alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GTPDoor Ack Beacon Request (TCP)"; flow:not_established,to_server; tcp.flags:A; seq:0; window:1024; xbits:set,ET.gptdoor.tcp,track ip_pair,expire 10; reference:url,github.com/haxrob/gtpdoor-scan; reference:url,doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR; classtype:trojan-activity; sid:2063377; rev:1; metadata:affected_product Linux, attack_target Server, tls_state plaintext, created_at 2025_07_09, deployment Perimeter, deployment Internal, deployment Datacenter, malware_family GTPDoor, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_09, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)