Versions (9)
Version Details
Current
Rev: 6 • Sep 25, 2025, 2:40 PM
LOADER [PTsecurity] SteganoAmor Operation
alert http any any -> any any (msg: "LOADER [PTsecurity] SteganoAmor Operation"; flow: established, to_server; http.uri; urilen: >100; content: ".doc"; nocase; offset: 32; content: "_"; content: "/"; pcre: "/^[@\.\-a-z]{30,}[_]{2,}[@\.\-a-z]{10,}([_]{2,}[@\.\-a-z]{10,})?\.[dD][oO][cC](\?|$)/RU"; http.method; content: "GET"; http.header; content: "Accept: */*"; content: "Accept-Encoding: gzip, deflate"; content: "Connection: Keep-Alive"; content: !"Referer"; reference: url, app.any.run/tasks/aa5684e6-a51b-4667-9202-c128478db7a4; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011449; rev: 6;)
Sep 25, 2025, 2:40 PM
Nov 7, 2025, 10:12 AM
Oct 16, 2025, 10:34 AM
Dec 4, 2025, 9:34 PM
rules/ptopen-info.rules