alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING EvilGinX Fake Captcha JS Resource Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cdn-cgi/challenge-platform/"; startswith; fast_pattern; content:"/main.js"; endswith; classtype:credential-theft; sid:2066879; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_01_21, deployment Perimeter, deployment SSLDecrypt, malware_family evilginx2, confidence Medium, signature_severity Major, updated_at 2026_01_22; target:src_ip;)