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyskuykyguimcmgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmiesuaaqiagykg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccmaeieukoygaaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqemcgkqouoiaeog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aamkkyyokugieamw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaieyymcyuiysqou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqiswckqkymssgg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gygumayikyumwqqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amkiucmwaagmyukm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uussksckoooesmou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicyayiqcgqewwgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugswkeiqaoiymmcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiuggogkgycmswm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myqwgseuewgiusyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiueikascyumgook.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmogygcagsomaqio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uggqaeussgqymmae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwwgouqmwiwkqys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiycwqwuywqkwiow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmkcocageewaeeyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuagiwmuoiuacueo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swagiukoogqsawcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyogowiakukeceeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckiuyamakwuaamey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckwmuwkiesieceyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qygyoekciekiqsuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myswewuwckssuuey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkacoksmswmikwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qygwwkwgcqmsesoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weqqwcwgsgwmuqoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wecgygswksqwkisq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmcgomakuoiikcyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugmmaqigimcgqmyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmmqoaimycaewucq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocskcmkyomeymkqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myocugksiqwuimuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyecugiccgcewsua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uagsgemmciosukma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkwmeuqqiekkqkga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiyyegmuswyyqyig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouiawimesyqwikgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekeigikgaegekmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiaykoqiueckcwgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwgkwacwesiwqiqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcwaigkqcucysyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiiykiwugcgmsugg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geyyegoaguiyakoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqqiyqsyeiuwuqoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaqogyqwamcgogai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuauicaiuwcmoqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceumwewqqugykcmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kagsyykysgoakeou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ickqywquiwcqogyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weweamwkwciuuwas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycecaygqusgwkiue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmgieqscuomwimem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkcyywmwuiciuiim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywescoykuiqksma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uogmowmuwkyoyeuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eawqqiqaacissiiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euqwwkyoqegyqasm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqyikiacwsgsyqyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiycuawakywokkem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amgquqsgqaywweag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oougyaycugqogyma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yckqsouqaycoaemo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memukqwoogwosuky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqkkocseqmqgiqsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikysqyuisuseiae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgwgysiieukauiqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scweaisgweecuwsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ammmeiisacwkusci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swqqwksiuuoiaowg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugogamiqkeeaauyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oumuouekasmyuuuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsseakqiwmiaqcck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kusmywkmikcycokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsqgiycmoammkmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyuccyuyqqoocwsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qskymeqiioycauau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iceymoosgecukosm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuiasiguauaummiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaqmyeeigqeyaoea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wemgoieimwkuwuki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugwciqomuwsocmuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scekkugeyiqgsyya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuismwewweckgcua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaowaugsmgmeuaya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuoiscaekuuewgek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuymguqwuwemgiuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yigueawiwoeqgqwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ickogmwckqqiiqsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsmuoomcgoguesuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gssqeoeimyqqwkgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywicgcsoawekaqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mygecimusmicawug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoioaiwmgyuwkuee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkmyssasuakyyimy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweykuemqkykyciu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oogwioyuskmaamqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mqqwkywcccaoeusa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaesicsukqasuuiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekmkwcgsgkqesom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiskwuqqqeqcywwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skwioosccgmoakay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqwoemykegsaomgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemysceqmquseisu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wskiswymwsmywskg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocecmucooowgsuqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqwmgqyckssqeaac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyyciceiwuoscoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amqgoooyyeigiaou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qymwyogeggcyqmqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asweouqeoeooccau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyewowgcgwaemwos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aayyoaomogeeyqeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsuqmywmcqeawuys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckweqskaikeowcio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsucyquqqkmuqeog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gycigaiwoueuouew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmeowicggwmkagmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ycucegaqkmgewsms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouosgumeusayayki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuyicyqoucacoyoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgawyuoayakksme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qygwcmwcoeswgaqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ockiiaqoiyqgquke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiuuqeqeomommqii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcikemiigosscck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euswyqisamaosums.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agmmkmcqckiysiiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmsqukskyssecqcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geiegauqayqoysmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqmsckikykaeuyqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceagasaamwmaaqoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouuoksimsekaqwoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eusmsicogmwquyoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkoeyigawygqiqse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mquqewggeeoymyey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqmysuoiikeoauqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iweuqemgykuscmwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceayagiwcmgkgwsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kuqyigaioiwgoosi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckggyeacqkuewaay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swweicewicgugice.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqcayeqekecoemmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmqscgqmieysqime.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yickgqscyeymaogu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1623094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623094; rev:1;)
