alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, malware_family Gamaredon, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_14;)