alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atomic Stealer Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p2p"; bsize:4; http.header.raw; content:"Host|3a|"; content:!"|20|"; within:1; content:"|0d 0a|uuid|3a|"; fast_pattern; content:!"|20|"; within:1; http.request_body; content:"PK"; startswith; content:"rootPK"; distance:0; reference:md5,8a2f7bacd04659f0d838e5b6c892b962; reference:url,www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version; classtype:trojan-activity; sid:2050278; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2024_01_22, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_22; target:src_ip;)