alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phantom Captcha Client Checkin"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"|2f|cptch|2f|"; fast_pattern; startswith; pcre:"/^(?:[a-zA-Z0-9]{2})$/R"; reference:url,sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/; reference:md5,61660f072008998bf57f8ad602408b68; classtype:command-and-control; sid:2065359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_10_23, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Critical, tag c2, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)