alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE GETA RAT Obfuscated Payload Inbound"; flow:established,to_client; http.response_body; content:"|3d|String|2e|fromCharCode|2c|i|3d 5b 5b|65|2c|91|5d 2c 5b|97|2c|123|5d 2c 5b|48|2c|58|5d 2c 5b|43|2c|44|5d 2c 5b|47|2c|48|5d 5d 3b|for|28|z|20|in|20|i|29|for|28|r|3d|i|5b|z|5d 5b|0|5d|"; fast_pattern; content:"|22|NMSOW|5f 24 5e 2a 24 5f|68923|5f|MOXOE|22 3b|"; reference:md5,6baf7121594b84177eec4420875908cf; classtype:trojan-activity; sid:2066655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_01_09, deployment Perimeter, deployment SSLDecrypt, malware_family GETARAT, confidence Medium, signature_severity Major, updated_at 2026_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)