# ThreatFox botnet C2 domain rules, one rule per line. Every rule below has the
# same shape; only the domain, the ThreatFox IOC id in the reference URL and
# the sid (the digit 9 followed by that IOC id) change.
#
# Matching: dns_query selects the DNS query name; content plus depth (equal to
# the length of the listed name) pins the match to the start of that buffer,
# and isdataat:!1,relative requires that nothing follows it. Together with
# nocase this is a case-insensitive exact match on the listed FQDN, so a query
# for a subdomain of a listed name does not fire the rule.
# dns_query is the older spelling of the dns.query sticky buffer.
#
# Triage: target:src_ip marks the querying host in $HOME_NET as the alert
# target. Where clients resolve through an internal recursive resolver, the
# client-to-resolver query stays inside $HOME_NET and does not match the rule
# header; the alert then fires on the resolver's outbound query, so correlate
# with resolver query logs to find the originating client.
#
# Coverage: only DNS traffic that Suricata can parse is inspected; lookups
# carried over DoH/DoT are not visible to these rules. confidence_level and
# first_seen are values reported by ThreatFox; the reference URL gives the
# context for each entry, and entries should be aged out according to the
# local IOC retention policy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugyyskiwoewoqoki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugwqykckkqaiqgeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uugwqyugaeaekggo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsqogeaegwoiauyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqeiakaaqecqwiym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agoacmscywiwaqkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eukegeioesigwkui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yimaosyeyocaokao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oigwoycoiykysgey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyoisyuekwaoccou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asosayguoamgasey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqwmwoakgccgoyie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eioeiecuuwssmamy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouigeoowkcysiicq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsmqceqyugiukkos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amssweawgiysgaiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwueoocegccwsegi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyeskcuacmwosiaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckeeqwossgmyasgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuigawssgmuoakc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwwemecgwksewyqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywyekkskgwamckuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wssykomcyagwsuye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiuokqcyqgeasmas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euqcgameuicaeuiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwaswigyuyaueeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqaesugcyusuegco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asogagikayyqwmsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoyyqewiayaiuimo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmymcgakwmwcgokm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myiiweyiogagqgqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oikwocikycoawkaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swocgwccgeakeqka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkuueuiosyqkeuua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckiaecewseqeaowu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsgqccwomwiuuimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaiyauucmguicmis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmcwsssieusmsem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skeeuqqocmowmsai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkuskwmgoicuecmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swuqogymwqukqgkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqucsaiusiauwsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsimqeeskmqawcec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwakoommwkioouek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sckcgscieukceess.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myeugmmaqgseeewi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wskgugiicumyyeig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmwkccwgcoqsicq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yimeiugeggssskqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgwqogwagmsqqawg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qysamoukgeqwywsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scyqiocswuqicqiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agsqyookkqgouauk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeaeisamesyqkeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmoegcqyyaiqgiow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmsgaguiymwmqkqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weeqeaogcsywkcci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooqeuymkeuguwccs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyowgiicscqkqiqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycqciiiuogymaoss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysmouqemisiaess.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckqaagoisemqcsac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oocgggssueyqukmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgmsqcoyuaeiamcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiscsqmymmyakqgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmuiayaowkguoees.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yomkucgggwycyekw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakgcieqswsimkeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"occsgaosgocoqoie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yosggmamkkcqcgmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkgimayegawwuosq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameiimaueegyycku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oummecouoqueayiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ousuecesskqckkka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuoieayiekaqsmkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekimuacwueqmuas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skcsmowaumuiyoio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cksmwgykwcckciqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooymqqseyuuuiecg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcgicccqimqygwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyawseckioygqayk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwmgakiaswummska.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckweicukgkkooaqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmmemossiigyciio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsciiccgoqckkwui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agkqosoiuiwkqowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icmqwgoommeyysgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kggyuekakcocqoeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuqomsqqciewqmei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiaguekwmmmcuose.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aseamacuakimgewg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywmiwwugmuyomuak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmuusguwumkawywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwwcomqqgqmgeccg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiogcqaemmymuqae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swouwsakeisgegiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qygowwwwacqqwuis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ascoswoooqmccokg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyeyegwuekkyqwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oceicwoomiaoimmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiuiugqaekwqacuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugceyaewcgyuqkio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqagkweiawgssmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weacumkguscewsku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geqkuoaqsumigyyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ougeawmakwicieaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623000; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wysyosmmioowimou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaoqugugsqoaoeao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiqcouqmaoaumikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawcksocueuaycoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91623004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyquyosaqqgcwio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eucwqoqieuosiksi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicyayyiuykseyag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eomiceiqssukimss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qymisgwaumuoakwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgckeqeymcqkokik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywseuekyqawqiowo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqucyaiwewkqaimy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icgiekeaekyciasg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1623013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91623013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicqkwakmikcykmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cwkewmkkykqkmeuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wssgwaaumwsegeoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoqukwescaieasck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugcwecmmwwgeigse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qswcmkacmauowqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iccouiewowcgmkks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yogaaegwsiucyugw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geoeakaoswcsgcyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eomuismywiyicyoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsqiikisyqceoosa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgswcygmsycoowak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meymoiqyoqwuisso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weucmeqqyuguamue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiucyseowsiyquom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckoasgeimsekmwcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycwgcgoyewemewmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccmqqwqcecyiwum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qguaagkouguosqga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsigmimyiiiicqca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuqgkiiwcuyuucke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaeiusmwqemguakm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gykeqoeiiymckwqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoeauyqqwwocqgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uukkgsiawyscsmim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwkyaesowuoqsciu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkskaiyoiaqmmso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkwucggmciiwmwm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmiaoqysaggssiio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qssueyqmeysscgsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weamyyeoyoqsumks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwuukqgmmimuyiua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugaioyqiicmcwcgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uumkcimioiokmogq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eimwuggukswscwme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqgsayuoumkiemgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawqwggomwmmiuqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkugoyqscqwakgas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icmmgoaciysqmmgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasyweiomoggmgoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqmkuyecsyemqsuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqsmgwqqeuuosusu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaeokkguegioaaae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ugqcsewsucaagkak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meckaiomywekycwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmgsosiqwcsmewss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoscscioeauyioqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqkigiaukmewukkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swmysykcmyskyaek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsgoomcskemmwaki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycqsoequcosicmye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiqwmuisiauiccg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oumimkwggegacgsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uosiaeussuogmiic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myyaqaegcumskqwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqweiuwsiscecoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyouoyoamgsgqkuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uasoquqggmmmuqua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugoeiogqmyqwqamk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scawooooacuceyqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622952; rev:1;)
# Review note: the entries in this stretch are ThreatFox "botnet C2 traffic" domain
# indicators, all carrying first_seen 2025_10_21 and confidence_level 100.
# Match semantics: depth equals the length of the content string and isdataat:!1,relative
# rejects any byte after it, so a rule fires only when the whole DNS query name equals the
# listed domain (case-insensitively, via nocase). A query for a subdomain of a listed name
# does not alert.
# Triage: the header is $HOME_NET -> $EXTERNAL_NET with target:src_ip. Where clients use a
# recursive resolver inside $HOME_NET, the flagged source is presumably that resolver, so
# resolver query logs are needed to identify the originating host (confirm per deployment).
# The names look algorithmically generated (16 letters under .xyz); these fixed-string
# rules cover only the names listed here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eougmskmkseiqeem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycymoskosmemuye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagkokwuimeokmmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsakcgyqswousoui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasoqkiymyygcqmm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aswsgiauomcmymae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uokaygiaseqggqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgoaquwsyauuceew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geysasyuaocskgsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uacimkisiqsgqguo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swuiwewyiogiowea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiokismyigokyaoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwyqkaikwikiugoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agasmwwgoqwuoiai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocmggowuicgmeeqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skwiecokmiiqgmom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meugcygwcuwoqgis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swgusaiyieoiygsg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swywymmswicqiwos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsygswmieqoyciwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oimuweomwswocyuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scuacgmigmuaiwga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kusyuyseeomiyksw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocyisiswcuskcsyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqwegswqgqkwgoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asqoegqeyaqsyswy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmeqcogymogqeeak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaoisqckkysmicy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skcccqgsoeoqcowy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622891/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiqysecscyyyewgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622892/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weuacyygamwyesyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622893/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cquomgceyyecswmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622894/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwocuwwoasyeuec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622895/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoocoyyyeuaqmewu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622896/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scmswyoowaoayogs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622897/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uosuioguuwuqgycq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622898/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skkeyoegiaosasua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622899/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmcwmwciocaesea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622900/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyiemkscyagsgyqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622901/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uayeqaysciiqkuwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622902/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouaqguoigskgsawc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622903/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scuwckmomykiamey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yciumkugkkiqyeee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgogiecscyoicsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmaiyuyougegsqqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqycguccyiaoqesc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iceamemcwkmsuumk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geuscwogyyueuami.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622865/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skioeuggawquukug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622866/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikgwuyeuguksiqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622867/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eauwmueyiaemageg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622868/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiiwwaimsiksacug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622869/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qswsgsaosueociee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622870/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaoowgqsyaeeygws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622871/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmqusmkokciiywcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622872/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaciwqyciwieqayq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622873/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumsacuioagikoye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622874/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myeiasyeycgakqes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622875/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agywyyggkmaaasko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622876/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiauweeigoyasgwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622877/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgigaygiqsyykssg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622878/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwcoucmayowwiac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622879/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wywcqswuccsaicsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622880/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiiqkioeqioywokg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmesyyoeasmceqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wscgocoquaaikguw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askokooegwuckmec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqwqcwqamuuequya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icwkgaqkgygqsyis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmiemquqgaicqaeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyccussoyagmqsyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622844/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wewcogmkakqkemys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622845/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swaqsgcamsceowwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622846/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eosqwcguqisscyuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622847/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyyemecyiwmcuuka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622848/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ououeokuaemgmwks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622849/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuousugeswcsqeuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622850/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceoiueyucuacewsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622851/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmucueciagkucsgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622852/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qswgismkceakcquc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622853/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkgaycsesmaamkei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622854/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scqgmowgwkumiosw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622855/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqqckeyssewciqgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622856/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwimciqikkmqsoca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622857/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkaouksyegmewse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622858/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgusiiiimqayioeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622859/