alert http $HOME_NET any -> any any (msg:"ET MALWARE HATVIBE C2 Beacon"; flow:established,to_server; flowbits:set,ET.HATVIBE.Beacon; http.method; content:"POST"; http.uri; bsize:11; content:"/engine.php"; fast_pattern; http.request_body; pcre:"/^[a-z]{9}\x3d[^\x26]*?\x26[a-z]{9}\x3d\x7b\x22/"; reference:url,www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled; classtype:trojan-activity; sid:2062593; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_05_27, deployment Perimeter, confidence High, signature_severity Major, updated_at 2025_05_27; target:src_ip;)