alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Dotted Quad Host Suspected IoT Botnet Loader Shell Script"; flow:established,to_client; flowbits:isset,http.dottedquadhost; http.stat_code; content:"200"; http.response_body; content:"|23 21 2f|bin|2f|sh"; fast_pattern; nocase; pcre:"/^.*?(?:arc|arm|arm5|arm6|arm7|armv5l|armv7l|m68k|mipsel|mips|x86|x86_64|i686|ppc|powerpc|sh4|sparc)/Ri"; reference:url,www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/satori-iot-botnet/; classtype:trojan-activity; sid:2063020; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Linux_Unix, tls_state plaintext, created_at 2025_06_16, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2025_06_16, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059, mitre_technique_name Command_And_Scripting_Interpreter; target:dest_ip;)