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiqwsimwsmygmga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622860/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcwqsoiymocigyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622861/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqiockamygwyoeiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622862/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsogewooecuogaam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622863/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uucmyuseugqyasci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622864/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkqqyuquyiwyqquy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622823/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiqgggmiwoskwwqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622824/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmeegwyayawkwsgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622825/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuyccyaaooayasgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622826/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaqusoouguqgeikk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622827/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agisiioumgkossgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622828/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qskcsogwciymgmiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622829/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amgcwmigkuogkqgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622830/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eomowwywaeqmuymi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622831/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoqooqkkqgkyqmke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622832/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eagsquywiycquogq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622833/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgicgsegiqikcyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622834/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aauioaccqcywwoqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622835/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiwwcgqisciwaiew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622836/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgmciogwiycykwce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622837/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsuyaucsqqiswsya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622838/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmusymmkqyscamoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622839/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geamgqmeseksiwiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622840/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eomsaiiqcuqcqeia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622841/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsioamssimgcyeyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622842/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakqageckseiaauu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622843/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkaeyyysoqqmqiee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622801/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiukmiwkmemciwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622802/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikksqiqqogmgsew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622803/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugeosgigwmwgqyiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622804/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyygeggwyowsqgcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622805/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gywkigesesaoqoau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622806/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yowqqkqeywimqyue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622807/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqowuqyukygccoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622808/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycycyegsgsicmqgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622809/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmesmaecssysweaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622810/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkmgkewcqgkisco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622811/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaqucaeiikoecggo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622812/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgimeosymaeykygc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622813/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wegycakeiswacqwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622814/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uusumugsiugwmcys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622815/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyywwiamggsuwewk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622816/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouuokqiwicesamya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622817/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaecmyccycsocys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622818/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qgymgaasuamgaeea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622819/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easoemomuukuyisa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622820/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgsyuegmokckymoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622821/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swgqeeeogoiysasw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622822/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swkkkmquewakasue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622781/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgyyawcycyqeseie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622782/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uucyqiwcaouagwwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622783/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycqmewqqmiwckuoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622784/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugocmqkokqaaowww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622785/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymmoooikksakski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622786/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumayeusaueyckgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622787/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmqqagewysucmikc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622788/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amiiygsekiwgmyam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622789/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swciuoyswogmikku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622790/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiceocgcsueuqyyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622791/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqwymisaeyyaqkqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622792/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwwymmiymmcmaesy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622793/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocsceieomeqwooam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622794/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myweukommegmqosq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622795/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yciyeeiqwymsqcss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622796/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyagseaewikmwasm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622797/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"swsuoukaqcuegcme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622798/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoqcyqqiowcsasye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622799/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agkuqgwqwosueumm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622800/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wegeuuymegyquiag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622758/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ougykycygiocgomi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622759/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yogqesyakgueuquo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622760/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwqkiiuewcemgis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622761/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aayowmowcemucyay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622762/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocuywqsocewwmeus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622763/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoequmgayugiyiqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622764/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqumgemskyoscgyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622765/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsgimgomisgoaaos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622766/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmoueauokcccaiao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622767/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiqawowuuisuiyoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622768/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eauggoiqgseamcmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622769/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocsegqcgmgoagosa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622770/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqgsiawsaamageye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622771/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqiksmquisuwuay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622772/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqqgciyyauuewkms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622773/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqeeqkismssewsca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622774/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwwucqcaqqcwgemi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622775/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yoyowqisyykwecce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622776/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iweyycoegwkseeye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622777/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skcweioikwsgeomy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622778/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uockiaeekwugwesg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622779/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuyeqooiggmywmsk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622780/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsmqqoyqocweqeai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622733/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooikawqecuqcuski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622734/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agiqaegwwqcqyuek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622735/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiquuqsgegcagymc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622736/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geggkeuesqseqeym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622737/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsockoysqmwsumwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622738/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsacwoaqicegeeuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622739/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asyeawykwguwwmic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622740/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgscsagwswwkugas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622741/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgskyyaiuiusgyks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622742/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqyyeeaiyysyyia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622743/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scykcekwmyoeekss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622744/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uugwkwoueiqqkayo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622745/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uowaoyeoacwqegay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622746/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywygcicqgmoesqee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622747/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yccysgsaayqaugoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622748/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yiycuygekyuscemw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622749/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euoewuemuiygmyyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622750/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqouosiwyymmcimi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622751/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycykasiciouugcio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622752/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwesosyqyyosgekk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622753/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mykgaguksmsscayq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622754/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqyuyiiqmmeemkag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622755/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eacisqakiqkokciq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622756/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgmycykauuqmamky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622757/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyeqmmcymqgysugg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622711/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uguumwcsikkogaew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622712/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmwueqgiqaieqwkc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622713/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocgkawsaisawicgq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622714/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywgwkieiuwiougwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622715/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqceiuewgcmugsac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622716/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qssiswamekksqqck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622717/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqysaiuuuuaokacw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622718/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoaimqcosacauqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622719/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuqcuqegeyeeckam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622720/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sciweaiogamcasce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622721/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgaqucquugosgww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622722/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"uoaciuemesammwau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622723/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ousiokuwosimemuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622724/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqiyqyaccmiqcaei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622725/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyseaagyigmawgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622726/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqmkoauysaqiisig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622727/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easiaoaqkuuoukyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622728/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekucigeumaymcww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622729/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aagqqimiusmqwawe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622730/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuwkeeouqaaueaqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622731/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsecwwgwweagqqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622732/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqyiweauysksumqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622690/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skwescwiqqauuuoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622691/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugcoyokokqgqasmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622692/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weoyouiqaqwkgwci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622693/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwyayiwwokagoss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622694/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aswgeqsmacycueyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622695/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmecmsoqsqoogeow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622696/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meoecyuemmeiqoia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622697/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kukoyksmkaqswgcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622698/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kugssqwakigisgqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622699/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuckomuaigsqeieq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622700/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"icocgmoykkmsgkkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622701/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgciukaemigywues.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622702/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cksawaqosguwmqsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622703/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuqkgwigakoyogmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622704/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugssseoeuomiwkqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622705/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocemuwgogagmwkio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622706/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsyqkywoceiegaem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622707/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoiqswsggckikuoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622708/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qswyigqekaaiuiqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622709/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amgceawwigeywkwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622710/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iceoisqukumsmokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622669/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkgyeyqyqiasyqsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622670/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uukuikogawukgewc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622671/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyycaymwqiymkmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622672/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoeeseowioycemki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622673/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaeukqkokyemqgso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622674/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uooqqkagcgmqaace.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622675/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaoyuocswysewsia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622676/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqgiqqwkqoecwkmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622677/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amgkmmiekscsmegg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622678/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkaggmqiciquksic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622679/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kmiaaasmumiogsim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622680/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwkasuyyaosouaoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622681/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocgysiswmgqmiics.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622682/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aameyuomyumkacuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622683/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaeuwgcmwwesaayk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622684/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcmymcywqsiqwsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622685/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weckawegqgmqqmoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622686/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckkqkcwkkgamyygg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622687/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwqmqcygigcocseg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622688/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scysgswqoaekgoig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622689/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqcaqusqesuecmgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622648/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622648; rev:1;)
