alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GachiLoader Staging HTTP Request"; flow:established,to_server; http.uri; content:"/richfamily/"; startswith; http.header; content:"x-secret|3a 20|gachifamily"; fast_pattern; nocase; http.method; content:"GET"; reference:url,research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/; classtype:trojan-activity; sid:2066446; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_12_23, deployment Perimeter, deployment SSLDecrypt, malware_family GachiLoader, confidence High, signature_severity Major, tag c2, updated_at 2025_12_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)