Versions (9)
Rev: 5 • Dec 4, 2025, 9:34 PM
Rev: 5 • Oct 16, 2025, 10:34 AM
Rev: 5 • Oct 10, 2025, 6:36 PM
Rev: 4 • Oct 7, 2025, 5:34 PM
Rev: 4 • Jul 14, 2025, 6:34 AM
Rev: 4 • Jun 19, 2025, 11:34 AM
Rev: 4 • Jun 11, 2025, 11:34 AM
Rev: 4 • Apr 9, 2025, 4:34 AM
Rev: 2 • Dec 3, 2024, 4:43 PM
Version Details
Current
Rev: 5 • Sep 25, 2025, 2:40 PM
LOADER [PTsecurity] SteganoAmor Operation
alert http any any -> any any (msg:"LOADER [PTsecurity] SteganoAmor Operation"; flow:established, to_server; http.uri; urilen:>100; content:".doc"; nocase; offset:32; content:"_"; content:"/"; pcre:"/^[@a-z]{30,}[_]{2,}[@a-z]{10,}([_]{2,}[@a-z]{10,})?\.[dD][oO][cC](\?|$)/RU"; http.method; content:"HEAD"; http.header; content:"Connection: Keep-Alive"; content:"User-Agent: Microsoft Office"; reference:url, tria.ge/240517-b29pwsbd2w/behavioral1; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011372; rev:5;)
Sep 25, 2025, 2:40 PM
Nov 7, 2025, 10:12 AM
Oct 16, 2025, 10:34 AM
Dec 4, 2025, 9:34 PM
rules/ptopen-info.rules