ET PHISHING Darcula Credential Phish Landing Page M2 2025-02-27
Source: et/open
Created: February 27, 2025
Updated: February 27, 2025
Classification: credential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Darcula Credential Phish Landing Page M2 2025-02-27"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|27 e5 bd 93 e5 89 8d e6 ad a3 e5 9c a8 e8 87 aa e5 ae 9a e4 b9 89 e9 aa 8c e8 af 81 e9 a1 b5 27|"; fast_pattern; content:"|27 e5 bd 93 e5 89 8d e6 ad a3 e5 9c a8 61 70 70 e9 aa 8c e8 af 81 e9 a1 b5 27|"; content:"|27 e5 bd 93 e5 89 8d e6 ad a3 e5 9c a8 e9 aa 8c e8 af 81 e7 a0 81 e9 aa 8c e8 af 81 e9 a1 b5 27|"; content:"|2f|verify-ba"; content:"|2f|verify-sm"; content:"cula-js"; content:"darcula-ap"; content:"darculaApp"; content:"darcula|5c|x20ap"; content:"darcula|5c|x20ta"; content:"nitilize|2c 5c|x20"; reference:url,bleepingcomputer.com/news/security/darcula-phaas-can-now-auto-generate-phishing-kits-for-any-brand/; classtype:credential-theft; sid:2060403; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_02_27, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Phishing, tag Darcula, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)