detection rulesuricata

C2 VoidLink bootstrap install script fetch

First seen: 2026-06-16
Last seen: 2026-06-16
Used in: 1 post

SuricataC2 VoidLink bootstrap install script fetch

alert http $HOME_NET any -> any 3100 (msg:"C2 VoidLink bootstrap install script fetch"; \
  flow:to_server,established; \
  http.method; content:"GET"; \
  http.uri; content:"/api/bootstrap-install-script?key="; \
  classtype:trojan-activity; sid:1000231010; rev:1; \
  metadata:created_at 2026-06-07;)

Posts using this rule

highSelf-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
Egress · TCP/3100 · SID 1000231010
The initial infection retrieves the install script from a keyed endpoint. The `?key=` parameter is the shared enrollment token.
2026-06-10