ET MALWARE Suspected Lazarus APT Validator Related Activity (POST)

SID: 2049690
Rev: 1
Source: et/open
Created: December 14, 2023
Updated: December 14, 2023
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Validator Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; bsize:48; http.content_type; content:"application/octet-stream"; bsize:24; http.content_len; byte_test:0,=,33,0,string,dec; reference:md5,b458e336911f092177a64d07b0bf1c76; reference:md5,fed5ff0f9460fea41a8278fffa4c2ddb; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf; classtype:trojan-activity; sid:2049690; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_12_14, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_14; target:src_ip;)

Metadata

attack target: Client_Endpoint
created at: 2023_12_14
deployment: SSLDecrypt
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_12_14
