alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE Glassworm CnC Activity (CrowdStrike Sinkhole)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"164.92.88.210"; fast_pattern; reference:url,crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/; reference:url,koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace; classtype:command-and-control; sid:2069478; rev:1; metadata:attack_target Client_Endpoint, created_at 2026_05_28, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag c2, updated_at 2026_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel; target:src_ip;)