detection rulesuricata

C2 VoidLink agent binary download (fleet-agent-linux)

First seen: 2026-06-16
Last seen: 2026-06-16
Used in: 1 post

SuricataC2 VoidLink agent binary download (fleet-agent-linux)

alert http $HOME_NET any -> any 3100 (msg:"C2 VoidLink agent binary download (fleet-agent-linux)"; \
  flow:to_server,established; \
  http.method; content:"GET"; \
  http.uri; content:"/downloads/fleet-agent-linux-"; \
  classtype:trojan-activity; sid:1000231009; rev:2; \
  metadata:created_at 2026-06-07;)

Posts using this rule

highSelf-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
Egress · TCP/3100 · SID 1000231009
The agent self-updates by fetching new builds from the C2's distribution endpoint at `/downloads/fleet-agent-linux-{arch}`. Pinned to port 3100 to avoid false positives against legitimate fleet-management tools on standard HTTP ports.
2026-06-10