alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Lumma Stealer 👿 HTTP request 🪟 to C2"; flow:to_server, stateless; flowbits:set,pptrls.lumma-stealer; flowbits:isnotset,pptrls.lumma-stealer; http.method; content:"POST"; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 30 39 2e 30 2e 35 34 31 34 2e 31 32 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36|"; http.request_body; content:"Content-Disposition"; content:"form-data"; content:"uid"; content:"pid"; content:"hwid"; content:"file"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Lumma_Stealer, created_at 2026_03_21, updated_at 2026_03_21; sid:3321481; rev:1; classtype:trojan-activity;)