ET EXPLOIT GTPDoor Trigger Packet Request

SID: 2063367Rev: 11 views

Sourceet/open

CreatedJuly 9, 2025

UpdatedJuly 9, 2025

Classificationtrojan-activity

alert udp any any -> any 2123 (msg:"ET EXPLOIT GTPDoor Trigger Packet Request"; flow:stateless,to_server; content:"|01|"; offset:1; depth:1; content:"|72 1f 18 08|"; distance:15; within:4; fast_pattern; xbits:set,ET.gptdoor.udp,track ip_pair,expire 10; threshold:type limit,track by_src,count 1,seconds 600; reference:url,doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR; reference:url,github.com/sud0woodo/detect_gtpdoor; classtype:trojan-activity; sid:2063367; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_09, deployment Internal, deployment Datacenter, malware_family GTPDoor, confidence Medium, signature_severity Major, updated_at 2025_07_09, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)

References

url	doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
url	github.com/sud0woodo/detect_gtpdoor

Metadata

affected productLinux

attack targetNetworking_Equipment

tls stateplaintext

created at2025_07_09

deploymentDatacenter

malware familyGTPDoor

confidenceMedium

signature severityMajor

updated at2025_07_09

mitre tactic idTA0008

mitre tactic nameLateral_Movement

mitre technique idT1210

mitre technique nameExploitation_Of_Remote_Services

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!