Ursnif Malware C2 URL Pattern

Detects Ursnif C2 traffic.

Sigma rule

title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019-12-19
modified: 2021-08-09
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - '_2f'
            - '_2b'
    urlpatterns:
        c-uri|contains|all:
            - '.avi'
            - '/images/'
    condition: b64encoding and urlpatterns
falsepositives:
    - Unknown
level: critical
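The rule fires only when both selections hold: the URI carries at least one of the URL-encoded base64 markers `_2f` or `_2b` (the `contains` list is OR-ed by default) and it contains both `.avi` and `/images/` (`contains|all` turns that list into an AND). The following is an added example, not code from the Sigma project or from the rule author: a minimal evaluator for exactly these two modifiers plus an and/or/not condition, run over constructed proxy log lines. The `<timestamp> <client-ip> <uri>` log format, the `example.invalid` host names and the sample URIs are all assumptions made for the example; the case-insensitive comparison mirrors Sigma's default string matching, which the backend you convert the rule to must also honour for the fourth sample line to alert.

```python
"""Run the Ursnif C2 URL Sigma rule logic over constructed proxy log lines.

Minimal evaluator for the Sigma 'contains' / 'contains|all' modifiers and a
simple and/or/not condition; not a full Sigma implementation.
"""
import re
from typing import Any, Dict, List

# Detection block from the rule above, transcribed to a Python dict so the
# example runs without a YAML library.
DETECTION: Dict[str, Any] = {
    "b64encoding": {"c-uri|contains": ["_2f", "_2b"]},
    "urlpatterns": {"c-uri|contains|all": [".avi", "/images/"]},
    "condition": "b64encoding and urlpatterns",
}

# Constructed proxy log lines (timestamp, client IP, c-uri); not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 http://example.invalid/images/AbCd_2fEf_2bGh/xyz.avi
2024-01-01T10:00:01Z 10.0.0.6 http://example.invalid/images/logo.avi
2024-01-01T10:00:02Z 10.0.0.7 http://example.invalid/files/Ab_2fCd.avi
2024-01-01T10:00:03Z 10.0.0.8 http://example.invalid/IMAGES/Ab_2FCd/x.AVI
"""

# Tokens permitted in a condition: parentheses, and/or/not, selection names.
_CONDITION_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")
_KEYWORDS = ("(", ")", "and", "or", "not")


def field_matches(value: Any, modifiers: List[str], patterns: List[Any]) -> bool:
    """Apply Sigma value modifiers to one field value.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. 'contains' does substring matching (otherwise exact match);
    'all' turns the default OR over the pattern list into an AND.
    """
    text = str(value).lower()
    pats = [str(p).lower() for p in patterns]
    if "contains" in modifiers:
        hits = [p in text for p in pats]
    else:
        hits = [text == p for p in pats]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A selection maps 'field|modifiers' to value(s); all entries are AND-ed."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not field_matches(event[field], modifiers, patterns):
            return False
    return True


def rule_matches(detection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate each named selection, then the condition expression over them."""
    selections = {name: sel for name, sel in detection.items() if name != "condition"}
    results = {name: selection_matches(sel, event) for name, sel in selections.items()}
    condition = detection["condition"]
    # Accept only selection names, and/or/not and parentheses before handing the
    # expression to eval with an empty builtins namespace.
    for tok in _CONDITION_TOKEN.findall(condition):
        if tok not in _KEYWORDS and tok not in results:
            raise ValueError(f"unknown selection in condition: {tok}")
    if _CONDITION_TOKEN.sub("", condition).strip():
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    return bool(eval(condition, {"__builtins__": {}}, dict(results)))


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Assumed format '<timestamp> <client-ip> <uri>', mapped onto Sigma's c-uri."""
    timestamp, client, uri = line.split(maxsplit=2)
    return {"timestamp": timestamp, "c-ip": client, "c-uri": uri}


def matching_uris(log_text: str) -> List[str]:
    """Return the c-uri of every log line the rule fires on."""
    hits: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_proxy_line(line)
        if rule_matches(DETECTION, event):
            hits.append(event["c-uri"])
    return hits


if __name__ == "__main__":
    for uri in matching_uris(SAMPLE_LOG):
        print("ALERT Ursnif C2 URL pattern:", uri)
```

Of the four constructed lines, the first and the fourth alert; the second lacks any base64 marker and the third lacks `/images/`, so each of the two selections is exercised as the reason for a non-match. When you convert the rule with a Sigma backend, compare the converted query's results on lines like these against this reference: a backend that emits a case-sensitive `contains` would silently miss the fourth line.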
