alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response"; flow:established,to_client; file.data; content:"cmd"; nocase; startswith; content:"new%2520ActiveXObject%2528%2522WinHttp.WinHttpRequest.5.1"; distance:0; content:"GET%2522%252Cunescape"; distance:0; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033181; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_06_24;)