alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Obfuscated Clickfix Javascript Payload Inbound"; flow:established,to_client; http.response_body; content:"|3c|script|3e 3b|Function|28 22 27|"; startswith; content:"|7e|"; content:"|5e|"; content:"|2f|g|2c 5c 22 5c 22|"; content:"|5c 5c|162|5c 5c|145|5c 5c|160|5c 5c|154|5c 5c|141|5c 5c|143|5c 5c|145|5c|"; distance:0; fast_pattern; reference:url,app.any.run/tasks/364c5c6e-0805-42c5-815a-f1cb704c5d9b; classtype:trojan-activity; sid:2059260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_01_15, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence Medium, signature_severity Major, updated_at 2025_01_15, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information; target:src_ip;)