alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"🐾 - 🚨 Suspicious Python 🐍 urllib request to ip-api.com - Seen in 👿 BlankGrabber 🪟 attacks"; flow:to_server, stateless; flowbits:set,pptrls.pythurlipapi; flowbits:isnotset,pptrls.pythurlipapi; http.user_agent; content:"python-urllib3"; nocase; http.host.raw; content:"ip-api.com"; http.method; content:"GET"; http.accept_enc; content:"identity"; http.uri; content:"/line/?fields=hosting"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber; reference:url,https://c-b.io/blog/dissecting_blankgrabber/; reference:url,https://docs.python.org/fr/3/library/urllib.html; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family BlankGrabber, created_at 2025_03_16, updated_at 2025_03_16; sid:3321425; rev:1; classtype:trojan-activity;)