Versions (2)
Version DetailsCurrent
Rev: 1 • Nov 25, 2025, 12:00 PMET EXPLOIT_KIT Mirai Variant Payload Inbound
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Mirai Variant Payload Inbound"; flow:established,to_client; http.response_body; content:"|2e|x86|5f|64|7c 7c|curl|20 2d|O|20|http"; fast_pattern; content:"|7c 7c|busybox|20|wget|20|http"; content:"|7c 7c|busybox|20|chmod|20|777"; reference:md5,a3f22f1acce4d1473bea36d86c82e448; reference:url,trendmicro.com/en_us/research/25/j/rondodox.html; classtype:attempted-admin; sid:2065911; rev:1; metadata:affected_product Linux, attack_target Server, tls_state plaintext, created_at 2025_11_25, deployment Perimeter, malware_family Mirai, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Nov 25, 2025, 12:00 PM
Nov 25, 2025, 12:00 PM
Nov 25, 2025, 9:34 PM
Nov 26, 2025, 10:34 PM
rules/emerging-exploit_kit.rules