alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious TLS Certificate - Possible 👿 Bumblebee 🐝 🪟 flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C=US"; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; fast_pattern; content:"CN=*.malware.com"; tls.cert_subject; content:"ST=Some-State"; content:"O=Internet Widgits Pty Ltd"; content:"CN=*.malware.com"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Bumblebee, created_at 2024_02_18, updated_at 2024_02_21; sid:3301140; rev:2; classtype:command-and-control;)