ET HUNTING Fake Github .com Html Footer

SID: 2067664Rev: 10 views
Sourceet/open
CreatedFebruary 13, 2026
UpdatedFebruary 13, 2026
Classificationmisc-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Fake Github .com Html Footer"; flow:established,to_client; http.response_body; content:"|3c|a|20|href|3d 22|https|3a 2f 2f|docs|2e|github|2e|com|2f|en|22 3e|Help|3c 2f|a|3e|"; fast_pattern; content:"|3c|a|20|href|3d 22|https|3a 2f 2f|support|2e|github|2e|com|2f|contact|22 3e|Contact|3c 2f|a|3e|"; content:"|3c|a|20|href|3d 22|https|3a 2f 2f|docs|2e|github|2e|com|2f|en|2f|site|2d|policy|2f|privacy|2d|policies|2f|github|2d|cookies|22 3e|Manage|20|cookies|3c 2f|a|3e|"; reference:url,securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/; reference:url,x.com/suyog41/status/2019657315486712009; classtype:misc-activity; sid:2067664; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_02_13, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, updated_at 2026_02_13; target:dest_ip;)

References

urlsecuritylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/
urlx.com/suyog41/status/2019657315486712009

Metadata

affected productWeb_Browsers
attack targetClient_Endpoint
tls stateTLSDecrypt
created at2026_02_13
deploymentSSLDecrypt
confidenceMedium
signature severityInformational
updated at2026_02_13

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!