alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Zebrocy/Zekapab Reporting to CnC M3"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla|20|v5.1|20 28|Windows"; depth:21; http.request_body; content:"regid="; depth:6; content:"%20FIXED,%20TOTAL|3a|%20"; distance:0; content:"%0AHost%20Name|3a|%20%20%20%20%20%20"; distance:0; content:"%0AOS%20Name|3a|%20%20%20%20%20"; fast_pattern; content:"%0AOS%20Version|3a|%20%20%20%20%20%20"; distance:0; reference:url,unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/; classtype:targeted-activity; sid:2026762; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, confidence High, signature_severity Major, tag APT28, updated_at 2020_08_27;)