# Review notes for the ThreatFox "botnet C2 traffic" domain rules below:
# - Each rule matches the DNS query name exactly and case-insensitively (nocase):
#   depth equals the content length (20), so the match must start at offset 0 of
#   the dns_query buffer, and isdataat:!1,relative requires that no byte follows
#   it. A query for a subdomain of a listed name therefore does not alert.
# - The rules only see queries going $HOME_NET -> $EXTERNAL_NET, and
#   target:src_ip marks the querying side as the target. If clients resolve
#   through an internal DNS server, the source seen here may be that resolver
#   rather than the infected host -- verify against sensor placement.
# - The action is alert, not drop. Every rule shown is rev:1 with
#   first_seen 2025_10_21, and its sid is 9 followed by the ThreatFox IOC id
#   given in the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckeooaemkeeqosow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622649/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiwocqmeygakwuow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622650/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocemmwaaiqmegwyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622651/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kacqygoikuqkuuya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622652/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiqgkkecaauomuym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622653/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsieyiaickymyocu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622654/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqiigckwkqeqcqqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622655/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycwkyikcukaassig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622656/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwousyauiswaiemy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622657/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysaoqaqakaymicc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622658/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmqyiqumkeoisakc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622659/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkuqqeycsuismesm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622660/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ammeskmcagaoqcos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622661/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooygksqssiesssea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622662/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwkcmuymcgwiqqiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622663/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwgqueeegkwgyoye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622664/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agegymukewmuycqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622665/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiagwoqksqacogg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622666/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ociiyicmqukugyoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622667/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kacscwoyiiiemkie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622668/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsuqiqggewwgqyqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622627/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugoqgeyosayuucuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622628/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gywwwosuyaaggyim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622629/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oocyiwqskisqemgi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622630/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkwkgsgwosscyqmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622631/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geoaecmssquuiiqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622632/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiosgqgoicgimyqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622633/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqsuiyssiqgcuuug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622634/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmgaisisekuwqioi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622635/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eosqwcaucqoauggs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622636/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qswakegwqmmcwsik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622637/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaaeayayysiamgac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622638/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoweueqqauuyqgoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622639/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwkmiyuuegsmakmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622640/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askicosywqscgyga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622641/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wseiukeoggiqksoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622642/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myesuogwmqucyqmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622643/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uggaiaauyymmeack.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622644/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amicgegscaocqasq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622645/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqgkeyykoumyiscq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622646/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scomgoewukmyokmy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622647/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwgqgokgwqmmiie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622606/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agugwcuqkeougyie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622607/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckisuagwawucsywo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622608/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqggemqaimsgukou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622609/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aasicsuowuwieqea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622610/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquckqioqgcywoee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622611/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkeacwkiiuwcceio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622612/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amiwimammswyccca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622613/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gykoywoawagaeysw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622614/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugmioeemqwswmsay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622615/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkomacagwocmmoka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622616/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aguaiymmwmeeiqsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622617/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skigkiocawcowwym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622618/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kugqimywicacyqyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622619/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwakmyuoqkokammw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622620/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euqqmayiiyyamauy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622621/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqsksgscguogomka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622622/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaguaqoqciweoocs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622623/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmiaeiyyasasiwgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622624/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmsaqimoqowyiekc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622625/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiiesgaygayuquwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622626/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoismocimkoekawy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622585/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsomywewaucieiii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622586/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgoocuwsicsoqoai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622587/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawioogawyiyqakg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622588/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oomakmuegkqkeuew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622589/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wecwgoogaqgekyec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622590/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsocekcoewaaeugs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622591/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eougwmewqyeyisko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622592/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easuiuwgymskwmyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622593/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skoycwkoicggggsa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622594/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqsikqkyyumkyuka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622595/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mquawouasegygkuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622596/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gysweeasaqcwsygy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622597/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weiceuwkgiskgkki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622598/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iigicckkukugsmay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622599/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asuoeogecssqgeua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622600/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckguaecogswusiuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622601/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiskmmokmgcsogyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622602/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuwasosygeaumom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622603/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uucwsuwcgyogmaqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622604/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyaoyuueymsemmac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622605/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmoyieimycouwaas.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622564/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wemkkmeacikcqkaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622565/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwsogsqyaqowykk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622566/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eakckycgegqmayco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622567/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gewsacewoewciwga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622568/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wywwoakuisomyuis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622569/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuuigiwamcuuoumc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622570/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiawomuoiogaskoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622571/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqcsaeggykigwuem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622572/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkaoieikmwecqeyi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622573/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amokwyskwsciwyse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622574/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyiqiiogkckecsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622575/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wywsqiyqqueuiuso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622576/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugeemuokssekyeae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622577/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsccygwcukyouimy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622578/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqamiagcmaauiqym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622579/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eakwcuaoioecsuya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622580/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkwimiuqemoswqim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622581/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagywgywmimgimgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622582/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwcuoskaycswigyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622583/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqeguysmgsiicamw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622584/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wycqmcwauuuakicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622544/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmwsigqwigkgcmeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622545/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoquocskyueycsqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622546/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmgooigmkicamoai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622547/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqiggcuuuousswwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622548/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkygkkckeeskkkoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622549/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgcqmegugiaemami.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622550/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmusaumcoogyiquq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622551/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmwcoasgqsikqom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622552/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"squiikkksywsgqow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622553/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wseowugweegagqss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622554/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"eiiwcoyaycigwimk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622555/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aggeiikqikmicies.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622556/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amyoieauesyqaemk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622557/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqsguqoeseysqik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622558/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoeyckycuwkcgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622559/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycugueewscouwugm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622560/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsuysqskckoawoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622561/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekwmaoqmsaymeey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622562/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmisiwwgkekseswu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622563/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wykoiysauaaigkwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622521/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgimmeoeimsocyei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622522/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aauwsuiiekcquoec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622523/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwyquegmgqyikkcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622524/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euyiugcyqoagwuwc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622525/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swscqmkyskqiawam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622526/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoioioseigwsmwcw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622527/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oisqkoacsqimwgoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622528/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouiyyocseoekocim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622529/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocoiiesmqimumcui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622530/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiggygggwsqisiyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622531/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywgeqkamgauwmmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622532/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yioykqwmywoysmem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622533/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsqecmmqcymuucey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622534/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkcyqwwgcqoyecoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622535/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gekqimuuewwuiagu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622536/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuasiiyyaycusyqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622537/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaemqmwisiegyiko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622538/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eikcaaimkaecgwoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622539/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwkgacugaaemccuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622540/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uacoisiqcoyiiego.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622541/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgaisgyooscecgik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622542/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicqeccouucwiiqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622543/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsgasseeakeycsui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622498/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqmeasuccsssiggi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622499/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiiauwiiumwgokyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622500/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsamewmaieyoemcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622501/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyyiwqyyyymossew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622502/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmqaoocyesagqgmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622503/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmuogogiqscocuoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622504/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqwegsyymkeiqmym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622505/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqegwuoaoeosqeww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622506/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoyiywamcqcamyaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622507/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"meiqewqkkoikygeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622508/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uakusqeceiiyaqui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622509/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgacycegiiyeqcga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622510/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyymukkckoqeags.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622511/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycawswmeywiksgki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622512/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sckmssycqwaiqamw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622513/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qguoscskywaamcik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622514/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"occoyasgeqgcywgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622515/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geooqweeecaeuoqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622516/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyakgymmekgoako.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622517/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amkiwsmyigomkumg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622518/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqussskiksiuiswu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622519/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uggkkuygmsooqwgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622520/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmqwockuikgwoakq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622476/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsywcocgqgommcci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622477/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ookqmwkkaomekqcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622478/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsawaqyysukeiiaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622479/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuumeuqmamoqaeso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622480/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugymicsueuaikmkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622481/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skugaekqiyuyaamq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622482/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eigocwywqaqoikkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622483/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"iisuugsaiqkyakmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622484/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622484; rev:1;)
