alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hyperion Obfuscator Payload Inbound"; flow:established,to_client; http.response_body; content:"from|20|builtins|20|import|20 2a 3b|"; startswith; content:"|5b 27 5c|x64|5c|x65|5c|x63|5c|x6f|5c|x6d|5c|x70|5c|x72|5c|x65|5c|x73|5c|x73|27 5d|"; distance:0; fast_pattern; content:"|5b 27 5c|x65|5c|x76|5c|x61|5c|x6c|27 5d|"; distance:0; classtype:trojan-activity; sid:2039716; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_11_04, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_04, reviewed_at 2025_10_24;)