alert tcp-pkt any any -> any any (msg:"REMOTE [PTsecurity] KongRAT Requesting Payload"; flow:established, to_server; stream_size:client, <, 43; content:"MPK1"; startswith; fast_pattern; content:"|00|H|05|"; distance:0; content:"|ff ff ff ff|"; endswith; threshold:type limit, track by_src, seconds 180, count 1; reference:url, www.virustotal.com/gui/file/ed68397183e72e7113c8ac4aceddf2051abf55d7c62b6fa69f62cbda11324ab8/detection; reference:url, www.esentire.com/blog/multi-stage-seo-poisoning-campaign-targets-chinese-speaking-developers-with-kong-rat; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10017435; rev:1;)