alert http 193.3.19.163 any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Likely ClickFix Related Staging Domain"; flow:established,to_client; http.response_body; content:"is|20|ready|2e 20|The|20|content|20|is|20|to|20|be|20|added|3c 2f|title|3e|"; content:"|20 d1 82 d0 be d0 bb d1 8c d0 ba d0 be 20 d1 87 d1 82 d0 be 20 d1 81 d0 be d0 b7 d0 b4 d0 b0 d0 bd 2e 20 d0 a1 d0 be d0 b4 d0 b5 d1 80 d0 b6 d0 b8 d0 bc d0 be d0 b5 20 d0 bf d0 be d1 8f d0 b2 d0 b8 d1 82 d1 81 d1 8f 20 d0 bf d0 be d0 b7 d0 b6 d0 b5 22 3b|"; fast_pattern; distance:0; reference:url,urlscan.io/result/019650b0-2135-70d8-ae79-c99765f42b52/dom/; classtype:trojan-activity; sid:2061866; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_04_24, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence Medium, signature_severity Major, tag compromised_website, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)