Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Lumma Stealer Related Fake Captcha Page Inbound M3"; flow:established,to_client; http.response_body; content:"not|20|a|20|robot"; content:"recaptcha-box"; content:"textToCopy|20 3d 20|"; fast_pattern; pcre:"/^(\x22|\x60)/R"; content:"powershell"; within:11; nocase; reference:url,x.com/kddx0178318/status/1846908706518155520; reference:url,urlscan.io/result/09e5b99e-b240-4780-bf2b-fd344bde4969; classtype:trojan-activity; sid:2056732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_10_18, deployment Perimeter, deployment SSLDecrypt, malware_family lumma, confidence High, signature_severity Major, updated_at 2024_12_11, reviewed_at 2025_05_14;)