# --- Reviewer notes on the rules below (ThreatFox "botnet C2 traffic" domain IOCs) ---
# Match:  each rule inspects the DNS query name (dns_query) for one literal domain.
#         depth:20 equals the length of the name and isdataat:!1,relative requires
#         that no byte follows the match, so only the exact name alerts (nocase makes
#         it case-insensitive); a query for a subdomain of the name does not match.
# Scope:  $HOME_NET -> $EXTERNAL_NET only. Where clients resolve through an internal
#         recursive resolver, the alerting source is that resolver rather than the
#         endpoint; pivot to the resolver's query logs to find the originating host.
#         Queries carried over encrypted DNS (DoT/DoH) are generally not visible to
#         these rules unless that traffic is decrypted upstream of the sensor.
# Triage: target:src_ip marks the querying side as the target. An alert shows a
#         lookup, not an established C2 session; confirm with flow, proxy or endpoint
#         telemetry before concluding the host is compromised.
# Source: in every rule here, sid = 90000000 + the ThreatFox IOC id in the reference
#         URL, so an alert can be traced straight to its IOC page. The names are 16
#         lowercase letters under .xyz, which looks like algorithmically generated
#         output (presumably a DGA; the family is not stated in the rule). The
#         first_seen metadata value can be used to age out stale entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euyygeuqscacqeko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622485/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkcoiwcsiqqauoaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622486/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoimekgwsyksoyyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622487/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugyeemqgcmeiaouq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622488/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yccsuiqsiqwumasw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622489/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmsawamaqmsoysce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622490/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqqwwcwmseyaswis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622491/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsoswycqiegmwko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622492/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cquaesmssuwwooum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622493/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgwoeymawcaucqss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622494/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meeikwqkwiogoiqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622495/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiicqocoouoomqua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622496/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qymaeaguqiiiegqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622497/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weqgoggmiuscecss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622454/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ougemmuiqewuusok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622455/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eacqyoaoymyyiimm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622456/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicoyqugwywqaisk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622457/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuqmkikmcaamgymy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622458/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eimaqcmogcskagks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622459/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meoaeaqqisqaassy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622460/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amasiakuauqwumke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622461/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icacwoqmqmmwksiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622462/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wycuekmuekwiasgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622463/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuikcggqcgqickom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622464/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sckokcqsuwwsyice.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622465/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgykoiscuiuaycwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622466/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmkmygkeyimaywsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622467/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wksgiyegmacsukom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622468/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euuyuymceckwuemg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622469/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iciisgucgeyysaqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622470/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugkcywgwawciigiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622471/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiyceqmukagwksyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622472/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsokismaeqccyuew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622473/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycoewaksumyuqae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622474/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsqmwkyuysoyymu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622475/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icqygiuqacyucysi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622429/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wekayewsgiweqsuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622430/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meuyykcukweuosok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622431/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckakgeiwaegocwes.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622432/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iicumyeekmkogkuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622433/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skgmuasqumoyimks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622434/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywmumyogoymgces.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622435/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouegguqmumeeuuuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622436/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icgiiumswkaussgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622437/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgukwmyecogguqyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622438/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqiwwoecqckkgoyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622439/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwemosgyecuaccgm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622440/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycgcoiaaegyeyyug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622441/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skggmeiyewuwamow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622442/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoseqcoamasceuks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622443/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycggioisgsawsyuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622444/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eumacsgkmocqweoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622445/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooqecmayoeessguo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622446/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycgukyqesomumikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622447/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckwicskesuymkyic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622448/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asewwwkaeagwgqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622449/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ociikeaukowiksaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622450/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekoayeggwoacigq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622451/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asywmockuqywsecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622452/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyogcogaaogggucw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622453/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugseumscmocusyee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622408/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memeykasuqacusic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622409/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkkuaakakusoucy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622410/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquiokmuacqwqwii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622411/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsswsauwiwcagaoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622412/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qskuycyaqmqssioe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622413/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gykuuqekoicueecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622414/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoywuwwsmauuwucw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622415/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaqkgccqwqeckuem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622416/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkcymwqkkaiswekq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622417/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmsigymwcgkoqkou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622418/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuqmakmckmgiokyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622419/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkwakywqsigmwaca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622420/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqisimmcwaywiyeq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622421/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uawucyqkukowokyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622422/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaekkygwoqqaiwok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622423/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geusoogaeoymacyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622424/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekyaqsmwgoiuqam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622425/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocqmyqoeywsweukc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622426/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skaigkqeugcwesem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622427/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyssmcuwuqqskmyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622428/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eimyeymumyqguicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622386/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceiiggmecieoswog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622387/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwkakugioaoumywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622388/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiamogemoommaqma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622389/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uasecgsiyymwewqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622390/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geooqeckkswqcwsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622391/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwyqwkgmycsimsyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622392/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megiswiweuqmekoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622393/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kukcqsmcqowwaqyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622394/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgakcwwuceoauoea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622395/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmuwoaymuysuggaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622396/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oouaamqygqmkqige.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622397/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaasyeuqoqkagomg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622398/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiuiiuckyaaeoeka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622399/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsgwwwqmisceawwk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622400/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoqeosqcygasmkku.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622401/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmywoaycoqsiskie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622402/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"occosmsimggeyqko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622403/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaauqskkomkeaoqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622404/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsuimwaycciskmcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622405/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyuoasckycesuaaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622406/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gewawaaesaygsqkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622407/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckgiagoseayeeowc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622364/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaqyiogmqcsckakg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622365/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqmomisckgcsyqcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622366/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsmkmukkykmygwik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622367/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckaikuowoesmscia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622368/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouakcmyesmgeguee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622369/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmqiwcoywumeasgc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622370/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqeacucqkocegakk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622371/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sceigymmuowsawyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622372/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqqmywkagymeocca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622373/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yigkywwcioyscokw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622374/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqcoqqocoqugeimg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622375/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqgckoeseemsiywk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622376/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicocqqeyaagmkok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622377/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaoiuaueaggkmgcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622378/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmceyqkcakiaoogq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622379/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wykcckeyyyyaccmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622380/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyqgmiccacysamos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622381/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amkkwywomsimoosy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622382/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsimeimssakcoiky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622383/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmwcqgmqwsawooqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622384/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eagmgkcqgwoguwgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622385/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mqewgqqakuqiwsga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622343/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geamweuswcicogsc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622344/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meuksckqaqoacosk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622345/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywqguaoomougyaek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622346/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywuqkqmwgycgooae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622347/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kacasgwicccywewc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622348/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkiskgkacmcakmqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622349/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icwawueyamkucuaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622350/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eocmksmuwgakeiio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622351/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kagqumgiugumokcu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622352/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askucqieisyeakek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622353/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmewwimsouoocimc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622354/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmgiyuugwwuiccuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622355/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaqkwsekgwiwueki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622356/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qscoockuimkacqau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622357/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amuysaamiocsqmmi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622358/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmccqgesciyqowyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622359/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoeqgkuaaeamiwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622360/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oioqoaqmwicyowwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622361/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqycwocqyygkkgyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622362/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocescowyokqyqeqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622363/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"iwmgeseekgmsyqeu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622319/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsigaomuayquqwwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622320/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geiooyyeasisokky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622321/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmuwmcguawkawooc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622322/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaogqekocagewcic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622323/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmkomawyuwcgqyei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622324/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eucmcwomoemceqek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622325/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyugqyqaasciygm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622326/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqigmsoueomgkoca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622327/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aseoosiaewwywike.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622328/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicsiycwoaooewcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622329/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myuygmuqkywemogk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622330/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsaceysuoiyuewwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622331/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uumaakcmsmauogyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622332/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooicgcicaiekcqey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622333/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amuyoykckoqwieka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622334/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwqegmaossqooqqy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622335/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwiiksugggiwkcqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622336/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asyokauugeueqcoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622337/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgooimqqqccaokiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622338/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiqkoygaouayqsck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622339/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"scwaeqiwkeaoyqwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622340/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icwiugoqscacoqko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622341/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqeowiccyassacgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622342/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmugsmyiowigcgog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622295/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askiigyykawkqkco.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622296/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyyuwewkiyegmwse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622297/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmemqsskiagoguiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622298/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uocuiysseyossyia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622299/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckimgmsowewgcicq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622300/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyuiciimawycuium.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622301/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiwmcwwgeyokogsu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622302/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622302; rev:1;)
