alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Donot Group Related Activity (Response)"; flow:established,to_client; flowbits:isset,ET.donotgroup; file.data; content:".dll|3e|"; depth:20; fast_pattern; content:"|7c|"; distance:0; within:25; reference:url,ti.qianxin.com/blog/articles/Heavy-Shadows:-Summary-of-Recent-Attack-Techniques-Used-by-Donot-Group-EN/; reference:md5,d7e123fe7fb8a5f56ec9d89f7787340d; classtype:trojan-activity; sid:2047033; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_08_03, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_03, reviewed_at 2024_05_07; target:dest_ip;)