alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING LuminousStealer Legitimate Traffic Impersonation"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Sec|2d|Fetch|2d|Dest|3a 20|empty|0a|Sec|2d|Fetch|2d|Mode|3a 20|cors|0a|Sec|2d|Fetch|2d|Site|3a 20|cross|2d|site|0a|Sec|2d|Ch|2d|Ua|3a 20 22|Not|5f|A|20|Brand|22 3b|v|3d 22|8|22 2c 20 22|Chromium|22 3b|v|3d 22|120|22 2c 20 22|Google|20|Chrome|22 3b|v|3d 22|120|22 0a|Sec|2d|Ch|2d|Ua|2d|Mobile|3a 20 3f|0|0a|Sec|2d|Ch|2d|Ua|2d|Platform|3a 20 22|Windows|22|"; fast_pattern; http.host; pcre:"/(?:google|bing|duckduckgo|yahoo|reddit|twitter|facebook)\x2ecom$/"; reference:url,bitdefender.com/en-us/blog/businessinsights/apt36-nightmare-vibeware; classtype:trojan-activity; sid:2068052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_03_06, deployment Perimeter, deployment SSLDecrypt, malware_family LuminousStealer, performance_impact Significant, confidence Low, signature_severity Informational, updated_at 2026_03_06, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1036, mitre_technique_name Masquerading; target:src_ip;)