Check reference for packets and samples. There is an existing MintsLoader sig, but it relies on the old &s=mint, where this varies now. Hopefully this should better match it, with the key digits, then S being any name, but it ends on it in the URI.
The HTTP header is also quite minimalist, with URI, User-Agent and Host, and occasionally other headers too, but as this could change I did not focus on this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Mints.Loader GET Request"; flow:established,to_server; content:"GET"; http_method; content:".php?id="; http_uri; content:"&key="; http_uri; content:"&s="; http_uri; content:"WindowsPowerShell/"; http_header; fast_pattern:only; pcre:"/&key=\d{10,}&s=[a-z0-9]{1,}$/Ui"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf; sid:156001; rev:1;)
Kind Regards,
Kevin
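Added example, not part of the post above or of the ET ruleset: a Python restatement of the rule's match conditions, run over constructed requests to show which URI shapes alert (varied `s` values and the old `s=mint`) and which do not. It assumes the third URI content match is `&s=`, as the rule's pcre requires; the host, path, `id`, `key` and User-Agent version values are constructed placeholders.

```python
import re

# Python restatement of the rule's match conditions; not Snort/Suricata itself.
# Assumption: the third http_uri content is "&s=", as the rule's pcre requires.
URI_CONTENTS = (".php?id=", "&key=", "&s=")
HEADER_CONTENT = "WindowsPowerShell/"          # case-sensitive, like the rule
PCRE = re.compile(r"&key=\d{10,}&s=[a-z0-9]{1,}$", re.IGNORECASE | re.ASCII)

def parse_request(raw):
    """Split a raw HTTP request into method, URI and header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, headers

def rule_matches(raw):
    """True when every content match and the pcre would hit."""
    method, uri, headers = parse_request(raw)
    return ("GET" in method
            and all(c in uri for c in URI_CONTENTS)
            and HEADER_CONTENT in headers
            and PCRE.search(uri) is not None)

def request(method, uri, agent):
    # Constructed request; host, path and values are placeholders.
    return (f"{method} {uri} HTTP/1.1\r\nUser-Agent: {agent}\r\n"
            "Host: loader.example.test\r\n\r\n")

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
SAMPLES = {
    "varied s value":   request("GET", "/a.php?id=HOST01&key=12345678901&s=527", PS_UA),
    "old s=mint value": request("GET", "/a.php?id=HOST01&key=12345678901&s=mint", PS_UA),
    "key too short":    request("GET", "/a.php?id=HOST01&key=123456789&s=527", PS_UA),
    "param after s":    request("GET", "/a.php?id=HOST01&key=12345678901&s=527&x=1", PS_UA),
    "other user agent": request("GET", "/a.php?id=HOST01&key=12345678901&s=527", "curl/8.0"),
    "POST method":      request("POST", "/a.php?id=HOST01&key=12345678901&s=527", PS_UA),
}

def evaluate():
    """Map each constructed sample name to whether the rule logic would alert."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'no alert':8}  {name}")
```

The "param after s" case shows the effect of the `$` anchor: any parameter appended after `s` stops the rule from firing.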