Forgive me for my insistence, I revised the detection criteria to focus on the content. Here I have added a few bytes from the TLS handshake and suggest checking the following rule:
alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy"; flow: established, to_server; content: "|10 61 62 16 03 01 00 ee 01 00 00 ea 03 03|";depth:14; classtype: command-and-control;reference:md5,8d4f9c64ba15f7cabd81936d1c8c83d4;reference:url,app.any.run/tasks/128bd923-3347-4a7f-8261-9a4c7cb29ea8;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family hydrochasma, created_at 2023_07_07;sid: 1; rev: 1;)