alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Donot Group Related Activity (POST)"; flow:established,to_server; flowbits:set,ET.donotgroup; flowbits:noalert; http.method; content:"POST"; http.uri; content:!"|2e|"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"data="; startswith; fast_pattern; target:src_ip; reference:url,ti.qianxin.com/blog/articles/Heavy-Shadows:-Summary-of-Recent-Attack-Techniques-Used-by-Donot-Group-EN/; reference:md5,d7e123fe7fb8a5f56ec9d89f7787340d; classtype:trojan-activity; sid:2047032; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_08_03, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_31; target:src_ip;)