alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Maldoc Activity"; flow:established,to_server; http.uri; content:"/nt.php/?dt="; startswith; content:"-EX-1&ct="; distance:0; fast_pattern; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:trojan-activity; sid:2033987; rev:4; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_24;)