alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GET Request to Likely ClickFix Staging Site"; flow:established,to_server; urilen:4; http.method; content:"GET"; http.uri; content:"/win"; fast_pattern; http.host; bsize:>12; content:"booking."; startswith; content:!"booking.com"; endswith; reference:url,urlscan.io/search/#page.domain%253A(booking*)%2520AND%2520page.url%253A%2522%252Fwin%2522; reference:url,tria.ge/250429-tfr7tstqy7; classtype:trojan-activity; sid:2062027; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_05_01, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence High, signature_severity Major, updated_at 2025_05_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:src_ip;)