Back to Rule

Rule History

SID: 10011449 • Source: ptrules/open

Versions (4)

Rev: 6
Dec 4, 2025, 9:34 PM
Current
Rev: 6
Oct 16, 2025, 10:34 AM
Archived
Rev: 4
Oct 7, 2025, 5:34 PM
Archived
Rev: 2
Dec 3, 2024, 4:43 PM
Archived

Version DetailsCurrent

Rev: 6Sep 25, 2025, 2:40 PM

LOADER [PTsecurity] SteganoAmor Operation

alert http any any -> any any (msg:"LOADER [PTsecurity] SteganoAmor Operation"; flow:established, to_server; http.uri; urilen:>100; content:".doc"; nocase; offset:32; content:"_"; content:"/"; pcre:"/^[@\.\-a-z]{30,}[_]{2,}[@\.\-a-z]{10,}([_]{2,}[@\.\-a-z]{10,})?\.[dD][oO][cC](\?|$)/RU"; http.method; content:"GET"; http.header; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate"; content:"Connection: Keep-Alive"; content:!"Referer"; reference:url, app.any.run/tasks/aa5684e6-a51b-4667-9202-c128478db7a4; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011449; rev:6;)

Sep 25, 2025, 2:40 PM

Nov 7, 2025, 10:12 AM

Oct 16, 2025, 10:34 AM

Dec 4, 2025, 9:34 PM

ptopen-info.rules