# ThreatFox "botnet C2 traffic" domain IOCs, first_seen 2025_10_21, confidence_level 100.
# Each rule below alerts on a DNS query from $HOME_NET to $EXTERNAL_NET for one exact name:
#   depth:20 keeps the 20-byte content at the start of the dns_query buffer,
#   isdataat:!1,relative requires that no byte follows the match,
#   nocase makes the comparison case-insensitive.
# A longer name that only ends in a listed domain (a sub-domain) therefore does not match.
# sid is the digit 9 followed by the ThreatFox IOC id that appears in the reference URL.
# target:src_ip records the querying side as the alert target.
# NOTE(review): where clients resolve through an internal recursive resolver, the query
#   that leaves $HOME_NET comes from the resolver, so src_ip will be the resolver;
#   correlate with resolver query logs to find the originating host.
# NOTE(review): only DNS the sensor sees in clear text can match; lookups sent over
#   DoH/DoT would presumably not be inspected - confirm coverage for your network.
# NOTE(review): the 16-letter labels look algorithmically generated (inferred from their
#   shape, the rules do not say); per-domain IOCs of that kind tend to age quickly, so
#   the first_seen metadata is worth using when pruning old entries.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer; kept
#   exactly as published by the feed.
# IOC ids 1622303-1622318
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqkumykgsoiquyyo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622303/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmycygsioswggocq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622304/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwoesuegeogomysg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622305/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgswqiamimcacqki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622306/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aauqmgwasyeaeyom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622307/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asesskcqauoqqosc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622308/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyuwcammywwiaiyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622309/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wegwyewyaookigqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622310/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eagquaawkwycmyak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622311/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaiwyqoqwiqqwoyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622312/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eokyeukeiweawaai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622313/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqicooewceueciss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622314/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiswiaugesuoawai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622315/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwwwiqmaukwwkyma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622316/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgiaugwwgqwocqoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622317/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkymkuoaqccycsqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622318/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622318; rev:1;)
# IOC ids 1622273-1622294
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwokaicumkqeaeme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622273/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eisqeysmqksaeqmg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622274/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgkouemsossquuyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622275/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmgyaoiuougkaski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622276/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqkgiwuoceguioei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622277/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oomwugawmsckcakm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622278/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eagimiwoowwmygia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622279/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scyguuacwkqwswms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622280/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckusckeqigwuyigk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622281/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myscwmsskwkamyyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622282/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uokmsamcciismwoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622283/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmaeowwkyiugoesc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622284/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagsimymikoaugqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622285/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uawoyymikgkcsaaa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622286/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqwuwkooywocuski.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622287/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agsokgiawwawyuqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622288/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easqseuokyeoymwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622289/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywokoaiukumamaki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622290/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakgqagcckqsyaew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622291/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asyocqgoseuckwyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622292/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkqaiqegycukgmsw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622293/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaackikossweioos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622294/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622294; rev:1;)
# IOC ids 1622250-1622272
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceiaeyoqysywagkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622250/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgewcwmokwuwqgcq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622251/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsiikkasykswiyya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622252/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgemiugoimosmqmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622253/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooosckscwgcwwsyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622254/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eocsqiuscaeqguoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622255/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqwwsyoaqqqwawa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622256/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccqeqyggyicscak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622257/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaseoewwqcsguqwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622258/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywuouyqeaukmeouw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622259/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ascuykwiusogyouo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622260/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oomoooyiiwukqsim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622261/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kguyaeeksqcqyoey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622262/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmmwqoccggoqowo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622263/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsqguioggaoauwa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622264/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqmygkuckyqaqoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622265/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqykwygwuqqwyiau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622266/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqqqemgwwiqamgoy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622267/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uusgekecmkeaiwiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622268/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oomueaowesammggq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622269/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiisqqugiawosqkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622270/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwmsoquiocaaiuse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622271/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsywsoemmmgekyka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622272/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622272; rev:1;)
# IOC ids 1622227-1622249
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myymmymemiwyoewg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622227/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyeckegcweqaioqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622228/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amcmsskuyuasswig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622229/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgymsuemiyqmkumg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622230/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqiokeyckawauacs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622231/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqkowuogasaekcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622232/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuiqowcamiwuqoka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622233/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuqyaauiagckuyow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622234/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmwsckgwsemuaacc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622235/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwmqywuuyoyaagkq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622236/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amkssewcmweyicim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622237/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagcacigasyqgiqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622238/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uukisqweocukekuc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622239/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agayagckwyqckmiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622240/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouwoaimagmuaoikg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622241/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeskmqcuqmoqgai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622242/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgicumywoqcykgig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622243/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eascuakmmsmwgyce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622244/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amusquaeeuukeqoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622245/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgioieikmicmocyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622246/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugisigyskequykaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622247/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yosakqwiiiwqwook.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622248/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuoiemaewsiwamac.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622249/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622249; rev:1;)
# IOC ids 1622208-1622226
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gskogiukyycsqcue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622208/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iimkyeeqeugicuws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622209/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmacmcqqaeyiqwie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622210/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmwwqgaigwuwmmqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622211/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geysckgyiiqaaqek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622212/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swqoskewmcokqwak.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622213/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgiqiwewiacgkswk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622214/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmkamswyuuscksyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622215/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eawkyyakumqeygcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622216/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsseegmsoeewauaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622217/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywequqoksggayiis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622218/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaywuykyewmeccuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622219/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycuyaywmyqquswce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622220/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amokisymokgkkmuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622221/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oowgisaoqicoqcum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622222/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meqmgqackyyksega.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622223/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwkkmowgememcsoc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622224/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouumouicauycyoig.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622225/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoygoocymauuaeqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622226/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622226; rev:1;)
# IOC ids from 1622187
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocykykimokyqeyaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622187/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agawwqwcocccicei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622188/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsicqosiecgqcqeo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622189/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkyyusiwqecesgke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622190/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmiiiawomogqmgcc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622191/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aguwuieqaiqgoaoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622192/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwwuemigqgcyemog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622193/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqmwgkeumugmeqqw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622194/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmygiuaacieoaiqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622195/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uguugmgackgomeoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622196/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oogsgcocusiqywkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622197/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gycsiyuiseiaguca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622198/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cwusikkusiqwkgka.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622199/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geekauwaiaeqgimy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622200/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqwmiyemyeicqceo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622201/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiswuqkymciggiuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622202/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgicsqyyaosggmuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622203/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsscosaoigcycmow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622204/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swyueeocqqqaegoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622205/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqgweyugwgoqeoqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622206/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwikiegcqemoskgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622207/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easeskyukakkssok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622168/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agguqykmmceakeqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622169/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsseugymmgqoseag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622170/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceyugyuwucoawwuu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622171/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwausuyueeaiygoa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622172/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqamsceuwqowqewi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622173/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icuawuogcygcogam.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622174/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uukwgueyaoouiyqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622175/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicqaaeyaqqosqww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622176/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugguyiuiqqocmmse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622177/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wskoggaaoeeigmos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622178/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakkuysmuoesweoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622179/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"geicssmomgskquci.