alert http $HOME_NET any -> any 3100 (msg:"C2 VoidLink agent enrolment (POST /api/agents/enroll)"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/api/agents/enroll"; \
http.request_body; content:"\"mode\""; content:"\"token\""; distance:0; within:120; \
classtype:trojan-activity; sid:1000231007; rev:2; \
metadata:created_at 2026-06-07;)

Egress · TCP/3100 · SID 1000231007
The agent registers with the C2 via `POST /api/agents/enroll` on TCP/3100. The enrollment body carries a distinctive `"mode":"root"` (or `"non-root"`) field alongside a `"token":` credential. The rule stacks three independent anchors (port + URI path + body fields) to minimise false positives against legitimate agent frameworks.
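As an added example (not part of the original page or the rule author's tooling), the following Python emulates how the rule's three anchors and the `distance:0; within:120` body modifiers combine, so an analyst can check which requests would and would not fire before deploying it. The HTTP requests, the host `203.0.113.10` and the `PLACEHOLDER_TOKEN` value are constructed samples, not captured traffic; the request parser is a minimal one written for this example, and the `flow:to_server,established` condition is not emulated.

```python
# Added example (not from the original page): emulates the matching logic of
# sid 1000231007 over constructed HTTP requests so the three anchors and the
# distance/within modifiers can be exercised offline. Hosts, tokens and ports
# in the samples are constructed placeholders, not captured traffic.
from dataclasses import dataclass

DST_PORT = 3100                      # "-> any 3100"
URI_PATH = "/api/agents/enroll"      # http.uri; content:"/api/agents/enroll"
FIRST = b'"mode"'                    # http.request_body; content:"\"mode\""
SECOND = b'"token"'                  # content:"\"token\""; distance:0; within:120
WITHIN = 120


@dataclass
class Request:
    dst_port: int
    method: str
    uri: str
    body: bytes


def parse_raw_request(raw: bytes, dst_port: int) -> Request:
    """Minimal HTTP/1.1 request parser for this example: request line plus
    everything after the blank line as the body (Content-Length not honoured)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return Request(dst_port, method.decode("ascii"), uri.decode("ascii"), body)


def body_matches(body: bytes) -> bool:
    """Relative match: "token" must lie entirely inside the 120 bytes that
    follow the end of a "mode" match. As Suricata does, every occurrence of
    the first pattern is tried before the check is given up."""
    pos = 0
    while True:
        hit = body.find(FIRST, pos)
        if hit < 0:
            return False
        window_start = hit + len(FIRST)                     # distance:0
        window = body[window_start:window_start + WITHIN]   # within:120
        if SECOND in window:
            return True
        pos = hit + 1


def rule_matches(req: Request) -> bool:
    """All anchors must hold: destination port, method, URI path, body fields."""
    return (req.dst_port == DST_PORT
            and "POST" in req.method
            and URI_PATH in req.uri
            and body_matches(req.body))


def build(method: str, uri: str, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 request around the given body."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: 203.0.113.10\r\n"
            f"Content-Type: application/json\r\nContent-Length: {len(body)}\r\n\r\n"
            ).encode("ascii") + body


# Constructed samples: one enrolment shaped as the paragraph describes, and
# three near-misses a tuning engineer would want to confirm do NOT fire.
ENROL_BODY = b'{"mode":"root","token":"PLACEHOLDER_TOKEN","host":"ws42"}'
SAMPLES = {
    "enrolment":      (3100, build("POST", "/api/agents/enroll", ENROL_BODY)),
    "wrong_port":     (8080, build("POST", "/api/agents/enroll", ENROL_BODY)),
    "wrong_method":   (3100, build("GET",  "/api/agents/enroll", ENROL_BODY)),
    # same fields, but "token" begins 150 bytes after "mode" ends: outside within:120
    "fields_too_far": (3100, build("POST", "/api/agents/enroll",
                                   b'{"mode":"root","pad":"' + b"A" * 150 +
                                   b'","token":"PLACEHOLDER_TOKEN"}')),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule; True means it would alert."""
    return {name: rule_matches(parse_raw_request(raw, port))
            for name, (port, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:15s} {'ALERT' if fired else '-'}")
```

The `fields_too_far` sample is the one worth keeping in a regression set: it has every byte the rule looks for, yet does not alert, which is exactly the trade-off `within:120` buys against a long JSON body where the two fields drift apart.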