ET MALWARE StealC v2 Fake 404 Page Observed
Source: et/open
Created: April 22, 2025
Updated: April 22, 2025
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StealC v2 Fake 404 Page Observed"; flow:established,to_client; http.response_body; bsize:<435; content:"|3c 21|DOCTYPE|20|html|3e|"; startswith; content:"|3c 21|DOCTYPE|20|html|3e 0a 3c|html|3e 0a 3c|head|3e 0a 20 20 20 20 3c|meta|20|charset|3d 22|utf|2d|8|22 3e 0a 20 20 20 20 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 0a 20 20 20 20 3c|style|3e 0a 20 20 20 20 20 20 20 20|body|20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20|width|3a 20|35em|3b 0a 20 20 20 20 20 20 20 20 20 20 20 20|margin|3a 20|0|20|auto|3b 0a 20 20 20 20 20 20 20 20 20 20 20 20|font|2d|family|3a 20|Tahoma|2c 20|Verdana|2c 20|Arial|2c 20|sans|2d|serif|3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f|style|3e 0a 3c 2f|head|3e 0a 3c|body|3e 0a 20 20 20 20 3c|h1|3e|Not|20|Found|3c 2f|h1|3e 0a 20 20 20 20 3c|p|3e|The|20|requested|20|URL|20|was|20|not|20|found|20|on|20|this|20|server|2e 3c 2f|p|3e 0a 20 20 20 20 3c|hr|3e 0a 20 20 20 20 3c|address|3e|nginx|2f|1|2e|18|2e|0|20 28|Ubuntu|29 3c 2f|address|3e 0a 3c 2f|body|3e 0a 3c 2f|html|3e|"; fast_pattern; reference:url,x.com/g0njxa/status/1910366345809530929; classtype:trojan-activity; sid:2061789; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_04_22, deployment Perimeter, deployment SSLDecrypt, malware_family Stealc, confidence Medium, signature_severity Major, updated_at 2025_04_22; target:dest_ip;)
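The rule's matching logic is easier to reason about once the pipe-delimited hex in the content keyword is decoded back into the HTML it encodes. The script below is an added example, not part of the ET/Open rule or of the page: it decodes the rule's content string with a small parser for Suricata content notation, then evaluates the three http.response_body conditions (bsize:<435, the startswith match on the DOCTYPE, and the full-page content match) against constructed sample bodies. The sample bodies are constructed for this example; the "stock nginx" body is an approximation of the default nginx 404 page, included to show why the rule keys on a hand-built template rather than on the nginx server string alone. Flow, direction and TLS decryption are outside what this emulates.

```python
"""Added example (not from the ET rule page): decode the content match of
SID 2061789 and evaluate its http.response_body conditions on sample bodies."""

# Content keyword copied verbatim from the rule. Suricata notation puts hex
# bytes between pipes and leaves printable text as-is.
RULE_CONTENT = (
    "|3c 21|DOCTYPE|20|html|3e 0a 3c|html|3e 0a 3c|head|3e 0a 20 20 20 20 3c|"
    "meta|20|charset|3d 22|utf|2d|8|22 3e 0a 20 20 20 20 3c|title|3e|404|20|"
    "Not|20|Found|3c 2f|title|3e 0a 20 20 20 20 3c|style|3e 0a 20 20 20 20 20 20 20 20|"
    "body|20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20|width|3a 20|35em|"
    "3b 0a 20 20 20 20 20 20 20 20 20 20 20 20|margin|3a 20|0|20|auto|"
    "3b 0a 20 20 20 20 20 20 20 20 20 20 20 20|font|2d|family|3a 20|Tahoma|"
    "2c 20|Verdana|2c 20|Arial|2c 20|sans|2d|serif|"
    "3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f|style|3e 0a 3c 2f|head|3e 0a 3c|body|3e 0a 20 20 20 20 3c|"
    "h1|3e|Not|20|Found|3c 2f|h1|3e 0a 20 20 20 20 3c|p|3e|The|20|requested|20|URL|20|was|20|not|20|"
    "found|20|on|20|this|20|server|2e 3c 2f|p|3e 0a 20 20 20 20 3c|hr|3e 0a 20 20 20 20 3c|"
    "address|3e|nginx|2f|1|2e|18|2e|0|20 28|Ubuntu|29 3c 2f|address|3e 0a 3c 2f|body|3e 0a 3c 2f|html|3e|"
)
BSIZE_LIMIT = 435  # from "bsize:<435" in the rule


def decode_content(content: str) -> bytes:
    """Turn Suricata content notation into raw bytes: odd-numbered segments
    (between pipes) are space-separated hex, even-numbered ones literal text."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        out += bytes.fromhex(seg) if i % 2 == 1 else seg.encode("ascii")
    return bytes(out)


# First content: anchored with "startswith". Second content: the whole page,
# marked fast_pattern, searched anywhere in the response body buffer.
PREFIX = decode_content("|3c 21|DOCTYPE|20|html|3e|")
FAKE_PAGE = decode_content(RULE_CONTENT)


def evaluate(body: bytes) -> dict:
    """Return the outcome of each response-body condition separately."""
    return {
        "bsize": len(body) < BSIZE_LIMIT,
        "startswith": body.startswith(PREFIX),
        "content": FAKE_PAGE in body,
    }


def matches_rule(body: bytes) -> bool:
    """All three buffer conditions must hold for the rule to fire."""
    return all(evaluate(body).values())


# Constructed sample 1: the encoded template plus a trailing newline.
FAKE_404_BODY = FAKE_PAGE + b"\n"

# Constructed sample 2: approximation of nginx's own default 404 page. Same
# server string, but different markup and no <!DOCTYPE>, so no alert.
STOCK_NGINX_404_BODY = (
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx/1.18.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n"
)

# Constructed sample 3: the template with extra trailing markup pushing the
# body past 435 bytes; content still matches but bsize does not.
OVERSIZED_BODY = FAKE_PAGE + b"\n<!-- " + b"x" * 64 + b" -->\n"


if __name__ == "__main__":
    print(f"decoded template: {len(FAKE_PAGE)} bytes (limit {BSIZE_LIMIT})")
    samples = [("fake 404", FAKE_404_BODY),
               ("stock nginx 404", STOCK_NGINX_404_BODY),
               ("oversized", OVERSIZED_BODY)]
    for name, body in samples:
        print(f"{name:16s} {evaluate(body)} ->",
              "ALERT" if matches_rule(body) else "no alert")
```

The decoded template is 420 bytes, which is why the rule can afford the 435-byte cap: it rejects bodies that merely embed the template inside a larger page while still allowing a few bytes of trailing whitespace. The decoded bytes are also the form most useful for retro-hunting in proxy or full-content captures where the Suricata notation itself cannot be searched.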
References
url: x.com/g0njxa/status/1910366345809530929
Metadata
attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2025_04_22
deployment: Perimeter, SSLDecrypt
malware family: Stealc
confidence: Medium
signature severity: Major
updated at: 2025_04_22