Rule History

SID: 10012100 • Source: ptrules/open

Versions (8)

Version DetailsCurrent

Rev: 2 • Oct 9, 2025, 2:49 PM

Message:

STEALER [PTsecurity] WorldWind Exfiltration

Rule:

alert tcp any any -> any any (msg:"STEALER [PTsecurity] WorldWind Exfiltration"; flow:established, to_server; stream_size:server, <, 3; content:!"|00 00|"; depth:2; content:"|00 00|"; offset:2; depth:2; content:"{|22|id|22 3a|"; within:8; content:"|22|filename|22 3a|"; within:16; content:".txt"; within:24; content:"|22|content|22 3a|"; within:16; content:!"|20|"; distance:1; content:!","; distance:0; content:!"."; distance:0; content:!"|00|"; distance:0; reference:url, https://www.virustotal.com/gui/file/84d52de2b69e14f26259da07297e02eb2c4ac32045a690f65a267fe931da0433/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10012100; rev:2;)

Created:

Oct 9, 2025, 2:49 PM

Updated:

Feb 13, 2026, 3:29 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Mar 2, 2026, 1:34 PM

Filename:

rules/ptopen-malware.rules