REMOTE [PTsecurity] Possible PupyRAT
Sourceptrules/open
Fileptopen-malware.rules
CreatedOctober 9, 2025
UpdatedOctober 9, 2025
Classificationtrojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"REMOTE [PTsecurity] Possible PupyRAT"; flow:established, to_client ; content:"200"; http_stat_code; content:"Content-Type: text/html|3b| charset=utf-8" ; http_header; content:"Connection: keep-alive" ; nocase; http_header; content:"X-Poll-Required: true" ; http_header; fast_pattern; content:"Server:" ; http_header; content:"Content-Length:" ; http_header; pcre:"/^(?:[A-Za-z0-9\-\_]{4}){10,}(?:[A-Za-z0-9\-\_]{2}[AEIMQUYcgkosw048]|[A-Za-z0-9\-\_][AQgw])$|(?:[A-Za-z0-9\-\_]{4}){11,}$/Q" ; reference:url, https://github.com/n1nj4sec/pupy/ ; reference:url, rules.ptsecurity.com ; classtype:trojan-activity; sid:10008452; rev:2;)
References
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!