alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE MOONSHINE payload C2 activity"; flow:established,to_server; http.uri; content:"/ws?whisky_id|3d|"; fast_pattern; http.header; content:"Upgrade|3a 20|websocket"; http.user_agent; content:"hots|20|scot"; depth:9; reference:url,citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits; classtype:trojan-activity; sid:2028622; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_25, deployment Perimeter, malware_family Android_Moonshine, confidence High, signature_severity Critical, tag Android, updated_at 2020_09_02;)