alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Clearfake Set-Cookie Inbound M1"; flow:established,to_client; http.cookie; content:"3445a25f23472ac97543677e8cd9631d="; fast_pattern; pcre:"/^[A-Z0-9]{50,300}\x3b/Ri"; reference:url,rmceoin.github.io/malware-analysis/clearfake/; classtype:exploit-kit; sid:2069918; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Minor, tag Exploit_Kit, tag ClearFake, tag compromised_website, updated_at 2026_06_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:dest_ip;)