alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinMiner Exfiltration via IRC Config Inbound (Italian)"; flow:established,to_client; http.response_body; content:"|2f 2f 20|Configurazione|20|del|20|bot|20|IRC"; fast_pattern; content:"|2f 2f 20|Sostituisci|20|con|20|l|27|indirizzo|20|del|20|server|20|IRC"; distance:0; content:"|2f 2f 20|Username|20|del|20|bot"; distance:0; content:"|2f 2f 20|Realname|20|del|20|bot"; reference:md5,8524f6f843902e2d19f29a578f76adf6; classtype:trojan-activity; sid:2059794; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_01_31, deployment Perimeter, confidence High, signature_severity Major, tag Coinminer, updated_at 2025_01_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking; target:dest_ip;)