SIG: ET MALWARE Gamaredon TryCloudFlare Activity - Known Delimiter in User-Agent

kevross33 · May 22, 2025, 5:55pm

alert http $HOME_NET any → $EXTERNAL_NET any (msg:“ET MALWARE Gamaredon APT TryCloudFlare Activity - Known Delimiter in User-Agent”; flow:established,to_server; http.host; content:“.trycloudflare.com”; http.user_agent; content:“|3B 3B|/.”; classtype:trojan-activity; reference:url,Inside Gamaredon's PteroLNK: Dead Drop Resolvers and evasive Infrastructure - HarfangLab | Your endpoints, our protection; sid:154001; rev:1;)

Kind Regards,
Kevin Ross

ishaughnessy · May 22, 2025, 10:40pm

hey @kevross33 - thanks for sending our way! Here are the sid details:

  2062541 - Gamaredon APT TryCloudFlare CnC Activity - Known Delimiter in User-Agent

Topic		Replies	Views
ET MALWARE Gamaredon.APT TryCloudFlare Activity Rule Signatures	2	156	January 7, 2025
SIGS: Possible Gamaredon APT Delimiter Rule Signatures	2	100	April 25, 2025
SIG: ET MALWARE LitterDrifter Gamaredon.APT HTTP POST Rule Signatures	1	30	May 22, 2025
SIGNATURE: MalDoc/Gamaredon CnC: (ADMIN- prepend) Rule Signatures	2	325	July 27, 2023
New Signature: MalDoc/Gamaredon CnC Activity Rule Signatures etopen	1	206	May 19, 2023