alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gremlin Stealer CnC Exfil (POST)"; flow:established,to_server; flowbits:set,ET.Gremlin.Exfil; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name|3d|file|3b 20|filename|3d|"; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}\x2ezip\x3b/R"; content:"|0d 0a 0d 0a 50 4b|"; distance:0; content:"|24|creen|2e|jpeg"; distance:0; fast_pattern; content:"Information.txt"; content:"Process.txt"; reference:md5,fccebee340a7006a339835a290922397; reference:url,unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram; reference:url,community.emergingthreats.net/t/sig-et-malware-possible-gremlin-infostealer-data-upload/2680/1; classtype:trojan-activity; sid:2061959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_04_29, deployment Perimeter, malware_family GremlinStealer, confidence High, signature_severity Critical, tag c2, updated_at 2025_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)