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622180/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oossyeskymucasoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622181/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gywmucaoacgoagum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622182/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uguiaeuymsqowsma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622183/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqooayqmkyceokkk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622184/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiwqggeaqumegiws.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622185/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uosuigmuqieyoooe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622186/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqcuwcawoqsocyys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622156/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyygiicayumqkuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622157/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqeomequeeeeysgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622158/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycqeccgisusoyemk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622159/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megiiaeomsmgwywu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622160/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqokqmkicayggcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622161/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgcqswmikwkqeaae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622162/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycwiueueagaoqee.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622163/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywkaqiqcoicqcwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622164/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amqqaauewseqowiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622165/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaemusigikyqaeso.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622166/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmimoogusysyoie.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622167/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsuoysmyewmyeiwg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622146/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceuwcgcemuoqommm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622147/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"geawiyaceyccmsec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622148/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsqequaocwqowouu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622149/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weoyuaokqwciegqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622150/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiogsoeuksewaqae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622151/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iikguwcckkysseeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622152/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckakgimyegcemksy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622153/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uockwuoiaskimaya.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622154/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywiuiqowugcekacg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622155/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagkquwqwqckewew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622125/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uawwugqgqgiegsqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622126/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kawoiawekmgckese.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622127/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wymmicyciooicwiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622128/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugwcwygiqymyimck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622129/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqgqgimiegyccuys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622130/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqkiimoagwcsygqm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622131/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugkesasuyiagcsmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622132/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqyuekosksgyamma.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622133/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icyigamgcqwweois.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622134/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouwwqmywkauiyyou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622135/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoeowwkkgkiwciki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622136/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsiaiguwcgsoiwoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622137/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wsimoccmkcciogse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622138/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myceekimoooeyqcy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622139/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agymosymgyiksiua.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622140/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wewsquuwaywymywm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622141/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkuwiouyceooeicw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622142/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckuuewcogywskueu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622143/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwusoeicomiskqgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622144/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asausuowoumyyssg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622145/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yokswcwaqcmiygcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622104/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kakciaaccasaamau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622105/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqauuqioicumieik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622106/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquoosqyeimgayym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622107/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aggqceoaeccuocum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622108/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgssqasoqewwsmwi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622109/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mksiaiyccmccuecw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622110/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eosacgqcgwwkgouw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622111/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmaeqawiyksquusi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622112/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qymwqauowagyemey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622113/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakmqmkaqggoggoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622114/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywmcokgguckaeaui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622115/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiwugsuseemymuem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622116/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mkekweuswgcqwacy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622117/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooyaeaysgqesakki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622118/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqywaekkmkessgao.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622119/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugkciseuesckgisy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622120/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwwiogqqwcwoqkau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622121/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoiyeqassqigoime.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622122/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgmuikmwiwiwsswa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622123/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiaoykwkikeqqwsm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622124/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geusywaqmggskeqa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622084/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqqmqsusykegyugy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622085/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yimmyssqoeugoeia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622086/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iicoukoycyowiggw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622087/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmegyqewcgyoeemk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622088/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqykcewawakewyye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622089/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoqekweacwecwkgs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622090/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoqwacywasyeeowk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622091/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuewauqkaeuwwqcs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622092/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gycqeyqoqoiykykg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622093/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uakiuqugeyiegcsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622094/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyameswuymsuyuis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622095/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoweuguooeeumuuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622096/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ascmgqwyqkwwmuio.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622097/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoqyemwwysauquec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622098/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoamgwumekwcqkcm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622099/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqsqygggkwqsiok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622100/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgeimkisuikqoewe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622101/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooisygssiwaqmowm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622102/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoyoaigaaiciuowy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622103/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eowiqaikgaaeuweo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622063/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oissacweacagsiiy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622064/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwqyaysukcosgauw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622065/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsuyuyymeoaaoemg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622066/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocaoysmuakqaqwge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622067/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqqesiygioaommi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622068/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqacuamqckyiamsi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622069/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mksmcuysmweqsemo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622070/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsusaucwesauqkw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622071/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scmcaqeyyaeoksuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622072/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyummmeiqiiwwug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622073/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wscgsqwsoqqqiauo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622074/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywgmqwsgacyuekgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622075/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yceaacuwywikocmc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622076/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kgeceqaaumwcucgu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622077/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgaqsmaiuewqagce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622078/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsuequaaiwmaesi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622079/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycwqgooyuqgaoiwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622080/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iioqagimwasugwca.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622081/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmuckkusawmkkwkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622082/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgwmegwaaekoomqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622083/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agamggmimsmcekcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622041/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skswukgeakmcemgw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622042/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skmooyyeicyqycim.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622043/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"squucmgqegqgsuyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622044/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amwkygawuiygkscw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622045/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgmeqcsmcemwkqaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622046/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuayaqwygisyigus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622047/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agceceaqmwquoyce.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622048/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkgikmekmamqmuau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622049/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skuguwkeyaaqiiks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622050/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skseuiceskwmyqgy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622051/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwyiikiwykigwkeg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622052/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgwwaqikomaemuuk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622053/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsoqcoiiwumggsik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622054/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"geuwumqkgokkqwou.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622055/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asocqyeggeaoumis.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622056/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eosokkwqaokauicm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622057/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uokqkcqwmgiawwwu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622058/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoqqessmeuegimqu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622059/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckwosakwwkimoqow.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622060/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icqcaoauwygyoiyg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622061/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weycmigcomkmgkic.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622062/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqqmcikgoigaeuoq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622018/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywyqiuyccuisaawo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622019/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asigemmcuaewmkai.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622020/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91622020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uawakkosogygemqc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622021/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsowyycwgqqeykmu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622022/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iigiyakwekaoqmii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622023/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sciyyskmqwkiiecm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622024/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiqgqkgacamsyssa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622025/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cegeygeqcaoiacsy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622026/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myuoeoawoiceiosy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622027/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cksmoicoikksqmii.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622028/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkeikwycgmsowqew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622029/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgecwgaaigqumyey.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622030/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"meaquomwkooceieu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622031/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmyooiqeeomussem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622032/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scuumyqkyuaoiwew.