
Rule History

SID: 10010709 • Source: ptrules/open

Versions (8)

Version Details (Current)

Rev: 2 • Oct 9, 2025, 2:49 PM

STEALER [PTsecurity] Ares Client Hello Request (APT TransparentTribe)

alert http any any -> any any (msg:"STEALER [PTsecurity] Ares Client Hello Request (APT TransparentTribe)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/api/"; http.header; content:"Accept-Encoding: gzip, deflate"; content:!"Referer"; http.user_agent; content:"python-requests/"; http.request_body; content:"|7b 22|username|22 3a|"; depth:13; fast_pattern; content:"|22|platform|22 3a|"; distance:0; content:"|22|hostname|22 3a|"; distance:0; threshold:type limit, track by_src, seconds 120, count 1; reference:url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171/; reference:url, www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010709; rev:2;)
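The rule keys on a python-requests POST to an /api/ path whose JSON body starts with {"username": and is followed, in that order, by "platform": and "hostname":, then limits alerting to one hit per source every 120 seconds. The script below is an added example, not code from ptrules/open or PT Security: it re-implements the rule's buffer conditions (depth:13 on the first body content, distance:0 chaining for the rest, the negated Referer match, the User-Agent check) and the limit threshold in plain Python, and runs them over constructed sample requests. The header set and body mirror what `requests.post(url, json=payload)` emits by default; the URI path, hostnames and field values are made up for illustration.

```python
"""Emulate the matching logic of sid:10010709 on constructed HTTP requests.

Added example, not part of ptrules/open. All sample data below is constructed,
not captured traffic.
"""
import json

# http.request_body content chain from the rule, in the order the rule lists them.
BODY_CHAIN = (b'{"username":', b'"platform":', b'"hostname":')
FIRST_DEPTH = 13          # depth:13 on the first content
THRESHOLD_SECONDS = 120   # threshold:type limit, track by_src, seconds 120, count 1
THRESHOLD_COUNT = 1


def body_matches(body: bytes) -> bool:
    """Apply the body chain with Suricata depth/distance semantics.

    depth:13 means the 12-byte first pattern must end within the first 13 bytes,
    so at most one byte may precede it. Each later content has distance:0, so it
    must start at or after the end of the previous match; key order is enforced.
    """
    pos = body[:FIRST_DEPTH].find(BODY_CHAIN[0])
    if pos < 0:
        return False
    cursor = pos + len(BODY_CHAIN[0])
    for pat in BODY_CHAIN[1:]:
        pos = body.find(pat, cursor)
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True


def request_matches(method: str, uri: str, headers: dict, body: bytes) -> bool:
    """Apply the method, URI, header, user-agent and body conditions of the rule.

    Content matches carry no nocase, so the comparisons are case-sensitive,
    exactly as Suricata would evaluate them.
    """
    header_block = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (
        method == "POST"
        and "/api/" in uri
        and "Accept-Encoding: gzip, deflate" in header_block
        and "Referer" not in header_block          # content:!"Referer"
        and "python-requests/" in headers.get("User-Agent", "")
        and body_matches(body)
    )


def alerts_after_threshold(matches, seconds=THRESHOLD_SECONDS, count=THRESHOLD_COUNT):
    """Emulate threshold:type limit, track by_src.

    `matches` is an iterable of (timestamp, src_ip) for requests that already
    matched. Returns the pairs that would actually raise an alert: at most
    `count` per source per `seconds` window, the window starting at the first
    match after the previous window expired.
    """
    windows = {}   # src_ip -> [window_start, matches_in_window]
    alerted = []
    for ts, src in matches:
        state = windows.get(src)
        if state is None or ts - state[0] >= seconds:
            state = windows[src] = [ts, 0]
        state[1] += 1
        if state[1] <= count:
            alerted.append((ts, src))
    return alerted


# Constructed samples. Header names/values are the python-requests defaults; the
# body is json.dumps() output, i.e. what requests.post(url, json=...) sends, with
# the dict insertion order preserved.
PYTHON_REQUESTS_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "python-requests/2.31.0",
    "Accept-Encoding": "gzip, deflate",
    "Accept": "*/*",
    "Connection": "keep-alive",
    "Content-Type": "application/json",
}
BEACON_BODY = json.dumps({"username": "user", "platform": "Linux", "hostname": "host"}).encode()
REORDERED_BODY = json.dumps({"hostname": "host", "username": "user", "platform": "Linux"}).encode()


def run_samples():
    """Return the match result for each constructed sample, keyed by label."""
    h = PYTHON_REQUESTS_HEADERS
    return {
        "beacon": request_matches("POST", "/api/example", h, BEACON_BODY),
        "keys_reordered": request_matches("POST", "/api/example", h, REORDERED_BODY),
        "with_referer": request_matches("POST", "/api/example", {**h, "Referer": "http://example.invalid/"}, BEACON_BODY),
        "curl_agent": request_matches("POST", "/api/example", {**h, "User-Agent": "curl/8.0.0"}, BEACON_BODY),
        "get_method": request_matches("GET", "/api/example", h, BEACON_BODY),
    }


if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{label:15s} {'ALERT' if hit else 'no match'}")
    stream = [(0.0, "10.0.0.5"), (30.0, "10.0.0.5"), (100.0, "10.0.0.5"),
              (130.0, "10.0.0.5"), (31.0, "10.0.0.6")]
    print(alerts_after_threshold(stream))
```

Two points the emulation makes visible: the depth:13 anchor tolerates at most one byte before {"username":, and distance:0 makes the rule order-sensitive, so a client that serializes the same keys in a different order produces no alert; and because none of the content matches carry nocase, a lowercase referer: header would not satisfy the negated match and the request would still alert. The threshold keeps a second beacon from the same source within the 120 s window from producing a second alert while a different source alerts independently.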

Oct 9, 2025, 2:49 PM

May 13, 2026, 8:50 AM

Oct 16, 2025, 10:34 AM

May 15, 2026, 1:35 PM

rules/ptopen-malware.rules