Rule History

SID: 10010710 • Source: ptrules/open

Versions (8)

Version Details (Current)

Rev: 4 • Oct 9, 2025, 2:49 PM

STEALER [PTsecurity] Ares Initial Connection (APT TransparentTribe)

alert http any any -> any any (msg:"STEALER [PTsecurity] Ares Initial Connection (APT TransparentTribe)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/api/"; http.user_agent; content:"python-requests"; http.header; content:"Accept-Encoding: gzip, deflate"; content:"Content-Type: multipart/form-data|3b| boundary="; content:!"Referer"; http.request_body; content:"Content-Disposition: form-data|3b| name=|22|uploaded|22 3b| filename=|22|list.txt|22|"; depth:120; fast_pattern; threshold:type limit, track by_src, seconds 120, count 1; reference:url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171/; reference:url, www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010710; rev:4;)

May 13, 2026, 8:50 AM

Oct 16, 2025, 10:34 AM

May 15, 2026, 1:35 PM

rules/ptopen-malware.rules