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622033/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywwmwoqmgyqgokay.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622034/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkiiwmqmaiwaeiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622035/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyuiwycqaiocqskw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622036/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiwmqwgoqsqceyko.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622037/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgkwisawcogaaacq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622038/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geiqkceamaoaiiaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622039/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yomkeaisuyksyyww.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622040/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icoucuwwmeyoyauk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621997/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91621997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsmoewyuyeuksgyq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621998/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqoqumkywgowgikk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621999/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eomkwokqcsgkamiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622000/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqkwouwuueuoyaqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622001/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywueyakacegogyug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622002/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kusogyockcqieqgk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622003/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qykqcyigmyqieium.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622004/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swseqkcceiemwoks.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622005/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gysisesiqqssyqiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622006/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyuqesuimyyymoos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622007/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sciswaieycmagokq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622008/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmcewcayimieguog.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622009/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycamwookoeossuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622010/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myoogewsawqmiugu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622011/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoqwwwummaooausa.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622012/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgwmewmamukaeige.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1622013/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weuqkuieuuwwysqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622014/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eoakkickimeywyik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622015/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyiausymesymuqq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622016/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yowucqscmmcmmuyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1622017/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91622017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scimiseieuiyiagu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621975/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91621975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gekiocyqsokgwqmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621976/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oioeemqkweyqocuo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621977/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocggwuieqaceeeom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621978/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ociigusgsoauaysm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621979/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yckkuuquoqaiegiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621980/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weyokgoiyeqaommu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621981/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagcuyqkqcmcwkyw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621982/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oigmwqmigsyeqewo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621983/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wykguygusqmggaqg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621984/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoquomeiokwgoqea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621985/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"skqukeeykqcesgea.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621986/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iqsgkqkomaquqyiq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621987/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyuiycaauaqgqwke.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621988/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euwumueayqaksmaq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621989/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyacgqyysyyquaqi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621990/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geuqggmocyisayug.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1621991/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkokaoaooukymqoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621992/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eouyuuuimeaucewm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621993/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgqwaqoiagiyksgo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621994/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywgwkusaioagmmmo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621995/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eogcamggqmcoauue.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621996/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91621996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouqwwykegmwqgags.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621953/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wswkgoqcaocyucuy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621954/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myesyumkisquscqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621955/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkmeieqysqywkqoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621956/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weimomuuuksiguki.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621957/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icwsqyagkmicmiga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621958/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqyouwekgciuywqo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621959/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asguacsqcaumsiqe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621960/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meowwsmkqggcagys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621961/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iquoucsysikggowo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621962/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"myqoiygoswukocum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621963/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqeweqgecgmyeeei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621964/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swsekmsoqyggseoi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621965/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amuegoouwguoeoga.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621966/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eokyayaeowsowgiw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621967/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwskaqewaeayuksc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1621968/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugoqcoqkmmkaiaem.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621969/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aakgyeokkmegmcsq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621970/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuikccwiciasqyqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621971/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asuwkaukgkgwiyok.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621972/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gygwcmowmykqccum.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621973/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; 
classtype:trojan-activity; sid:91621973; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "botnet C2 traffic" domain rules, all with first_seen 2025_10_21.
#
# What each rule matches:
#   * DNS traffic from $HOME_NET to $EXTERNAL_NET whose query name is the
#     listed domain. `dns_query` selects the query-name buffer (legacy spelling
#     of `dns.query`).
#   * `depth:20` equals the length of the 20-byte content string, so the match
#     must start at offset 0; `isdataat:!1,relative` requires that no byte
#     follows it. Together they make an exact, whole-name match, and `nocase`
#     makes it case-insensitive. A query for a subdomain of a listed name
#     does not match.
#   * `target:src_ip` marks the querying address as the target in alert output.
#   * `sid` is the digit 9 followed by the ThreatFox IOC id from the reference
#     URL, which is the record to pull up when triaging an alert.
#
# NOTE(review): the direction is $HOME_NET -> $EXTERNAL_NET. If clients resolve
#   through a recursive resolver inside $HOME_NET, the alert presumably fires
#   on the resolver's outbound query and src_ip is the resolver, not the
#   infected host. Confirm sensor placement and correlate with resolver query
#   logs to find the originating client.
# NOTE(review): lookups carried inside an encrypted channel (DoH/DoT) are not
#   expected to reach the DNS parser, so these rules would not see them.
#   Verify coverage for such clients separately.
# NOTE(review): every name here is 16 lowercase letters under .xyz with the
#   same first_seen date, which looks algorithmically generated. Static
#   per-domain rules for such names tend to age quickly, so confirm how stale
#   entries are expired from this ruleset.
# NOTE(review): sids are in the 9xxxxxxx range. Check for collisions with
#   locally assigned sids before loading.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooegoasouiueamym.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621974/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sckcawcwkmmqaywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621928/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsosaaekgawykmk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621929/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceumyskwssagmmkm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621930/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywkusmeeqkwgwqwe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621931/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agwkmsckqekwacyu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621932/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaumiiwamequusyk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621933/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uagamemuyqeskkek.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621934/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uukosueyacsgcesy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621935/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyiswayukugikcck.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621936/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eakikckgyokmwugm.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621937/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"occiasooqqqsuuqk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621938/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywcawqisaqgyoacs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621939/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwgkwoaeowiesigu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621940/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amaieuyoseoqaywg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621941/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uayaeeewqagyqusw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621942/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugyikuquesqysukg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621943/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aswyckgewwokoouq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621944/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaqaymyoewyuqoag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621945/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aagoiegqgqgqwmom.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621946/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywokyocuqqeqcewc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621947/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wyqsywmygguumocw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621948/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqessommgeeaymkg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621949/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqcumqgieyimasye.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621950/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oicccisgoguaemuq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621951/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ycyaecwcuckscoqs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621952/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gseyskiwoiqmoqky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621904/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwaweqieycwqiqui.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621905/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qggiqsqcqooqaiaw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621906/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myuuwuayoyeqasms.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621907/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyusaomkuqyougus.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621908/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weokimigqyyekwge.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621909/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsaeamgkeoowoegg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621910/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asksucqecakcwkei.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621911/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiycgwcimyomwkse.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621912/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckewmsecwmusmkmw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621913/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceeigcigkgmagcoe.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621914/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuwimmkeksmemywq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621915/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uugsagogkwcoqwik.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621916/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyyyeuicciiwuqcg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621917/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eueciuuwecmkcack.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621918/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqokscceiwgcemys.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621919/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqaoqykkuyigwyky.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621920/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkgqsauqawkqyuyy.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621921/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eiqskmsgukssscmq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621922/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsueegsmiymwoegs.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621923/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qysaqqkeaacqmyyc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621924/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euyyascegeqmaymc.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621925/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euugmkqkguacogau.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621926/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouciyosoesycesag.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621927/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uuwgckaucikckqwo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621881/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uoikyywmmgcwigwq.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621882/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaqmgomqaoisakia.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621883/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsoeieawusmeeism.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621884/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgamousgsiweucuw.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621885/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eumymuoeiykyisss.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621886/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eociysuimsouukiu.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621887/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmskuiuciyoyoskg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621888/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqgaaqoqicqsqwae.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621889/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywoeeoaamekscieg.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1621890/; target:src_ip; metadata: confidence_level 100, first_seen 2025_10_21; classtype:trojan-activity; sid:91621890; rev:1;)
alert dns $HOME_NET a