STEALER [PTsecurity] StomExfiltrator (APT Mysterious Elephant)

SID: 10015442
Rev: 1
Enabled
File: ptopen-malware.rules
Created: June 23, 2026
Updated: June 23, 2026
Classification: trojan-activity
alert http any any -> any any (msg:"STEALER [PTsecurity] StomExfiltrator (APT Mysterious Elephant)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/upload"; startswith; endswith; http.header; content:!"Referer|3a|"; content:"X-Username|3a|"; nocase; content:"X-SystemName|3a|"; nocase; fast_pattern; content:"filename|3a|"; nocase; threshold:type limit, track by_dst, count 1, seconds 120; reference:url, app.any.run/tasks/28d9b047-852f-4d2d-853e-c7a085869ee4; reference:url, securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10015442; rev:1;)
