alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InvisibleFerret CnC Activity (GET) M6"; flow:established,to_server; urilen:<17; http.method; content:"GET"; http.uri; content:"/load/"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{5,10}$/R"; http.user_agent; content:"python-requests"; startswith; http.connection; content:"keep-alive"; http.header; content:"|0d 0a|Accept|2d|Encoding|3a 20|gzip|2c 20|deflate"; reference:md5,97f393aa0083ea0866b5db95f78f3f07; reference:url,mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505519&idx=1&sn=594229f2c0123673d1fa9c6cf729858b&chksm=f9c1e566ceb66c701d875de8481fe02d89654d4b56cfc51088de6e421cb701437cdab52a0851&scene=178&cur_album_id=1955835290309230595; reference:md5,2a8e4281213e4aaa485612f9ded261a2; reference:url,any.run/cybersecurity-blog/invisibleferret-malware-analysis; classtype:command-and-control; sid:2060587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_03_04, deployment Perimeter, malware_family InvisibleFerret, performance_impact Moderate, confidence High, signature_severity Critical, tag Lazarus, tag c2, updated_at 2025_03_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)