alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gamaredon CnC Activity (POST) M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?=Write"; isdataat:!3,relative; fast_pattern; http.user_agent; content:"|3b 3b 2f 2e|"; content:"|2f 2e|"; endswith; http.accept_lang; content:"ru|2d|RU|2c|ru|3b|q|3d|0|2e|8|2c|en|2d|US|3b|q|3d|0|2e|6|2c|en|3b|q|3d|0|2e|4"; bsize:35; reference:url,scpc.gov.ua/api/docs/19b0a96e-8c31-44bf-863e-cd3e0b651f22/19b0a96e-8c31-44bf-863e-cd3e0b651f22.pdf; reference:url,unit42.paloaltonetworks.com/trident-ursa/#post-126209-_kwk9f3k7n6vn; classtype:trojan-activity; sid:2044128; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_02_06, deployment Perimeter, deployment SSLDecrypt, malware_family Win32_Gamaredon, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_11, reviewed_at 2023_11_17;)