alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VoidLink C2 API Requests Outbound"; flow:established,to_server; flowbits:isset,http.dottedquadhost; http.uri; content:"/api/"; pcre:"/^(?:v(?:1\x2f(?:notifications|settings|analytics\x2fevents)|2\x2f(?:sync|heartbeat))|health\x2fcheck|metrics|plugins\x2f[\w\.]+|sideload(?:\x2f[\w\.]+)?)$/R"; http.header_names; bsize:52; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; fast_pattern; http.content_type; content:"application/json"; reference:url,research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/; classtype:trojan-activity; sid:2067196; rev:1; metadata:attack_target Client_Endpoint, created_at 2026_01_30, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2026_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)