alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon Activity (Retrieving Remote .dot)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prior/energy/bidding.dot"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, malware_family Gamaredon, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_05;)