alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AsyncRAT Installer Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|s|3d|"; pcre:"/^\x2f\d\x2ephp\x3fs\x3d[a-zA-Z0-9]{6,10}$/"; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; http.host; content:".top"; endswith; reference:url,x.com/Unit42_Intel/status/1760426508558950518; reference:md5,0132c264b8515524ed8e8133e4035ab8; classtype:command-and-control; sid:2060669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_03_06, deployment Perimeter, malware_family AsyncRAT, confidence High, signature_severity Critical, tag c2, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_03_06, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1203, mitre_technique_name Exploitation_For_Client_Execution;)