# TheTruthSpy stalkerware DNS indicators, one rule per hostname.
# Source list: github.com/AssoEchap/stalkerware-indicators (see the reference keyword in each rule).
#
# How each rule matches:
#   - "alert dns $HOME_NET any -> any any" inspects DNS traffic sent from $HOME_NET, whatever the resolver.
#   - dns.query selects the query-name buffer; nocase makes the comparison case-insensitive.
#   - depth is set to the length of the content string and endswith pins it to the end of the
#     buffer, so the query name must equal the listed hostname exactly.
#   - Consequence: a rule for an apex domain (e.g. copy9[.]com) does not fire on its subdomains, and
#     numbered hosts (media-sync-aNNN, protocol-aNNN) are covered only where a rule lists them.
#     Hosts absent from the source list produce no alert until the rule set is regenerated.
#   - msg carries the defanged name ([.]); content carries the real name that is matched.
#
# Deployment notes:
#   - Lookups made over encrypted DNS (DoH/DoT) are not visible to a dns rule; pair with other telemetry.
#   - sids start at 1000000, the range conventionally used for local rules; check for collisions with
#     other local rule files before loading.
#   - NOTE(review): classtype targeted-activity must be defined in the sensor's classification.config - confirm.
#   - The engine expects one rule per line; keep that layout when merging or regenerating this file.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (1ca43[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"1ca43.appspot.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000000; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (copy9[.]com)"; metadata: type stalkerware; dns.query; content:"copy9.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"guestspy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"icloudappe.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a.copy9.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000004; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a[.]exactspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a.exactspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000005; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a.fonetracker.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000006; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a.ispyoo.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000007; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a.thetruthspy.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000008; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a100[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a100.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000009; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a100[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a100.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000010; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a600[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a600.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000011; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a621[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a621.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000012; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a696[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a696.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000013; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a710[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a710.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000014; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a740[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a740.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000015; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a743[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a743.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000016; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a746[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a746.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000017; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a747[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a747.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000018; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a748[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a748.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000019; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a749[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a749.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000020; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a780[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a780.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000021; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a785[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a785.fonetracker.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000022; rev:1;)
# NOTE(review): "a7xx" is matched as a literal label. If the source entry is a placeholder for
# a7NN hosts, this rule covers none of them - confirm against the indicator list.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a7xx[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a7xx.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000023; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a810[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a810.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000024; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a820[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a820.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000025; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a825[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a825.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000026; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a830[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a830.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000027; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a835[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a835.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000028; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a895[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a895.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000029; rev:1;)
# NOTE(review): "a8xx" is matched as a literal label, as with "a7xx" - confirm it is a real hostname.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a8xx[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a8xx.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000030; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a910[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a910.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000031; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a915[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a915.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000032; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a920[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a920.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000033; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a925[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a925.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000034; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a930[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a930.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000035; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a935[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a935.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000036; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a940[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a940.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000037; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a941[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a941.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000038; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a942[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a942.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000039; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a943[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a943.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000040; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a944[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a944.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000041; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a945[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a945.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000042; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a946[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a946.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000043; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync-a947[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync-a947.thetruthspy.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000044; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media-sync[.]systemserviceprovider[.]com)"; metadata: type stalkerware; dns.query; content:"media-sync.systemserviceprovider.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000045; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (media[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"media.thetruthspy.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000046; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (microtracker-1ca43[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"microtracker-1ca43.firebaseio.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000047; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"mxspy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000048; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (my[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"my.copy9.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000049; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (my[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"my.ispyoo.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000050; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (my[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"my.thetruthspy.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000051; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (my[.]thespyapp[.]com)"; metadata: type stalkerware; dns.query; content:"my.thespyapp.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000052; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (phonespying[.]com)"; metadata: type stalkerware; dns.query; content:"phonespying.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000053; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (phonetracking[.]net)"; metadata: type stalkerware; dns.query; content:"phonetracking.net"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000054; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]inospy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.inospy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000055; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.copy9.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000056; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]exactspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.exactspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000057; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.fonetracker.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000058; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.guestspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000059; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.ispyoo.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000060; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.mxspy.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000061; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a.thetruthspy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000062; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a100[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a100.fonetracker.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000063; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a100[.]phoneparental[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a100.phoneparental.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000064; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a100[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a100.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000065; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a5[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a5.guestspy.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000066; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a58[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a58.guestspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000067; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a59[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a59.guestspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000068; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a6[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a6.thetruthspy.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000069; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a60[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a60.guestspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000070; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a600[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a600.fonetracker.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000071; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a610[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a610.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000072; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a610[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a610.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000073; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a611[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a611.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000074; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a611[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a611.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000075; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a612[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a612.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000076; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a614[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a614.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000077; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a615[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a615.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000078; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a616[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a616.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000079; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a617[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a617.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000080; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a618[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a618.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000081; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a620[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a620.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000082; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a621[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a621.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000083; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a65[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a65.guestspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000084; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a69[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a69.copy9.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000085; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a696[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a696.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000086; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a70[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a70.guestspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000087; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a710[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a710.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000088; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a712[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a712.fonetracker.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000089; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a72[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a72.thetruthspy.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000090; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a720[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a720.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000091; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a721[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a721.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000092; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a722[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a722.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000093; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a723[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a723.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000094; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a724[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a724.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000095; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a725[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a725.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000096; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a726[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a726.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000097; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a727[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a727.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000098; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a728[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a728.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000099; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a729[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a729.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000100; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a730[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a730.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000101; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a731[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a731.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000102; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a732[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a732.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000103; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a733[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a733.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000104; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a734[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a734.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000105; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a735[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a735.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000106; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a736[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a736.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000107; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a737[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a737.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000108; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a738[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a738.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000109; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a739[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a739.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000110; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a740[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a740.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000111; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a741[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a741.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000112; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a742[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a742.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000113; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a743[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a743.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000114; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a744[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a744.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000115; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a745[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a745.mxspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000116; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a745[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a745.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000117; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a746[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a746.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000118; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS 
STALKERWARE TheTruthSpy (protocol-a747[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a747.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000119; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a748[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a748.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000120; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a749[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a749.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000121; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a780[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a780.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000122; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a780[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a780.fonetracker.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000123; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a780[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a780.ispyoo.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000124; rev:1;) alert dns $HOME_NET any -> any any 
(msg:"PTS STALKERWARE TheTruthSpy (protocol-a780[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a780.mxspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000125; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a785[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a785.copy9.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000126; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a785[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a785.fonetracker.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000127; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a810[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a810.ispyoo.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000128; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a810[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a810.mxspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000129; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a810[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a810.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000130; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS 
STALKERWARE TheTruthSpy (protocol-a811[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a811.ispyoo.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000131; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a811[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a811.mxspy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000132; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a880[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a880.ispyoo.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000133; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a89[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a89.ispyoo.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000134; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a89[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a89.mxspy.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000135; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a910[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a910.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000136; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy 
(protocol-a915[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a915.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000137; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a920[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a920.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000138; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a925[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a925.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000139; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a930[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a930.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000140; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a935[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a935.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000141; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a940[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a940.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000142; rev:1;) alert dns $HOME_NET any -> any any 
(msg:"PTS STALKERWARE TheTruthSpy (protocol-a941[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a941.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000143; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a942[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a942.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000144; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a943[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a943.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000145; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a944[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a944.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000146; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a945[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a945.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000147; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a946[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a946.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000148; rev:1;) alert 
dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-a947[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-a947.thetruthspy.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000149; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-monitor[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-monitor.thetruthspy.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000150; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol-viewer-a[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol-viewer-a.copy9.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000151; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.copy9.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000152; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]guestspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.guestspy.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000153; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.ispyoo.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000154; rev:1;) alert dns $HOME_NET any -> any 
any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.mxspy.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000155; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]systemserviceprovider[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.systemserviceprovider.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000156; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (protocol[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"protocol.thetruthspy.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000157; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (secondclone-2d312[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"secondclone-2d312.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000158; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a.icloudappe.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000159; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a720[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a720.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000160; rev:1;) alert dns $HOME_NET any 
-> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a722[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a722.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000161; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a724[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a724.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000162; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a725[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a725.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000163; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a726[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a726.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000164; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a727[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a727.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000165; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a729[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a729.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000166; 
rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a732[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a732.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000167; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a733[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a733.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000168; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a734[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a734.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000169; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a735[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a735.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000170; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a737[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a737.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000171; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a738[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a738.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000172; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a740[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a740.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000173; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a741[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a741.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000174; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a742[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a742.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000175; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a743[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a743.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000176; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a744[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a744.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000177; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a745[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a745.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000178; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a746[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a746.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000179; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a747[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a747.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000180; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a748[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a748.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000181; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a910[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a910.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000182; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a915[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a915.icloudappe.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000183; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail-a920[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail-a920.icloudappe.com"; depth:29; 
nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000184; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (setupmail[.]icloudappe[.]com)"; metadata: type stalkerware; dns.query; content:"setupmail.icloudappe.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000185; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (support[.]phoneparental[.]com)"; metadata: type stalkerware; dns.query; content:"support.phoneparental.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000186; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (spyzee[.]com)"; metadata: type stalkerware; dns.query; content:"spyzee.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000187; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]copy9[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.copy9.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000188; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]exactspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.exactspy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000189; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.fonetracker.com"; depth:22; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000190; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]ispyoo[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.ispyoo.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000191; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.mxspy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000192; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a.thetruthspy.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000193; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a100[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a100.fonetracker.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000194; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a600[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a600.fonetracker.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000195; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a712[.]fonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a712.fonetracker.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000196; rev:1;)
# Each DNS rule matches one exact query name: depth equals the content length
# and endswith anchors the end of the dns.query buffer, with nocase applied.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a780[.]mxspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a780.mxspy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000197; rev:1;)
# NOTE(review): "a7xx" / "a8xx" in the next two rules are matched as literal
# text. If the indicator list uses "xx" as a stand-in for digits, these two
# rules never fire as written; confirm against the upstream list.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a7xx[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a7xx.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000198; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a8xx[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a8xx.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000199; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a925[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a925.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000200; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a930[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a930.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000201; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a935[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a935.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity;
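sid:1000202; rev:1;)
# DNS rules here pin the whole query name: depth equals the content length and
# endswith anchors the end of the dns.query buffer, so only the exact hostname
# matches (case-insensitively). A different subdomain needs its own rule.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a940[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a940.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000203; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a941[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a941.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000204; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (sync-a942[.]thetruthspy[.]com)"; metadata: type stalkerware; dns.query; content:"sync-a942.thetruthspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000205; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (thetruth-db94a[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"thetruth-db94a.firebaseio.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000206; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheTruthSpy (app[.]xyspy[.]com)"; metadata: type stalkerware; dns.query; content:"app.xyspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000207; rev:1;)
# Destination-address indicators for the same family. They are labelled like
# the DNS rules (family name in msg, "type stalkerware" in metadata), so a
# single filter on msg or on metadata covers both kinds of rule.
# rev is 2 because the alert text and metadata changed; the sids are unchanged.
# These rules match on the destination address alone, with no content check.
# An address can be reassigned or shared, so treat a hit as a lead and
# corroborate it with the DNS alerts before attributing it.
alert ip $HOME_NET any -> [69.64.74.239] any (msg:"PTS STALKERWARE TheTruthSpy (69[.]64[.]74[.]239)"; metadata: type stalkerware; classtype:targeted-activity; sid:1000208; rev:2;)
alert ip $HOME_NET any -> [69.64.81.166] any (msg:"PTS STALKERWARE TheTruthSpy (69[.]64[.]81[.]166)"; metadata: type stalkerware; classtype:targeted-activity; sid:1000209; rev:2;)
alert ip $HOME_NET any -> [69.64.81.49] any (msg:"PTS STALKERWARE TheTruthSpy (69[.]64[.]81[.]49)"; metadata: type stalkerware; classtype:targeted-activity; sid:1000210; rev:2;)
alert ip $HOME_NET any -> [69.64.81.98] any (msg:"PTS STALKERWARE TheTruthSpy (69[.]64[.]81[.]98)"; metadata: type stalkerware; classtype:targeted-activity; sid:1000211; rev:2;)
alert ip $HOME_NET any -> [69.64.91.29] any (msg:"PTS STALKERWARE TheTruthSpy (69[.]64[.]91[.]29)"; metadata: type stalkerware; classtype:targeted-activity; sid:1000212; rev:2;)
# HelloSpy family: exact-name DNS rules, same layout as above.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (1topspy[.]com)"; metadata: type stalkerware; dns.query; content:"1topspy.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000213; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (account[.]cellphone-remote-tracker[.]com)"; metadata: type stalkerware; dns.query; content:"account.cellphone-remote-tracker.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000214; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (cellphone-remote-tracker[.]com)"; metadata: type stalkerware; dns.query; content:"cellphone-remote-tracker.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000215; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (client[.]spyhide[.]com)"; metadata: type stalkerware; dns.query; content:"client.spyhide.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000216; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (client[.]spyhide[.]ir)"; metadata: type stalkerware; dns.query;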
content:"client.spyhide.ir"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000217; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (copy9db[.]com)"; metadata: type stalkerware; dns.query; content:"copy9db.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000218; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata[.]1topspy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata.1topspy.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000219; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata[.]copy9db[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata.copy9db.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000220; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata[.]hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata.hellospy.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000221; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata2[.]hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata2.hellospy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000222; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata3[.]hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata3.hellospy.com"; depth:23; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000223; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata4[.]hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata4.hellospy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000224; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdata5[.]hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdata5.hellospy.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000225; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (flushdbd[.]maxxspy[.]com)"; metadata: type stalkerware; dns.query; content:"flushdbd.maxxspy.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000226; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (hellospy[.]com)"; metadata: type stalkerware; dns.query; content:"hellospy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000227; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (maxxspy[.]com)"; metadata: type stalkerware; dns.query; content:"maxxspy.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000228; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (mobiispy[.]com)"; metadata: type stalkerware; dns.query; content:"mobiispy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000229; rev:1;) alert dns $HOME_NET any -> any 
any (msg:"PTS STALKERWARE HelloSpy (spyhide[.]com)"; metadata: type stalkerware; dns.query; content:"spyhide.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000230; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (spyhide[.]ir)"; metadata: type stalkerware; dns.query; content:"spyhide.ir"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000231; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (virsis[.]net)"; metadata: type stalkerware; dns.query; content:"virsis.net"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000232; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (webservicesdb[.]mobiispy[.]com)"; metadata: type stalkerware; dns.query; content:"webservicesdb.mobiispy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000233; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (www[.]spyhide[.]com)"; metadata: type stalkerware; dns.query; content:"www.spyhide.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000234; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HelloSpy (www[.]spyhide[.]ir)"; metadata: type stalkerware; dns.query; content:"www.spyhide.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000235; rev:1;) alert ip $HOME_NET any -> [78.47.16.3] any (msg:"PTS STALKERWARE 78[.]47[.]16[.]3 (stalkerware)"; metadata: type HelloSpy; classtype:targeted-activity; sid:1000236; rev:1;) alert dns $HOME_NET any -> 
any any (msg:"PTS STALKERWARE SpyAdvice (phonetracking-dd226[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"phonetracking-dd226.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000237; rev:1;)
# --- SpyAdvice: DNS indicators ---
# Each DNS rule inspects the dns.query buffer. depth equals the content length
# and endswith anchors the end of the buffer, so only a query for exactly that
# name matches (nocase: case-insensitively); unlisted subdomains are not covered.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyAdvice (spyadvice[.]com)"; metadata: type stalkerware; dns.query; content:"spyadvice.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000238; rev:1;)
# --- Reptilicus: DNS indicators ---
# NOTE(review): several names here sit under domains that do not obviously
# belong to the vendor (cabinet.ecohouse-eg.com, mob.eurotrans.kz,
# rp.dedrone.com.ua, rp.liquidblue.com.ua, labrador.ua). Presumably these are
# panels hosted on other parties' domains; the bare labrador.ua rule in
# particular may fire on unrelated use of that site - confirm against the
# indicator list before treating a hit as high confidence.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (apollospy[.]com)"; metadata: type stalkerware; dns.query; content:"apollospy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000239; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]ecohouse-eg[.]com)"; metadata: type stalkerware; dns.query; content:"cabinet.ecohouse-eg.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000240; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]gps-monitor[.]uz)"; metadata: type stalkerware; dns.query; content:"cabinet.gps-monitor.uz"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000241; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]kfnm[.]ru)"; metadata: type stalkerware; dns.query; content:"cabinet.kfnm.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000242; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]vegosm[.]ru)"; metadata: type stalkerware; dns.query; content:"cabinet.vegosm.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000243; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]vkur[.]se)"; metadata: type stalkerware; dns.query; content:"cabinet.vkur.se"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000244; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]vkur1[.]se)"; metadata: type stalkerware; dns.query; content:"cabinet.vkur1.se"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000245; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (cabinet[.]thecybernanny[.]com)"; metadata: type stalkerware; dns.query; content:"cabinet.thecybernanny.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000246; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (data[.]reptilicus[.]net)"; metadata: type stalkerware; dns.query; content:"data.reptilicus.net"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000247; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (e2c64[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"e2c64.firebaseio.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000248; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (labrador[.]ua)"; metadata: type stalkerware; dns.query; content:"labrador.ua"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000249; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (mob[.]eurotrans[.]kz)"; metadata: type stalkerware; dns.query; content:"mob.eurotrans.kz"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000250; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (phonecontrolapp-e2c64[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"phonecontrolapp-e2c64.firebaseio.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000251; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (proxy[.]reptilicus[.]net)"; metadata: type stalkerware; dns.query; content:"proxy.reptilicus.net"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000252; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (reptilicus[.]net)"; metadata: type stalkerware; dns.query; content:"reptilicus.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000253; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (rp[.]apollospy[.]com)"; metadata: type stalkerware; dns.query; content:"rp.apollospy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000254; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (rp[.]dedrone[.]com[.]ua)"; metadata: type stalkerware; dns.query; content:"rp.dedrone.com.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000255; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (rp[.]labrador[.]ua)"; metadata: type stalkerware; dns.query; content:"rp.labrador.ua"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000256; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (rp[.]liquidblue[.]com[.]ua)"; metadata: type stalkerware; dns.query; content:"rp.liquidblue.com.ua"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000257; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (vkur[.]se)"; metadata: type stalkerware; dns.query; content:"vkur.se"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000258; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (vkur1[.]se)"; metadata: type stalkerware; dns.query; content:"vkur1.se"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000259; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Reptilicus (www[.]reptilicus[.]net)"; metadata: type stalkerware; dns.query; content:"www.reptilicus.net"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000260; rev:1;)
# --- Reptilicus: address indicator ---
# Matches on destination address alone (any IP protocol, any port). It has no
# reference keyword, and metadata "type" carries the family name here whereas
# the DNS rules use "type stalkerware" and name the family in msg.
alert ip $HOME_NET any -> [176.9.42.16] any (msg:"PTS STALKERWARE 176[.]9[.]42[.]16 (stalkerware)"; metadata: type Reptilicus; classtype:targeted-activity; sid:1000261; rev:1;)
# --- PhoneSheriff: DNS indicators ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PhoneSheriff (mobilenannylogs[.]com)"; metadata: type stalkerware; dns.query; content:"mobilenannylogs.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000262; rev:1;)
# --- PhoneSheriff (continued): DNS indicators ---
# Each DNS rule inspects the dns.query buffer. depth equals the content length
# and endswith anchors the end of the buffer, so only a query for exactly that
# name matches (nocase: case-insensitively); unlisted subdomains are not covered.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PhoneSheriff (phonesheriff[.]com)"; metadata: type stalkerware; dns.query; content:"phonesheriff.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000263; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PhoneSheriff (cellmonitoring[.]co)"; metadata: type stalkerware; dns.query; content:"cellmonitoring.co"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000264; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PhoneSheriff (www[.]cellmonitoring[.]co)"; metadata: type stalkerware; dns.query; content:"www.cellmonitoring.co"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000265; rev:1;)
# --- OwnSpy: DNS indicator ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OwnSpy (user[.]ownspy[.]es)"; metadata: type stalkerware; dns.query; content:"user.ownspy.es"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000266; rev:1;)
# --- Cocospy: DNS indicators ---
# NOTE(review): alog.umeng.com and the appjiagu.com / *.appjiagu.com names look
# like third-party SDK or app-packer service endpoints (analytics, app
# hardening) that unrelated Android apps may also contact. Presumably these
# are low-specificity: corroborate a hit with one of the vendor-specific names
# in this group (spyzie, cocospy, phonedata.me, ...) before acting on it.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (alog[.]umeng[.]com)"; metadata: type stalkerware; dns.query; content:"alog.umeng.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000267; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (app-api[.]spyzie[.]com)"; metadata: type stalkerware; dns.query; content:"app-api.spyzie.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000268; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (app[.]api[.]spyzie[.]wondershare[.]cn)"; metadata: type stalkerware; dns.query; content:"app.api.spyzie.wondershare.cn"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000269; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"appjiagu.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000270; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (b[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"b.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000271; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (c[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"c.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000272; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (d[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"d.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000273; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (e[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"e.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000274; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (f[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"f.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000275; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (fonemonitor[.]vip)"; metadata: type stalkerware; dns.query; content:"fonemonitor.vip"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000276; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (g[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"g.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000277; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (data-api[.]spyzie[.]com)"; metadata: type stalkerware; dns.query; content:"data-api.spyzie.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000278; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (data[.]api[.]spyzie[.]wondershare[.]cn)"; metadata: type stalkerware; dns.query; content:"data.api.spyzie.wondershare.cn"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000279; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (h[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"h.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000280; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]fonemonitor[.]co)"; metadata: type stalkerware; dns.query; content:"i.fonemonitor.co"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000281; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]cocospy[.]com)"; metadata: type stalkerware; dns.query; content:"i.cocospy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000282; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]minspy[.]com)"; metadata: type stalkerware; dns.query; content:"i.minspy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000283; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]neatspy[.]com)"; metadata: type stalkerware; dns.query; content:"i.neatspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000284; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]safespy[.]com)"; metadata: type stalkerware; dns.query; content:"i.safespy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000285; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]spyic[.]com)"; metadata: type stalkerware; dns.query; content:"i.spyic.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000286; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]spyine[.]com)"; metadata: type stalkerware; dns.query; content:"i.spyine.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000287; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]spyzie[.]io)"; metadata: type stalkerware; dns.query; content:"i.spyzie.io"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000288; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (i[.]teensafe[.]net)"; metadata: type stalkerware; dns.query; content:"i.teensafe.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000289; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (mintrack[.]vip)"; metadata: type stalkerware; dns.query; content:"mintrack.vip"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000290; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (my[.]spyzie[.]com)"; metadata: type stalkerware; dns.query; content:"my.spyzie.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000291; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (neatspy[.]vip)"; metadata: type stalkerware; dns.query; content:"neatspy.vip"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000292; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (phonedata[.]me)"; metadata: type stalkerware; dns.query; content:"phonedata.me"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000293; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (app-api[.]phonedata[.]me)"; metadata: type stalkerware; dns.query; content:"app-api.phonedata.me"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000294; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (data-api[.]phonedata[.]me)"; metadata: type stalkerware; dns.query; content:"data-api.phonedata.me"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000295; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (spyzie-a[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spyzie-a.firebaseio.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000296; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (mg-spyzie[.]oss-us-west-1[.]aliyuncs[.]com)"; metadata: type stalkerware; dns.query; content:"mg-spyzie.oss-us-west-1.aliyuncs.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000297; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (s[.]appjiagu[.]com)"; metadata: type stalkerware; dns.query; content:"s.appjiagu.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000298; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (safespy[.]vip)"; metadata: type stalkerware; dns.query; content:"safespy.vip"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000299; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (sp[.]kuuvv[.]com)"; metadata: type stalkerware; dns.query; content:"sp.kuuvv.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000300; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (kuuvv[.]com)"; metadata: type stalkerware; dns.query; content:"kuuvv.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000301; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (spyzie[.]com)"; metadata: type stalkerware; dns.query; content:"spyzie.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000302; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (trackier[.]vip)"; metadata: type stalkerware; dns.query; content:"trackier.vip"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000303; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (trackine[.]vip)"; metadata: type stalkerware; dns.query; content:"trackine.vip"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000304; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (trackpro[.]vip)"; metadata: type stalkerware; dns.query; content:"trackpro.vip"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000305; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (viptrack[.]pro)"; metadata: type stalkerware; dns.query; content:"viptrack.pro"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000306; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cocospy (www[.]spyzie[.]com)"; metadata: type stalkerware; dns.query; content:"www.spyzie.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000307; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE VIPTrack 
(android[.]viptrack[.]ro)"; metadata: type stalkerware; dns.query; content:"android.viptrack.ro"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000308; rev:1;) alert ip $HOME_NET any -> [89.33.190.8] any (msg:"PTS STALKERWARE 89[.]33[.]190[.]8 (stalkerware)"; metadata: type VIPTrack; classtype:targeted-activity; sid:1000309; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (97[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"97.logger.mobi"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000310; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (account[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"account.logger.mobi"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000311; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (account[.]childsafetytrackerapp[.]com)"; metadata: type stalkerware; dns.query; content:"account.childsafetytrackerapp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000312; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (api[.]childsafetytrackerapp[.]com)"; metadata: type stalkerware; dns.query; content:"api.childsafetytrackerapp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000313; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (api[.]seniorsafetyapp[.]com)"; metadata: type stalkerware; dns.query; content:"api.seniorsafetyapp.com"; depth:23; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000314; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (beta-api[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"beta-api.logger.mobi"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000315; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (beta[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"beta.logger.mobi"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000316; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (easyloggerbeta[.]azurewebsites[.]net)"; metadata: type stalkerware; dns.query; content:"easyloggerbeta.azurewebsites.net"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000317; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (elcore-api[.]azurewebsites[.]net)"; metadata: type stalkerware; dns.query; content:"elcore-api.azurewebsites.net"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000318; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (inv[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"inv.logger.mobi"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000319; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (pro[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"pro.logger.mobi"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000320; rev:1;)
# EasyLogger DNS indicators. Each rule matches one queried name exactly (depth = content length,
# endswith, nocase). The firebaseio.com entry names a single project on a shared backend platform,
# not the platform itself.
# NOTE(review): the sandbox97.* names read like test/staging hosts - presumably low traffic;
# confirm against the upstream indicator list whether they are still live.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (ps97mailer[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"ps97mailer.logger.mobi"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000321; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (pulsesolutions-net-easy-logger[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"pulsesolutions-net-easy-logger.firebaseio.com"; depth:45; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000322; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (sandbox97[.]childsafetytrackerapp[.]com)"; metadata: type stalkerware; dns.query; content:"sandbox97.childsafetytrackerapp.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000323; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (sandbox97[.]logger[.]mobi)"; metadata: type stalkerware; dns.query; content:"sandbox97.logger.mobi"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000324; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (sandbox97[.]seniorsafetyapp[.]com)"; metadata: type stalkerware; dns.query; content:"sandbox97.seniorsafetyapp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000325; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (senior-safety-189010[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"senior-safety-189010.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000326; rev:1;)
# EasyLogger DNS indicators, exact-name matches on dns.query (depth = content length, endswith).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (servicesloggermobi[.]azurewebsites[.]net)"; metadata: type stalkerware; dns.query; content:"servicesloggermobi.azurewebsites.net"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000327; rev:1;)
# NOTE(review): the two waws-prod-blu-247* names below look like Azure App Service platform
# hostnames rather than tenant names - confirm against the upstream list. If so, they are shared
# by unrelated applications and a hit on them says little about EasyLogger specifically.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (waws-prod-blu-247-e7b3[.]eastus[.]cloudapp[.]azure[.]com)"; metadata: type stalkerware; dns.query; content:"waws-prod-blu-247-e7b3.eastus.cloudapp.azure.com"; depth:48; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000328; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyLogger (waws-prod-blu-247[.]sip[.]azurewebsites[.]windows[.]net)"; metadata: type stalkerware; dns.query; content:"waws-prod-blu-247.sip.azurewebsites.windows.net"; depth:47; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000329; rev:1;)
# EasyLogger address indicators: any IP protocol and port from $HOME_NET to one literal address.
# They carry no reference keyword, and the family name is in metadata "type" while msg ends in
# "(stalkerware)", so a filter on "type stalkerware" will not select them.
# NOTE(review): 172.67.81.216, 104.25.28.15 and 104.25.29.15 appear to fall inside the address
# ranges Cloudflare publishes for its proxy network - confirm. Shared front-end addresses serve
# many unrelated sites, so expect false positives; treat a hit as weak evidence unless an
# EasyLogger DNS rule fired for the same internal host.
alert ip $HOME_NET any -> [172.67.81.216] any (msg:"PTS STALKERWARE 172[.]67[.]81[.]216 (stalkerware)"; metadata: type EasyLogger; classtype:targeted-activity; sid:1000330; rev:1;)
alert ip $HOME_NET any -> [104.25.28.15] any (msg:"PTS STALKERWARE 104[.]25[.]28[.]15 (stalkerware)"; metadata: type EasyLogger; classtype:targeted-activity; sid:1000331; rev:1;)
alert ip $HOME_NET any -> [104.25.29.15] any (msg:"PTS STALKERWARE 104[.]25[.]29[.]15 (stalkerware)"; metadata: type EasyLogger; classtype:targeted-activity; sid:1000332; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (a[.]hw[.]cab)"; metadata: type stalkerware; dns.query; content:"a.hw.cab"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000333; rev:1;)
# Hoverwatch DNS indicators. depth:<content length> plus endswith means the queried name must
# equal the content exactly: sid:1000334 fires on the bare name hw.cab only, and every subdomain
# that should alert needs its own rule.
# NOTE(review): account.refog.com and downloads.refog.com read like vendor web/portal hosts rather
# than device check-in endpoints - presumably a hit can also come from someone browsing the vendor
# site from inside $HOME_NET; verify the role of each indicator upstream before triage.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hw[.]cab)"; metadata: type stalkerware; dns.query; content:"hw.cab"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000334; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (a[.]hwa[.]cab)"; metadata: type stalkerware; dns.query; content:"a.hwa.cab"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000335; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (account[.]refog[.]com)"; metadata: type stalkerware; dns.query; content:"account.refog.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000336; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (dev[.]hoverwatch[.]com)"; metadata: type stalkerware; dns.query; content:"dev.hoverwatch.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000337; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (dev2[.]refog[.]com)"; metadata: type stalkerware; dns.query; content:"dev2.refog.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000338; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (downloads[.]refog[.]com)"; metadata: type stalkerware; dns.query; content:"downloads.refog.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000339; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hover[.]watch)"; metadata: type stalkerware; 
dns.query; content:"hover.watch"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000340; rev:1;)
# Hoverwatch DNS indicators. Exact-name matches: depth equals the content length and endswith
# anchors the end of the dns.query buffer, so the short names below (hwa.cab, hwm.cab, hws.icu,
# hww.cab) match only as complete query names, never as a suffix of a longer name.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hoverwatch[.]com)"; metadata: type stalkerware; dns.query; content:"hoverwatch.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000341; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hwa[.]cab)"; metadata: type stalkerware; dns.query; content:"hwa.cab"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000342; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hwm[.]cab)"; metadata: type stalkerware; dns.query; content:"hwm.cab"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000343; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hws[.]icu)"; metadata: type stalkerware; dns.query; content:"hws.icu"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000344; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (hww[.]cab)"; metadata: type stalkerware; dns.query; content:"hww.cab"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000345; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (i[.]hoverwatch[.]com)"; metadata: type stalkerware; dns.query; content:"i.hoverwatch.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000346; rev:1;)
alert dns $HOME_NET any -> any any 
(msg:"PTS STALKERWARE Hoverwatch (i1[.]hoverwatch[.]com)"; metadata: type stalkerware; dns.query; content:"i1.hoverwatch.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000347; rev:1;)
# Hoverwatch DNS indicators: each rule matches one queried name exactly (depth = content length,
# endswith, nocase).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (office[.]hw[.]cab)"; metadata: type stalkerware; dns.query; content:"office.hw.cab"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000348; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (rec[.]hw[.]cab)"; metadata: type stalkerware; dns.query; content:"rec.hw.cab"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000349; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (test[.]refog[.]com)"; metadata: type stalkerware; dns.query; content:"test.refog.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000350; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Hoverwatch (a[.]syncvch[.]com)"; metadata: type stalkerware; dns.query; content:"a.syncvch.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000351; rev:1;)
# Hoverwatch address indicators: any IP protocol and port from $HOME_NET to one literal address.
# No reference keyword is attached, and the family name is carried in metadata "type" while msg
# ends in "(stalkerware)" - the reverse of the DNS rules above.
# NOTE(review): nothing in these rules records when an address was last observed; hosting
# addresses get reassigned, so re-check them against the upstream list before acting on a hit.
alert ip $HOME_NET any -> [104.236.73.120] any (msg:"PTS STALKERWARE 104[.]236[.]73[.]120 (stalkerware)"; metadata: type Hoverwatch; classtype:targeted-activity; sid:1000352; rev:1;)
alert ip $HOME_NET any -> [149.56.26.44] any (msg:"PTS STALKERWARE 149[.]56[.]26[.]44 (stalkerware)"; metadata: type Hoverwatch; classtype:targeted-activity; sid:1000353; rev:1;)
alert ip $HOME_NET any -> [158.69.24.236] any (msg:"PTS STALKERWARE 158[.]69[.]24[.]236 (stalkerware)"; metadata: type Hoverwatch; 
classtype:targeted-activity; sid:1000354; rev:1;)
# Hoverwatch address indicators: any IP protocol and port from $HOME_NET to one literal address;
# family name in metadata "type", no reference keyword.
alert ip $HOME_NET any -> [188.130.241.205] any (msg:"PTS STALKERWARE 188[.]130[.]241[.]205 (stalkerware)"; metadata: type Hoverwatch; classtype:targeted-activity; sid:1000355; rev:1;)
alert ip $HOME_NET any -> [198.100.150.203] any (msg:"PTS STALKERWARE 198[.]100[.]150[.]203 (stalkerware)"; metadata: type Hoverwatch; classtype:targeted-activity; sid:1000356; rev:1;)
# LetMeSpy DNS indicators: exact-name matches on dns.query (depth = content length, endswith,
# nocase). Only the bare names are listed, so a query for any subdomain of these three domains
# does not alert.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE LetMeSpy (letmespy[.]com)"; metadata: type stalkerware; dns.query; content:"letmespy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000357; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE LetMeSpy (remotecommands[.]com)"; metadata: type stalkerware; dns.query; content:"remotecommands.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000358; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE LetMeSpy (zdalnakontrola[.]pl)"; metadata: type stalkerware; dns.query; content:"zdalnakontrola.pl"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000359; rev:1;)
# LetMeSpy address indicators, same shape as the other IP rules: one destination address, any
# protocol and port, metadata "type" set to the family name.
alert ip $HOME_NET any -> [91.196.212.202] any (msg:"PTS STALKERWARE 91[.]196[.]212[.]202 (stalkerware)"; metadata: type LetMeSpy; classtype:targeted-activity; sid:1000360; rev:1;)
alert ip $HOME_NET any -> [91.196.212.201] any (msg:"PTS STALKERWARE 91[.]196[.]212[.]201 (stalkerware)"; metadata: type LetMeSpy; classtype:targeted-activity; sid:1000361; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (api[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"api.snoopza.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000362; 
rev:1;)
# Snoopza DNS indicators: one rule per host name, each an exact match on the queried name
# (depth = content length, endswith, nocase).
# NOTE(review): names such as my.snoopza.com and viewer-style hosts presumably serve the account
# holder's web panel, so a hit may come from the person doing the monitoring rather than from a
# monitored device - confirm indicator roles upstream before triage.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (app[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"app.snoopza.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000363; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (app2[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"app2.snoopza.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000364; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (dev[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"dev.snoopza.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000365; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (flower[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"flower.snoopza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000366; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (get[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"get.snoopza.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000367; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (my[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"my.snoopza.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000368; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (my2[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; 
content:"my2.snoopza.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000369; rev:1;)
# Snoopza DNS indicators, exact-name matches: sid:1000370 fires on the bare name snoopza.com only;
# the subdomains are covered by their own rules.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"snoopza.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000370; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Snoopza (viewer[.]snoopza[.]com)"; metadata: type stalkerware; dns.query; content:"viewer.snoopza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000371; rev:1;)
# Snoopza address indicators: any IP protocol and port from $HOME_NET to one literal address.
# No reference keyword; the family name is in metadata "type" and msg ends in "(stalkerware)".
# NOTE(review): the rules carry no last-seen date; re-validate the addresses against the upstream
# list, since a reassigned hosting address would make these fire on unrelated traffic.
alert ip $HOME_NET any -> [178.62.59.165] any (msg:"PTS STALKERWARE 178[.]62[.]59[.]165 (stalkerware)"; metadata: type Snoopza; classtype:targeted-activity; sid:1000372; rev:1;)
alert ip $HOME_NET any -> [217.182.250.165] any (msg:"PTS STALKERWARE 217[.]182[.]250[.]165 (stalkerware)"; metadata: type Snoopza; classtype:targeted-activity; sid:1000373; rev:1;)
alert ip $HOME_NET any -> [46.105.57.148] any (msg:"PTS STALKERWARE 46[.]105[.]57[.]148 (stalkerware)"; metadata: type Snoopza; classtype:targeted-activity; sid:1000374; rev:1;)
# TrackMyPhones DNS indicators: project-specific names under firebaseio.com, matched exactly so
# other projects on the same platform do not alert.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (cell-tracker-green[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"cell-tracker-green.firebaseio.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000375; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (cell-tracker-updated[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"cell-tracker-updated.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000376; rev:1;)
# TrackMyPhones DNS indicators. Each content is a single project name under firebaseio.com (a
# shared backend platform); depth = content length plus endswith makes the match exact, so the
# rules do not fire on the platform domain or on other projects hosted there.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (key-logger-90fff[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"key-logger-90fff.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000377; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (message-tracker-98822[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"message-tracker-98822.firebaseio.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000378; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (smsandcalltracker[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"smsandcalltracker.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000379; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (spyaudiorecorder[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spyaudiorecorder.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000380; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (trackmyphones-pro[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"trackmyphones-pro.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000381; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (trackmyphones[.]com)"; metadata: type stalkerware; dns.query; content:"trackmyphones.com"; depth:17; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000382; rev:1;)
# TrackMyPhones DNS indicators, exact-name matches (depth = content length, endswith, nocase).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (video-recorder-c0419[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"video-recorder-c0419.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000383; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackMyPhones (www[.]trackmyphones[.]com)"; metadata: type stalkerware; dns.query; content:"www.trackmyphones.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000384; rev:1;)
# FlexiSpy DNS indicators, same exact-name form.
# NOTE(review): admin.flexispy.com reads like a vendor-side web host rather than a device
# check-in endpoint - presumably a hit can come from a browser session; confirm the indicator's
# role upstream before treating the querying host as monitored.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (admin[.]flexispy[.]com)"; metadata: type stalkerware; dns.query; content:"admin.flexispy.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000385; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (api[.]flexispy[.]com)"; metadata: type stalkerware; dns.query; content:"api.flexispy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000386; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (client[.]mobilefonex[.]com)"; metadata: type stalkerware; dns.query; content:"client.mobilefonex.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000387; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (djp[.]bz)"; metadata: type stalkerware; dns.query; content:"djp.bz"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; 
sid:1000388; rev:1;)
# FlexiSpy DNS indicators. The six-character names (dmw.bz, dmw.cc) are safe from substring
# collisions only because depth:6 with endswith forces the whole queried name to equal the
# content; removing either keyword would turn them into suffix or prefix matches.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (dmw[.]bz)"; metadata: type stalkerware; dns.query; content:"dmw.bz"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000389; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (dmw[.]cc)"; metadata: type stalkerware; dns.query; content:"dmw.cc"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000390; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (ecom[.]flexispy[.]com)"; metadata: type stalkerware; dns.query; content:"ecom.flexispy.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000391; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (mflx[.]biz)"; metadata: type stalkerware; dns.query; content:"mflx.biz"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000392; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (portal[.]flexispy[.]com)"; metadata: type stalkerware; dns.query; content:"portal.flexispy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000393; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (push[.]mobilefonex[.]com)"; metadata: type stalkerware; dns.query; content:"push.mobilefonex.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000394; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (test-client[.]mobilefonex[.]com)"; metadata: type stalkerware; dns.query; 
content:"test-client.mobilefonex.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000395; rev:1;)
# FlexiSpy: one exact-name DNS indicator, then one address indicator. The address rule matches any
# IP protocol and port to the literal address, has no reference keyword, and carries the family
# name in metadata "type" instead of in msg.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FlexiSpy (trkps[.]com)"; metadata: type stalkerware; dns.query; content:"trkps.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000396; rev:1;)
alert ip $HOME_NET any -> [119.8.35.235] any (msg:"PTS STALKERWARE 119[.]8[.]35[.]235 (stalkerware)"; metadata: type FlexiSpy; classtype:targeted-activity; sid:1000397; rev:1;)
# Cerberus DNS indicators, exact-name matches (depth = content length, endswith, nocase).
# NOTE(review): Cerberus is presumably also used as an anti-theft app on a person's own phone, so
# a hit on cerberusapp.com needs context before it is read as covert monitoring - confirm how the
# upstream list classifies it.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cerberus (api-project-999803017449[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"api-project-999803017449.firebaseio.com"; depth:39; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000398; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cerberus (cerberusapp[.]com)"; metadata: type stalkerware; dns.query; content:"cerberusapp.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000399; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Cerberus (www[.]cerberusapp[.]com)"; metadata: type stalkerware; dns.query; content:"www.cerberusapp.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000400; rev:1;)
# mSpy DNS indicators, same exact-name form.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (a-qa3[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"a-qa3.thd.cc"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000401; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy 
(a[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"a.thd.cc"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000402; rev:1;)
# mSpy DNS indicators. Each rule matches one queried name exactly: depth equals the content
# length and endswith anchors the end of the dns.query buffer, so alter757.info (sid:1000403)
# does not cover apiv4.alter757.info, which has its own rule (sid:1000405).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (alter757[.]info)"; metadata: type stalkerware; dns.query; content:"alter757.info"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000403; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (api[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"api.thd.cc"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000404; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (apiv4[.]alter757[.]info)"; metadata: type stalkerware; dns.query; content:"apiv4.alter757.info"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000405; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (b55y[.]net)"; metadata: type stalkerware; dns.query; content:"b55y.net"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000406; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (bbrp[.]co)"; metadata: type stalkerware; dns.query; content:"bbrp.co"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000407; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (bi[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"bi.thd.cc"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000408; rev:1;)
alert dns 
$HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (cp[.]mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"cp.mspyonline.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000409; rev:1;)
# mSpy DNS indicators, exact-name matches on dns.query (depth = content length, endswith,
# nocase). Several are hosts under thd.cc; each host is listed separately because no rule here
# matches on a domain suffix.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (eyezyapp[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"eyezyapp.thd.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000410; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (getmspy[.]net)"; metadata: type stalkerware; dns.query; content:"getmspy.net"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000411; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (hz-service[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"hz-service.thd.cc"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000412; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (hz7[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"hz7.thd.cc"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000413; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (idevs[.]co)"; metadata: type stalkerware; dns.query; content:"idevs.co"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000414; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (jailbreak-gateway[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"jailbreak-gateway.thd.cc"; depth:24; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000415; rev:1;)
# mSpy DNS indicators, exact-name matches (depth = content length, endswith, nocase).
# NOTE(review): mlite-app.livekit.cloud is a single name under a third-party service domain -
# presumably one tenant on a shared platform; the exact match keeps the rule off the rest of that
# domain, but confirm upstream that the name is still attributed to this family.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (kypler[.]com)"; metadata: type stalkerware; dns.query; content:"kypler.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000416; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (m-media[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"m-media.thd.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000417; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mcloud-api[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"mcloud-api.thd.cc"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000418; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mi[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"mi.thd.cc"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000419; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mlite-app[.]livekit[.]cloud)"; metadata: type stalkerware; dns.query; content:"mlite-app.livekit.cloud"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000420; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mlite-app[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"mlite-app.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000421; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy 
(mlite-socket[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"mlite-socket.thd.cc"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000422; rev:1;)
# mSpy DNS indicators, exact-name matches (depth = content length, endswith, nocase).
# NOTE(review): mspyonline.com reads like the vendor's public site and mtechn.zendesk.com like a
# help-desk tenant on a third-party service - presumably both can be resolved by a browser as
# well as by an installed agent; confirm indicator roles upstream before triage.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mliteapp[.]alter757[.]info)"; metadata: type stalkerware; dns.query; content:"mliteapp.alter757.info"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000423; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mobile-gw[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"mobile-gw.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000424; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mspy[.]alter757[.]info)"; metadata: type stalkerware; dns.query; content:"mspy.alter757.info"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000425; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"mspyonline.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000426; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mspytrackercom[.]alter757[.]info)"; metadata: type stalkerware; dns.query; content:"mspytrackercom.alter757.info"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000427; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (mtechn[.]zendesk[.]com)"; metadata: type stalkerware; dns.query; content:"mtechn.zendesk.com"; depth:18; nocase; endswith; 
fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000428; rev:1;)
# mSpy DNS indicators, exact-name matches (depth = content length, endswith, nocase).
# NOTE(review): the my.* names (kidsecured, mspyonline, phonsee, securechildren) read like
# customer sign-in hosts - presumably a hit can come from the account holder's browser rather
# than from a monitored device; confirm indicator roles upstream before triage.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (my[.]kidsecured[.]com)"; metadata: type stalkerware; dns.query; content:"my.kidsecured.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000429; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (my[.]mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"my.mspyonline.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000430; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (my[.]phonsee[.]com)"; metadata: type stalkerware; dns.query; content:"my.phonsee.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000431; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (my[.]securechildren[.]online)"; metadata: type stalkerware; dns.query; content:"my.securechildren.online"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000432; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (pipe[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"pipe.thd.cc"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000433; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (project-323448153542050953[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"project-323448153542050953.firebaseio.com"; depth:41; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; 
sid:1000434; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (q12z[.]net)"; metadata: type stalkerware; dns.query; content:"q12z.net"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000435; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (repo[.]mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"repo.mspyonline.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000436; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (rockalab[.]com)"; metadata: type stalkerware; dns.query; content:"rockalab.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000437; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (s3[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"s3.thd.cc"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000438; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-01[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-01.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000439; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-02[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-02.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000440; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-03[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-03.thd.cc"; depth:16; nocase; endswith; 
fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000441; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-04[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-04.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000442; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-05[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-05.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000443; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-06[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-06.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000444; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-07[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"sentry-07.thd.cc"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000445; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (sentry-product-new[.]bbrp[.]co)"; metadata: type stalkerware; dns.query; content:"sentry-product-new.bbrp.co"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000446; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (thd[.]cc)"; metadata: type stalkerware; dns.query; content:"thd.cc"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000447; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS 
STALKERWARE mSpy (tracking[.]mliteapp[.]com)"; metadata: type stalkerware; dns.query; content:"tracking.mliteapp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000448; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (tracking[.]mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"tracking.mspyonline.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000449; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (update-service-7e59f[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"update-service-7e59f.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000450; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (webrtc[.]thd[.]cc)"; metadata: type stalkerware; dns.query; content:"webrtc.thd.cc"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000451; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (www[.]mspy[.]com)"; metadata: type stalkerware; dns.query; content:"www.mspy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000452; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE mSpy (www[.]mspyonline[.]com)"; metadata: type stalkerware; dns.query; content:"www.mspyonline.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000453; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MeuSpy (servidor[.]in)"; metadata: type stalkerware; dns.query; content:"servidor.in"; depth:11; nocase; 
endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000454; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MeuSpy (n[.]servidor[.]in)"; metadata: type stalkerware; dns.query; content:"n.servidor.in"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000455; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MeuSpy (l[.]servidor[.]in)"; metadata: type stalkerware; dns.query; content:"l.servidor.in"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000456; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MeuSpy (s[.]servidor[.]in)"; metadata: type stalkerware; dns.query; content:"s.servidor.in"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000457; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MeuSpy (play-store-3bb64[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"play-store-3bb64.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000458; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AppSpy (api[.]free-spy[.]com)"; metadata: type stalkerware; dns.query; content:"api.free-spy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000459; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AppSpy (app[.]appspy[.]net)"; metadata: type stalkerware; dns.query; content:"app.appspy.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000460; rev:1;) alert dns 
$HOME_NET any -> any any (msg:"PTS STALKERWARE AppSpy (appspy-net[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"appspy-net.firebaseio.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000461; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AppSpy (appspy[.]net)"; metadata: type stalkerware; dns.query; content:"appspy.net"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000462; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AppSpy (freemobilespy[.]net)"; metadata: type stalkerware; dns.query; content:"freemobilespy.net"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000463; rev:1;) alert ip $HOME_NET any -> [167.114.114.207] any (msg:"PTS STALKERWARE 167[.]114[.]114[.]207 (stalkerware)"; metadata: type AppSpy; classtype:targeted-activity; sid:1000464; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (api1[.]easydoc[.]info)"; metadata: type stalkerware; dns.query; content:"api1.easydoc.info"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000465; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (api3[.]easydoc[.]info)"; metadata: type stalkerware; dns.query; content:"api3.easydoc.info"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000466; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (apk[.]mtf[.]re)"; metadata: type stalkerware; dns.query; content:"apk.mtf.re"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000467; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (celltrackernew[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"celltrackernew.firebaseio.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000468; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (d-app-apk[.]com)"; metadata: type stalkerware; dns.query; content:"d-app-apk.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000469; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (d[.]d-app-apk[.]com)"; metadata: type stalkerware; dns.query; content:"d.d-app-apk.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000470; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (easydoc[.]info)"; metadata: type stalkerware; dns.query; content:"easydoc.info"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000471; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (loverman[.]net)"; metadata: type stalkerware; dns.query; content:"loverman.net"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000472; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (mobile-tracker-data[.]com)"; metadata: type stalkerware; dns.query; content:"mobile-tracker-data.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000473; rev:1;) alert dns $HOME_NET any -> any 
any (msg:"PTS STALKERWARE MobileTrackerFree (mtf[.]re)"; metadata: type stalkerware; dns.query; content:"mtf.re"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000474; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (myappmobile-537f7[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"myappmobile-537f7.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000475; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (n6sm2m[.]celltracker[.]io)"; metadata: type stalkerware; dns.query; content:"n6sm2m.celltracker.io"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000476; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (olurdaolurdediler[.]shop)"; metadata: type stalkerware; dns.query; content:"olurdaolurdediler.shop"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000477; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (sapient-flight-837[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"sapient-flight-837.firebaseio.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000478; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTrackerFree (mobile-tracker-free[.]com)"; metadata: type stalkerware; dns.query; content:"mobile-tracker-free.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000479; rev:1;) alert ip $HOME_NET any -> [51.15.183.209] any 
(msg:"PTS STALKERWARE 51[.]15[.]183[.]209 (stalkerware)"; metadata: type MobileTrackerFree; classtype:targeted-activity; sid:1000480; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (83dd4[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"83dd4.appspot.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000481; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (awsapi[.]io)"; metadata: type stalkerware; dns.query; content:"awsapi.io"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000482; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (em[.]awsapi[.]io)"; metadata: type stalkerware; dns.query; content:"em.awsapi.io"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000483; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (ikm[.]awsapi[.]io)"; metadata: type stalkerware; dns.query; content:"ikm.awsapi.io"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000484; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (emcpanel[.]com)"; metadata: type stalkerware; dns.query; content:"emcpanel.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000485; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (users[.]easemon[.]com)"; metadata: type stalkerware; dns.query; content:"users.easemon.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000486; rev:1;) alert dns $HOME_NET 
any -> any any (msg:"PTS STALKERWARE iKeyMonitor (ikeymonitor[.]com)"; metadata: type stalkerware; dns.query; content:"ikeymonitor.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000487; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (ikeymonitor[.]fr)"; metadata: type stalkerware; dns.query; content:"ikeymonitor.fr"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000488; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iKeyMonitor (users[.]awosoft[.]com)"; metadata: type stalkerware; dns.query; content:"users.awosoft.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000489; rev:1;) alert ip $HOME_NET any -> [172.67.82.183] any (msg:"PTS STALKERWARE 172[.]67[.]82[.]183 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000490; rev:1;) alert ip $HOME_NET any -> [104.25.170.109] any (msg:"PTS STALKERWARE 104[.]25[.]170[.]109 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000491; rev:1;) alert ip $HOME_NET any -> [104.25.169.109] any (msg:"PTS STALKERWARE 104[.]25[.]169[.]109 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000492; rev:1;) alert ip $HOME_NET any -> [104.26.15.56] any (msg:"PTS STALKERWARE 104[.]26[.]15[.]56 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000493; rev:1;) alert ip $HOME_NET any -> [172.67.73.2] any (msg:"PTS STALKERWARE 172[.]67[.]73[.]2 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000494; rev:1;) alert ip $HOME_NET any -> [104.26.14.56] any (msg:"PTS STALKERWARE 104[.]26[.]14[.]56 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000495; rev:1;) 
# --- iKeyMonitor (IP indicators, continued) ---------------------------------
# IP rules: `alert ip` with port `any` fires on any protocol and port from
# $HOME_NET to the listed address; there is no payload or hostname condition.
# NOTE(review): the 172.67.x.x and 104.18.x.x destinations below appear to sit
# inside address space Cloudflare publishes for its edge network — verify
# against the current published ranges. If so, each address fronts many
# unrelated sites and these rules will alert on ordinary browsing; treat hits
# as low confidence and corroborate with a DNS or TLS SNI match before acting.
# NOTE(review): compared with the DNS rules, msg and `metadata: type` look
# swapped in every IP rule (product name in metadata, "(stalkerware)" in msg)
# and no `reference` is set; anything filtering on `metadata type` or on the
# product name in msg has to handle both layouts — confirm this is intended.
alert ip $HOME_NET any -> [172.67.194.85] any (msg:"PTS STALKERWARE 172[.]67[.]194[.]85 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000496; rev:1;)
alert ip $HOME_NET any -> [104.18.54.129] any (msg:"PTS STALKERWARE 104[.]18[.]54[.]129 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000497; rev:1;)
alert ip $HOME_NET any -> [104.18.55.129] any (msg:"PTS STALKERWARE 104[.]18[.]55[.]129 (stalkerware)"; metadata: type iKeyMonitor; classtype:targeted-activity; sid:1000498; rev:1;)

# ---------------------------------------------------------------------------
# How to read the DNS rules below
#   dns.query                    inspect the queried name
#   content + depth + endswith   depth equals the content length, so together
#                                with endswith the whole name must equal the
#                                listed FQDN
#   nocase                       case-insensitive comparison
# Consequence: a parent-domain rule does not match its subdomains, which is
# why panspy[.]com and each listed *.panspy[.]com host carry separate sids.
# Tenant names on shared platforms (firebaseio[.]com, appspot[.]com,
# cloudfunctions[.]net, aliyuncs[.]com) are matched exactly, so other tenants
# of the same platform do not trigger these rules.
# Coverage limit: only DNS the sensor can parse is inspected; lookups carried
# over encrypted DNS (DoH/DoT) that the sensor cannot decrypt are not seen.
# ---------------------------------------------------------------------------

# --- PanSpy -----------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (panspy[.]me)"; metadata: type stalkerware; dns.query; content:"panspy.me"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000499; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (panspy[.]com)"; metadata: type stalkerware; dns.query; content:"panspy.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000500; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (ali[.]panspy[.]com)"; metadata: type stalkerware; dns.query; content:"ali.panspy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000501; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (c1[.]panspy[.]com)"; metadata: type stalkerware; dns.query; content:"c1.panspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000502; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (d1[.]panspy[.]com)"; metadata: type stalkerware; dns.query; content:"d1.panspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000503; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (s1[.]panspy[.]com)"; metadata: type stalkerware; dns.query; content:"s1.panspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000504; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (u1[.]panspy[.]com)"; metadata: type stalkerware; dns.query; content:"u1.panspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000505; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PanSpy (panspy-1[.]oss-us-west-1[.]aliyuncs[.]com)"; metadata: type stalkerware; dns.query; content:"panspy-1.oss-us-west-1.aliyuncs.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000506; rev:1;)

# --- AndroidLost ------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (androidlost[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"androidlost.appspot.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000507; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (androidlost[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"androidlost.firebaseio.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000508; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (androidlost[.]com)"; metadata: type stalkerware; dns.query; content:"androidlost.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000509; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (www[.]androidlost[.]com)"; metadata: type stalkerware; dns.query; content:"www.androidlost.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000510; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (test[.]androidlost[.]com)"; metadata: type stalkerware; dns.query; content:"test.androidlost.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000511; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidLost (new[.]androidlost[.]com)"; metadata: type stalkerware; dns.query; content:"new.androidlost.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000512; rev:1;)

# --- Metasploit (family label as it appears in msg) -------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Metasploit (foreverspy[.]com)"; metadata: type stalkerware; dns.query; content:"foreverspy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000513; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Metasploit (app[.]foreverspy[.]com)"; metadata: type stalkerware; dns.query; content:"app.foreverspy.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000514; rev:1;)

# --- Spy24 ------------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spy24 (spy24[.]net)"; metadata: type stalkerware; dns.query; content:"spy24.net"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000515; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spy24 (panel[.]spy24[.]net)"; metadata: type stalkerware; dns.query; content:"panel.spy24.net"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000516; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spy24 (panel24[.]org)"; metadata: type stalkerware; dns.query; content:"panel24.org"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000517; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spy24 (android[.]spy24[.]app)"; metadata: type stalkerware; dns.query; content:"android.spy24.app"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000518; rev:1;)
alert ip $HOME_NET any -> [138.201.32.118] any (msg:"PTS STALKERWARE 138[.]201[.]32[.]118 (stalkerware)"; metadata: type Spy24; classtype:targeted-activity; sid:1000519; rev:1;)

# --- CatWatchful ------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CatWatchful (catwatchful[.]com)"; metadata: type stalkerware; dns.query; content:"catwatchful.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000520; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CatWatchful (catwatchful-e03b8[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"catwatchful-e03b8.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000521; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CatWatchful (catwatchful-e03b8-2[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"catwatchful-e03b8-2.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000522; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CatWatchful (us-central1-catwatchful-e03b8[.]cloudfunctions[.]net)"; metadata: type stalkerware; dns.query; content:"us-central1-catwatchful-e03b8.cloudfunctions.net"; depth:48; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000523; rev:1;)
alert ip $HOME_NET any -> [45.114.224.147] any (msg:"PTS STALKERWARE 45[.]114[.]224[.]147 (stalkerware)"; metadata: type CatWatchful; classtype:targeted-activity; sid:1000524; rev:1;)
alert ip $HOME_NET any -> [162.144.75.253] any (msg:"PTS STALKERWARE 162[.]144[.]75[.]253 (stalkerware)"; metadata: type CatWatchful; classtype:targeted-activity; sid:1000525; rev:1;)

# --- HighsterMobile ---------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (a71f4[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"a71f4.firebaseio.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000526; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (ac480[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"ac480.firebaseio.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000527; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (auto-forward[.]com)"; metadata: type stalkerware; dns.query; content:"auto-forward.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000528; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (autoforward-8433d[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"autoforward-8433d.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000529; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (backup-a71f4[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"backup-a71f4.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000530; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (cellphoneservices[.]info)"; metadata: type stalkerware; dns.query; content:"cellphoneservices.info"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000531; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (ddiutilities[.]com)"; metadata: type stalkerware; dns.query; content:"ddiutilities.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000532; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (device-ac480[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"device-ac480.appspot.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000533; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (device-ac480[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"device-ac480.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000534; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (evt17[.]com)"; metadata: type stalkerware; dns.query; content:"evt17.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000535; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (ngc77[.]com)"; metadata: type stalkerware; dns.query; content:"ngc77.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000536; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (phonespector-b2f13[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"phonespector-b2f13.firebaseio.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000537; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE HighsterMobile (phonespector[.]com)"; metadata: type stalkerware; dns.query; content:"phonespector.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000538; rev:1;)

# --- iMonitorSpy ------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (imonitor-da8b2[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"imonitor-da8b2.firebaseio.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000539; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (imonitorke[.]com)"; metadata: type stalkerware; dns.query; content:"imonitorke.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000540; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (www[.]imonitorsoft[.]cn)"; metadata: type stalkerware; dns.query; content:"www.imonitorsoft.cn"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000541; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (www[.]imonitorsoft[.]com)"; metadata: type stalkerware; dns.query; content:"www.imonitorsoft.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000542; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (imonitorsoft[.]cn)"; metadata: type stalkerware; dns.query; content:"imonitorsoft.cn"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000543; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE iMonitorSpy (imonitorsoft[.]com)"; metadata: type stalkerware; dns.query; content:"imonitorsoft.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000544; rev:1;)

# --- MobileTool -------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (6kvses[.]com)"; metadata: type stalkerware; dns.query; content:"6kvses.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000545; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (bincdi[.]6kvses[.]com)"; metadata: type stalkerware; dns.query; content:"bincdi.6kvses.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000546; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (bincdi[.]birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"bincdi.birxpk.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000547; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"birxpk.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000548; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (dz7[.]wethnc067[.]xyz)"; metadata: type stalkerware; dns.query; content:"dz7.wethnc067.xyz"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000549; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (hzdy[.]birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"hzdy.birxpk.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000550; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (ixhtb[.]s9gxw8[.]com)"; metadata: type stalkerware; dns.query; content:"ixhtb.s9gxw8.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000551; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (kvshdi[.]birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"kvshdi.birxpk.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000552; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (mobiletool[.]ru)"; metadata: type stalkerware; dns.query; content:"mobiletool.ru"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000553; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (mrswd[.]wo87sf[.]com)"; metadata: type stalkerware; dns.query; content:"mrswd.wo87sf.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000554; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (mtoolapp[.]net)"; metadata: type stalkerware; dns.query; content:"mtoolapp.net"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000555; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (mtoolapp[.]biz)"; metadata: type stalkerware; dns.query; content:"mtoolapp.biz"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000556; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (my[.]mobiletool[.]ru)"; metadata: type stalkerware; dns.query; content:"my.mobiletool.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000557; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (my[.]mtoolapp[.]net)"; metadata: type stalkerware; dns.query; content:"my.mtoolapp.net"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000558; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (mzpgfh[.]uhabq9[.]com)"; metadata: type stalkerware; dns.query; content:"mzpgfh.uhabq9.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000559; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (noujx[.]s9gxw8[.]com)"; metadata: type stalkerware; dns.query; content:"noujx.s9gxw8.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000560; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (s9gxw8[.]com)"; metadata: type stalkerware; dns.query; content:"s9gxw8.com"; depth:10; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000561; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (support[.]mtoolapp[.]biz)"; metadata: type stalkerware; dns.query; content:"support.mtoolapp.biz"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000562; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (ug1c5v[.]birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"ug1c5v.birxpk.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000563; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (wethnc067[.]xyz)"; metadata: type stalkerware; dns.query; content:"wethnc067.xyz"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000564; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (www[.]mtoolapp[.]net)"; metadata: type stalkerware; dns.query; content:"www.mtoolapp.net"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000565; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileTool (xmyevq[.]birxpk[.]com)"; metadata: type stalkerware; dns.query; content:"xmyevq.birxpk.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000566; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (runaki-support[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"runaki-support.appspot.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000567; rev:1;) 
# Suricata signatures, one rule per indicator, laid out one per line (which is
# how the rule loader reads them).
#
# dns rules: inside the dns.query buffer, depth equals the content length and
# endswith anchors the tail, so a rule fires only on a query for exactly the
# listed name (case-insensitive). Unlisted subdomains do not alert, which is
# why spyhuman.com and aps2.spyhuman.com carry separate sids. Entries under
# firebaseio.com / s3.amazonaws.com name one tenant host, so other tenants of
# those platforms stay out of scope.
# Only DNS the sensor can parse is covered; lookups sent over DoH/DoT will not
# hit these rules. The source is $HOME_NET, so monitored clients must fall
# inside HOME_NET.
#
# ip rules: match traffic from $HOME_NET to a single destination address, any port.
# NOTE(review): they label differently from the dns rules -- msg says
# "(stalkerware)" and metadata type carries the app name, while dns rules put
# the app in msg and "stalkerware" in metadata type. Anything that filters on
# the metadata value has to handle both forms. The ip rules also have no
# reference option.
# NOTE(review): no threshold option is set; confirm the alert volume per
# connection is acceptable. A bare address can be reassigned or shared between
# sites -- TODO confirm the indicator is still current before acting on a hit.

# ShadowSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (shadow-logs[.]com)"; metadata: type stalkerware; dns.query; content:"shadow-logs.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000568; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (shadow-spy[.]com)"; metadata: type stalkerware; dns.query; content:"shadow-spy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000569; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (shadowappbundle-default-rtdb[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"shadowappbundle-default-rtdb.firebaseio.com"; depth:43; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000570; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (shadowlogspanel[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"shadowlogspanel.firebaseio.com"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000571; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadowSpy (www[.]shadow-logs[.]com)"; metadata: type stalkerware; dns.query; content:"www.shadow-logs.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000572; rev:1;)

# SpyHuman
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (apispyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"apispyhuman.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000573; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps22[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps22.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000574; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps12[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps12.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000575; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps13[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps13.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000576; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps14[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps14.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000577; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps15[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps15.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000578; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps16[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps16.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000579; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps17[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps17.spyhuman.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000580; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps16042016[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps16042016.spyhuman.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000581; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps18data[.]securebackuponline[.]net)"; metadata: type stalkerware; dns.query; content:"aps18data.securebackuponline.net"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000582; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps18file[.]securebackuponline[.]net)"; metadata: type stalkerware; dns.query; content:"aps18file.securebackuponline.net"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000583; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (aps2[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"aps2.spyhuman.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000584; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (nodejs[.]spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"nodejs.spyhuman.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000585; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (securebackuponline[.]net)"; metadata: type stalkerware; dns.query; content:"securebackuponline.net"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000586; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (sp18022019[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"sp18022019.firebaseio.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000587; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (spyhuman-97943[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spyhuman-97943.firebaseio.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000588; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyHuman (spyhuman[.]com)"; metadata: type stalkerware; dns.query; content:"spyhuman.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000589; rev:1;)
# SpyHuman, address indicator
alert ip $HOME_NET any -> [213.239.228.196] any (msg:"PTS STALKERWARE 213[.]239[.]228[.]196 (stalkerware)"; metadata: type SpyHuman; classtype:targeted-activity; sid:1000590; rev:1;)

# uMobix
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE uMobix (android-api[.]umobix[.]com)"; metadata: type stalkerware; dns.query; content:"android-api.umobix.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000591; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE uMobix (us[.]umobix[.]com)"; metadata: type stalkerware; dns.query; content:"us.umobix.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000592; rev:1;)

# TheOneSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (api[.]ogymogy[.]com)"; metadata: type stalkerware; dns.query; content:"api.ogymogy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000593; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (lb[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"lb.theonespy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000594; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (im[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"im.theonespy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000595; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node-api[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node-api.theonespy.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000596; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node1[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node1.theonespy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000597; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node2[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node2.theonespy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000598; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node3[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node3.theonespy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000599; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node4[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node4.theonespy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000600; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (node5[.]theonespy[.]com)"; metadata: type stalkerware; dns.query; content:"node5.theonespy.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000601; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheOneSpy (ogymoggy[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"ogymoggy.firebaseio.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000602; rev:1;)
# TheOneSpy, address indicators
alert ip $HOME_NET any -> [85.13.218.229] any (msg:"PTS STALKERWARE 85[.]13[.]218[.]229 (stalkerware)"; metadata: type TheOneSpy; classtype:targeted-activity; sid:1000603; rev:1;)
alert ip $HOME_NET any -> [85.13.206.195] any (msg:"PTS STALKERWARE 85[.]13[.]206[.]195 (stalkerware)"; metadata: type TheOneSpy; classtype:targeted-activity; sid:1000604; rev:1;)

# ClevGuard
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ClevGuard (api[.]clevguard[.]com)"; metadata: type stalkerware; dns.query; content:"api.clevguard.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000605; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ClevGuard (kidsguard-6c6a9[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"kidsguard-6c6a9.firebaseio.com"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000606; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ClevGuard (clevguard[.]net)"; metadata: type stalkerware; dns.query; content:"clevguard.net"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000607; rev:1;)
# ClevGuard, address indicator
alert ip $HOME_NET any -> [47.88.63.70] any (msg:"PTS STALKERWARE 47[.]88[.]63[.]70 (stalkerware)"; metadata: type ClevGuard; classtype:targeted-activity; sid:1000608; rev:1;)

# EasyPhoneTrack
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (cell-phones-tracker[.]net)"; metadata: type stalkerware; dns.query; content:"cell-phones-tracker.net"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000609; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (celltracker[.]mobi)"; metadata: type stalkerware; dns.query; content:"celltracker.mobi"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000610; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (easyphonetrack[.]com)"; metadata: type stalkerware; dns.query; content:"easyphonetrack.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000611; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (phonetrack[.]com)"; metadata: type stalkerware; dns.query; content:"phonetrack.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000612; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (spy-datacenter[.]com)"; metadata: type stalkerware; dns.query; content:"spy-datacenter.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000613; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (studio11-7e288[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"studio11-7e288.firebaseio.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000614; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (trackmy[.]mobi)"; metadata: type stalkerware; dns.query; content:"trackmy.mobi"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000615; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EasyPhoneTrack (www[.]spy-datacenter[.]com)"; metadata: type stalkerware; dns.query; content:"www.spy-datacenter.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000616; rev:1;)
# EasyPhoneTrack, address indicator
alert ip $HOME_NET any -> [50.28.38.175] any (msg:"PTS STALKERWARE 50[.]28[.]38[.]175 (stalkerware)"; metadata: type EasyPhoneTrack; classtype:targeted-activity; sid:1000617; rev:1;)

# bark
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE bark (bark-android-media[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"bark-android-media.s3.amazonaws.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000618; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE bark (www[.]bark[.]us)"; metadata: type stalkerware; dns.query; content:"www.bark.us"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000619; rev:1;)
alert dns $HOME_NET
any -> any any (msg:"PTS STALKERWARE SpyLive360 (s1[.]spylive360[.]com)"; metadata: type stalkerware; dns.query; content:"s1.spylive360.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000620; rev:1;)
# Suricata signatures, one rule per indicator, laid out one per line (which is
# how the rule loader reads them).
#
# dns rules: inside the dns.query buffer, depth equals the content length and
# endswith anchors the tail, so a rule fires only on a query for exactly the
# listed name (case-insensitive). Unlisted subdomains do not alert, which is
# why bk128.com and sync.bk128.com carry separate sids. Entries under
# firebaseio.com / appspot.com name one tenant host, so other tenants of those
# platforms stay out of scope.
# Only DNS the sensor can parse is covered; lookups sent over DoH/DoT will not
# hit these rules. The source is $HOME_NET, so monitored clients must fall
# inside HOME_NET.
#
# ip rules: match traffic from $HOME_NET to a single destination address, any port.
# NOTE(review): they label differently from the dns rules -- msg says
# "(stalkerware)" and metadata type carries the app name, while dns rules put
# the app in msg and "stalkerware" in metadata type. Anything that filters on
# the metadata value has to handle both forms. The ip rules also have no
# reference option.
# NOTE(review): no threshold option is set; confirm the alert volume per
# connection is acceptable. A bare address can be reassigned or shared between
# sites -- TODO confirm the indicator is still current before acting on a hit.

# SpyLive360
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyLive360 (s2[.]spylive360[.]com)"; metadata: type stalkerware; dns.query; content:"s2.spylive360.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000621; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyLive360 (s3[.]spylive360[.]com)"; metadata: type stalkerware; dns.query; content:"s3.spylive360.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000622; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyLive360 (spylive360[.]com)"; metadata: type stalkerware; dns.query; content:"spylive360.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000623; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyLive360 (sl360-7ba65[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"sl360-7ba65.firebaseio.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000624; rev:1;)

# XNSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (xnspy[.]com)"; metadata: type stalkerware; dns.query; content:"xnspy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000625; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (sync[.]xiz4me[.]com)"; metadata: type stalkerware; dns.query; content:"sync.xiz4me.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000626; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (alert[.]xiz4me[.]com)"; metadata: type stalkerware; dns.query; content:"alert.xiz4me.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000627; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (www[.]mydwnd[.]com)"; metadata: type stalkerware; dns.query; content:"www.mydwnd.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000628; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (mydwnd[.]com)"; metadata: type stalkerware; dns.query; content:"mydwnd.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000629; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (brilliant-flame-585[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"brilliant-flame-585.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000630; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (true-truck-86810[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"true-truck-86810.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000631; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (sync[.]bk128[.]com)"; metadata: type stalkerware; dns.query; content:"sync.bk128.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000632; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (asset[.]bk128[.]com)"; metadata: type stalkerware; dns.query; content:"asset.bk128.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000633; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (alert[.]bk128[.]com)"; metadata: type stalkerware; dns.query; content:"alert.bk128.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000634; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (bk128[.]com)"; metadata: type stalkerware; dns.query; content:"bk128.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000635; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XNSpy (wppspy[.]tech)"; metadata: type stalkerware; dns.query; content:"wppspy.tech"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000636; rev:1;)

# MobiSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobiSpy (my[.]mobispy[.]net)"; metadata: type stalkerware; dns.query; content:"my.mobispy.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000637; rev:1;)

# NeoSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i6[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i6.clientreport.info"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000638; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i7[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i7.clientreport.info"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000639; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i8[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i8.clientreport.info"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000640; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i9[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i9.clientreport.info"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000641; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i10[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i10.clientreport.info"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000642; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i11[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i11.clientreport.info"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000643; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i12[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i12.clientreport.info"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000644; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (i13[.]clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"i13.clientreport.info"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000645; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NeoSpy (clientreport[.]info)"; metadata: type stalkerware; dns.query; content:"clientreport.info"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000646; rev:1;)

# AllTracker
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (4-dot-all-tracker[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"4-dot-all-tracker.appspot.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000647; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (6-dot-all-tracker[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"6-dot-all-tracker.appspot.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000648; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (all-tracker[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"all-tracker.appspot.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000649; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (all-tracker[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"all-tracker.firebaseio.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000650; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (alltracker[.]org)"; metadata: type stalkerware; dns.query; content:"alltracker.org"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000651; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AllTracker (staging-all-tracker[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"staging-all-tracker.appspot.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000652; rev:1;)

# SpyPhoneApp
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyPhoneApp (www[.]spy-phone-app[.]com)"; metadata: type stalkerware; dns.query; content:"www.spy-phone-app.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000653; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyPhoneApp (www[.]spappmonitoring[.]com)"; metadata: type stalkerware; dns.query; content:"www.spappmonitoring.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000654; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyPhoneApp (mobil-kem[.]com)"; metadata: type stalkerware; dns.query; content:"mobil-kem.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000655; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyPhoneApp (www[.]app-spy[.]com)"; metadata: type stalkerware; dns.query; content:"www.app-spy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000656; rev:1;)

# AndroidMonitor
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidMonitor (server[.]androidmonitor[.]com)"; metadata: type stalkerware; dns.query; content:"server.androidmonitor.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000657; rev:1;)
# AndroidMonitor, address indicator
alert ip $HOME_NET any -> [178.33.203.110] any (msg:"PTS STALKERWARE 178[.]33[.]203[.]110 (stalkerware)"; metadata: type AndroidMonitor; classtype:targeted-activity; sid:1000658; rev:1;)

# TalkLog
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TalkLog (talklog[.]tools)"; metadata: type stalkerware; dns.query; content:"talklog.tools"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000659; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TalkLog (tchsrvce[.]com)"; metadata: type stalkerware; dns.query; content:"tchsrvce.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000660; rev:1;)
# TalkLog, address indicator
alert ip $HOME_NET any -> [78.46.34.14] any (msg:"PTS STALKERWARE 78[.]46[.]34[.]14 (stalkerware)"; metadata: type TalkLog; classtype:targeted-activity; sid:1000661; rev:1;)

# SpyMasterPro
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyMasterPro (cpcalendars[.]spymasterpro[.]com)"; metadata: type stalkerware; dns.query; content:"cpcalendars.spymasterpro.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000662; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyMasterPro (cpcontacts[.]spymasterpro[.]com)"; metadata: type stalkerware; dns.query; content:"cpcontacts.spymasterpro.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000663; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyMasterPro (imobispy[.]com)"; metadata: type stalkerware; dns.query; content:"imobispy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000664; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyMasterPro (senseye[.]spymasterpro[.]com)"; metadata: type stalkerware; dns.query; content:"senseye.spymasterpro.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000665; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyMasterPro (spymaster-e535b[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spymaster-e535b.firebaseio.com"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000666; rev:1;)
# SpyMasterPro, address indicator
alert ip $HOME_NET any -> [91.121.70.22] any (msg:"PTS STALKERWARE 91[.]121[.]70[.]22 (stalkerware)"; metadata: type SpyMasterPro; classtype:targeted-activity; sid:1000667; rev:1;)

# FreeAndroidSpy
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FreeAndroidSpy (server[.]freeandroidspy[.]com)"; metadata: type stalkerware; dns.query; content:"server.freeandroidspy.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000668; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FreeAndroidSpy (spysetup[.]com)"; metadata: type stalkerware; dns.query; content:"spysetup.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000669; rev:1;)
# FreeAndroidSpy, address indicators
alert ip $HOME_NET any -> [46.40.125.240] any (msg:"PTS STALKERWARE 46[.]40[.]125[.]240 (stalkerware)"; metadata: type FreeAndroidSpy; classtype:targeted-activity; sid:1000670; rev:1;)
alert ip $HOME_NET any -> [199.38.181.70] any (msg:"PTS STALKERWARE 199[.]38[.]181[.]70 (stalkerware)"; metadata: type FreeAndroidSpy; classtype:targeted-activity; sid:1000671; rev:1;)
alert ip $HOME_NET any -> [217.182.176.52] any (msg:"PTS STALKERWARE 217[.]182[.]176[.]52 (stalkerware)"; metadata: type FreeAndroidSpy;
classtype:targeted-activity; sid:1000672; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NetSpy (netspy-7b8ec[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"netspy-7b8ec.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000673; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spyier (i[.]spyier[.]com)"; metadata: type stalkerware; dns.query; content:"i.spyier.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000674; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spyier (v4vw4ytvo4[.]execute-api[.]us-east-2[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"v4vw4ytvo4.execute-api.us-east-2.amazonaws.com"; depth:46; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000675; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CouplerTracker (api[.]bytepioner[.]com)"; metadata: type stalkerware; dns.query; content:"api.bytepioner.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000676; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE GPSTrackerLoki (asgard-f8c53[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"asgard-f8c53.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000677; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE GPSTrackerLoki (m[.]asgardtech[.]ru)"; metadata: type stalkerware; dns.query; content:"m.asgardtech.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; 
sid:1000678; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Xnore (spyapp[.]top)"; metadata: type stalkerware; dns.query; content:"spyapp.top"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000679; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Xnore (xnore[.]com)"; metadata: type stalkerware; dns.query; content:"xnore.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000680; rev:1;) alert ip $HOME_NET any -> [162.144.212.52] any (msg:"PTS STALKERWARE 162[.]144[.]212[.]52 (stalkerware)"; metadata: type Xnore; classtype:targeted-activity; sid:1000681; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EspiaoAndroid (aovivo[.]foxspy[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"aovivo.foxspy.com.br"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000682; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EspiaoAndroid (api007[.]foxspy[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"api007.foxspy.com.br"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000683; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EspiaoAndroid (pc[.]foxspy[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"pc.foxspy.com.br"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000684; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EspiaoAndroid (celular007[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"celular007.s3.amazonaws.com"; depth:27; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000685; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EspiaoAndroid (remoto[.]foxspy[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"remoto.foxspy.com.br"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000686; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE pcTattletale (pctattletalev2[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"pctattletalev2.s3.amazonaws.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000687; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE pcTattletale (pctattletale[.]com)"; metadata: type stalkerware; dns.query; content:"pctattletale.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000688; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE pcTattletale (truewebmedia[.]com)"; metadata: type stalkerware; dns.query; content:"truewebmedia.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000689; rev:1;) alert ip $HOME_NET any -> [67.227.193.142] any (msg:"PTS STALKERWARE 67[.]227[.]193[.]142 (stalkerware)"; metadata: type pcTattletale; classtype:targeted-activity; sid:1000690; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyEra (spylogs[.]com)"; metadata: type stalkerware; dns.query; content:"spylogs.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000691; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyEra (spyera[.]postaffiliatepro[.]com)"; metadata: type 
stalkerware; dns.query; content:"spyera.postaffiliatepro.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000692; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AntiFurtoDroid (app[.]antifurtodroid[.]com)"; metadata: type stalkerware; dns.query; content:"app.antifurtodroid.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000693; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CallSMSTracker (beta[.]smstracker[.]com)"; metadata: type stalkerware; dns.query; content:"beta.smstracker.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000694; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CallSMSTracker (messages01[.]smstracker[.]com)"; metadata: type stalkerware; dns.query; content:"messages01.smstracker.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000695; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CallSMSTracker (messages02[.]smstracker[.]com)"; metadata: type stalkerware; dns.query; content:"messages02.smstracker.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000696; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE CallSMSTracker (staging[.]smstracker[.]com)"; metadata: type stalkerware; dns.query; content:"staging.smstracker.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000697; rev:1;) alert ip $HOME_NET any -> [45.40.135.228] any (msg:"PTS STALKERWARE 45[.]40[.]135[.]228 (stalkerware)"; metadata: type CallSMSTracker; 
classtype:targeted-activity; sid:1000698; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (ioi[.]life)"; metadata: type stalkerware; dns.query; content:"ioi.life"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000699; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (api[.]corn-cob[.]com)"; metadata: type stalkerware; dns.query; content:"api.corn-cob.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000700; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (corn-cob[.]com)"; metadata: type stalkerware; dns.query; content:"corn-cob.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000701; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (d[.]corn-cob[.]com)"; metadata: type stalkerware; dns.query; content:"d.corn-cob.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000702; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (tracksp[.]in)"; metadata: type stalkerware; dns.query; content:"tracksp.in"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000703; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (my[.]aispyer[.]com)"; metadata: type stalkerware; dns.query; content:"my.aispyer.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000704; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (tracksp-7743c[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; 
content:"tracksp-7743c.firebaseio.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000705; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AiSpyer (www[.]ioi[.]life)"; metadata: type stalkerware; dns.query; content:"www.ioi.life"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000706; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (android[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"android.spytoapp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000707; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (apk01[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"apk01.spytoapp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000708; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (apk02[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"apk02.spytoapp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000709; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (apk03[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"apk03.spytoapp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000710; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (apk04[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"apk04.spytoapp.com"; depth:18; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000711; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (downapk[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"downapk.spytoapp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000712; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyToApp (services[.]spytoapp[.]com)"; metadata: type stalkerware; dns.query; content:"services.spytoapp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000713; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BlurSpy (spyapp-8916f[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spyapp-8916f.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000714; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BlurSpy (blurspy[.]com)"; metadata: type stalkerware; dns.query; content:"blurspy.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000715; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BlurSpy (8916f[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"8916f.appspot.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000716; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AppMia (tr[.]appmia[.]com)"; metadata: type stalkerware; dns.query; content:"tr.appmia.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000717; rev:1;) alert dns 
$HOME_NET any -> any any (msg:"PTS STALKERWARE Unisafe (a342f[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"a342f.appspot.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000718; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Unisafe (unisafe-a342f[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"unisafe-a342f.firebaseio.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000719; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Unisafe (usafe-ca594[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"usafe-ca594.firebaseio.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000720; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Unisafe (usafe[.]ru)"; metadata: type stalkerware; dns.query; content:"usafe.ru"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000721; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (analytics[.]trackview[.]net)"; metadata: type stalkerware; dns.query; content:"analytics.trackview.net"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000722; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (api-project-285519687053[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"api-project-285519687053.firebaseio.com"; depth:39; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000723; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView 
(api[.]lifecircle[.]app)"; metadata: type stalkerware; dns.query; content:"api.lifecircle.app"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000724; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (api[.]trackview[.]lifecircle[.]app)"; metadata: type stalkerware; dns.query; content:"api.trackview.lifecircle.app"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000725; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (cnapi[.]trackview[.]net)"; metadata: type stalkerware; dns.query; content:"cnapi.trackview.net"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000726; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (lifecircle-223805[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"lifecircle-223805.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000727; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (m[.]lifecircle[.]app)"; metadata: type stalkerware; dns.query; content:"m.lifecircle.app"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000728; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (rc-api[.]lifecircle[.]app)"; metadata: type stalkerware; dns.query; content:"rc-api.lifecircle.app"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000729; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (trackview[.]net)"; metadata: type stalkerware; dns.query; 
content:"trackview.net"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000730; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (us-central1-api-project-285519687053[.]cloudfunctions[.]net)"; metadata: type stalkerware; dns.query; content:"us-central1-api-project-285519687053.cloudfunctions.net"; depth:55; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000731; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (user[.]trackview[.]net)"; metadata: type stalkerware; dns.query; content:"user.trackview.net"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000732; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (user2[.]trackview[.]net)"; metadata: type stalkerware; dns.query; content:"user2.trackview.net"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000733; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackView (relay1[.]trackview[.]net)"; metadata: type stalkerware; dns.query; content:"relay1.trackview.net"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000734; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackingSmartphone (trackingsmartphone[.]com)"; metadata: type stalkerware; dns.query; content:"trackingsmartphone.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000735; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackingSmartphone (onlinefundb[.]com)"; metadata: type stalkerware; dns.query; 
content:"onlinefundb.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000736; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TrackingSmartphone (tracking-smartphone[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"tracking-smartphone.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000737; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyphoneMobileTracker (phonetracker[.]com)"; metadata: type stalkerware; dns.query; content:"phonetracker.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000738; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyphoneMobileTracker (phonetracker95gpsonly[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"phonetracker95gpsonly.firebaseio.com"; depth:36; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000739; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneLocator (locatorprivacy[.]com)"; metadata: type stalkerware; dns.query; content:"locatorprivacy.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000740; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ua[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ua.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000741; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ub[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ub.evaspy.com"; depth:13; nocase; 
endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000742; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uc[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uc.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000743; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ud[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ud.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000744; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ue[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ue.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000745; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uf[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uf.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000746; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ug[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ug.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000747; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uh[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uh.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000748; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE 
EvaSpy (ui[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ui.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000749; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uj[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uj.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000750; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uk[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uk.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000751; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ul[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ul.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000752; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (um[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"um.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000753; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (un[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"un.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000754; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uo[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uo.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000755; rev:1;)
# Stalkerware network indicators (EvaSpy, RealtimeSpy, jjspy, AndroidSpy), one rule per
# indicator; the dns rules reference github.com/AssoEchap/stalkerware-indicators.
# dns rules: depth is the length of the content string and endswith anchors the match to
# the end of the dns.query buffer, so a rule fires only when the queried name equals the
# indicator (nocase makes the comparison case-insensitive). Subdomains of a listed name
# are not covered unless they have a rule of their own (jjspy.com and my.jjspy.com below
# are separate rules).
# These rules inspect plaintext DNS only; lookups made over DoH/DoT never reach dns.query.
# --- EvaSpy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (up[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"up.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000756; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (uq[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"uq.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000757; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE EvaSpy (ur[.]evaspy[.]com)"; metadata: type stalkerware; dns.query; content:"ur.evaspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000758; rev:1;)
# --- RealtimeSpy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE RealtimeSpy (realtime-spy-mobile[.]com)"; metadata: type stalkerware; dns.query; content:"realtime-spy-mobile.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000759; rev:1;)
# NOTE(review): this ip rule carries the address in msg and the family name in
# `metadata: type`, the reverse of the dns rules (family in msg, `type stalkerware`), and
# it has no reference keyword. Alert filters keyed on metadata type "stalkerware" would
# miss it - confirm in the rule generator. A bare destination address also keeps matching
# after the host is reassigned, so re-check it against the upstream indicator list.
alert ip $HOME_NET any -> [184.154.69.210] any (msg:"PTS STALKERWARE 184[.]154[.]69[.]210 (stalkerware)"; metadata: type RealtimeSpy; classtype:targeted-activity; sid:1000760; rev:1;)
# --- jjspy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (api[.]ttspy[.]com)"; metadata: type stalkerware; dns.query; content:"api.ttspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000761; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (cloud[.]ttspy[.]com)"; metadata: type stalkerware; dns.query; content:"cloud.ttspy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000762; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (jjspy[.]com)"; metadata: type stalkerware; dns.query; content:"jjspy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000763; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (jjspy[.]ml)"; metadata: type stalkerware; dns.query; content:"jjspy.ml"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000764; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (my[.]jjspy[.]com)"; metadata: type stalkerware; dns.query; content:"my.jjspy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000765; rev:1;)
# NOTE(review): tenant label under a shared platform suffix (firebaseio.com). Only this
# exact name matches, but control of such labels may change over time; treat a hit as a
# lead to confirm on the device rather than as proof.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (phone-backup-service[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"phone-backup-service.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000766; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (rrspy[.]com)"; metadata: type stalkerware; dns.query; content:"rrspy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000767; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (rtc[.]ttspy[.]com)"; metadata: type stalkerware; dns.query; content:"rtc.ttspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000768; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (service[.]n[.]weiguanai[.]cn)"; metadata: type stalkerware; dns.query; content:"service.n.weiguanai.cn"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000769; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (service[.]weiguanai[.]cn)"; metadata: type stalkerware; dns.query; content:"service.weiguanai.cn"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000770; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttjj[.]ga)"; metadata: type stalkerware; dns.query; content:"ttjj.ga"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000771; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttjj[.]tk)"; metadata: type stalkerware; dns.query; content:"ttjj.tk"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000772; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttjj[.]ml)"; metadata: type stalkerware; dns.query; content:"ttjj.ml"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000773; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttspy[.]com)"; metadata: type stalkerware; dns.query; content:"ttspy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000774; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttspy[.]net)"; metadata: type stalkerware; dns.query; content:"ttspy.net"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000775; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ttspy[.]top)"; metadata: type stalkerware; dns.query; content:"ttspy.top"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000776; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (upload[.]weiguanai[.]cn)"; metadata: type stalkerware; dns.query; content:"upload.weiguanai.cn"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000777; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (ws[.]ttspy[.]com)"; metadata: type stalkerware; dns.query; content:"ws.ttspy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000778; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (www[.]ttjj[.]tk)"; metadata: type stalkerware; dns.query; content:"www.ttjj.tk"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000779; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE jjspy (wx[.]weiguanai[.]cn)"; metadata: type stalkerware; dns.query; content:"wx.weiguanai.cn"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000780; rev:1;)
# --- AndroidSpy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidSpy (a-spy[.]com)"; metadata: type stalkerware; dns.query; content:"a-spy.com"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000781; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidSpy (m[.]a-spy[.]com)"; metadata: type stalkerware; dns.query; content:"m.a-spy.com"; depth:11; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000782; rev:1;)
# Stalkerware DNS indicators (AndroidSpy, AndroidPolice, FindMyPhone, Bulgok), one rule
# per name, referencing github.com/AssoEchap/stalkerware-indicators.
# depth is the length of the content string and endswith anchors the match to the end of
# the dns.query buffer, so each rule fires only on a query for exactly that name; that is
# why android-monitor.ru and each of its subdomains appear as separate rules.
# --- AndroidSpy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidSpy (klg[.]a-spy[.]com)"; metadata: type stalkerware; dns.query; content:"klg.a-spy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000783; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidSpy (my[.]a-spy[.]com)"; metadata: type stalkerware; dns.query; content:"my.a-spy.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000784; rev:1;)
# --- AndroidPolice ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (amon[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"amon.android-monitor.ru"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000785; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (amon1[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"amon1.android-monitor.ru"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000786; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (andmon[.]name)"; metadata: type stalkerware; dns.query; content:"andmon.name"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000787; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (android-apk[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"android-apk.android-monitor.ru"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000788; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (android-monitor1[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"android-monitor1.android-monitor.ru"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000789; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (android-police[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"android-police.android-monitor.ru"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000790; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (android-police[.]ru)"; metadata: type stalkerware; dns.query; content:"android-police.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000791; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (anmon[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"anmon.android-monitor.ru"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000792; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (anmon[.]name)"; metadata: type stalkerware; dns.query; content:"anmon.name"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000793; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (anmon[.]ru)"; metadata: type stalkerware; dns.query; content:"anmon.ru"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000794; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (anmon[.]su)"; metadata: type stalkerware; dns.query; content:"anmon.su"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000795; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (anmon1[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"anmon1.android-monitor.ru"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000796; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (droimon20[.]ru)"; metadata: type stalkerware; dns.query; content:"droimon20.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000797; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (monitor-android[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"monitor-android.android-monitor.ru"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000798; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (prog-money[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"prog-money.android-monitor.ru"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000799; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (prog-money[.]com)"; metadata: type stalkerware; dns.query; content:"prog-money.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000800; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (www[.]android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"www.android-monitor.ru"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000801; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AndroidPolice (android-monitor[.]ru)"; metadata: type stalkerware; dns.query; content:"android-monitor.ru"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000802; rev:1;)
# --- FindMyPhone ---
# NOTE(review): the herokuapp.com name below, and the firebaseio.com and beget.tech names
# under Bulgok, are tenant labels under suffixes that look like shared hosting platforms.
# Only the exact label matches, but control of such labels may change over time; treat a
# hit as a lead to confirm on the device rather than as proof.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyPhone (find-my-phone-prod[.]herokuapp[.]com)"; metadata: type stalkerware; dns.query; content:"find-my-phone-prod.herokuapp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000803; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyPhone (findmyphone[.]mangobird[.]com)"; metadata: type stalkerware; dns.query; content:"findmyphone.mangobird.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000804; rev:1;)
# --- Bulgok ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Bulgok (c-phone[.]ru)"; metadata: type stalkerware; dns.query; content:"c-phone.ru"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000805; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Bulgok (control-phone-a05a3[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"control-phone-a05a3.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000806; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Bulgok (q95294fs[.]beget[.]tech)"; metadata: type stalkerware; dns.query; 
content:"q95294fs.beget.tech"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000807; rev:1;)
# Stalkerware network indicators (Tracku, KidsShield, NemoSpy, SpyKontrol), one rule per
# indicator; the dns rules reference github.com/AssoEchap/stalkerware-indicators.
# depth is the length of the content string and endswith anchors the match to the end of
# the dns.query buffer, so each dns rule fires only on a query for exactly that name;
# www. and other subdomains need (and here have) their own rules.
# --- Tracku ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (apk7[.]biz)"; metadata: type stalkerware; dns.query; content:"apk7.biz"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000808; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (clues[.]link)"; metadata: type stalkerware; dns.query; content:"clues.link"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000809; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (clues4[.]com)"; metadata: type stalkerware; dns.query; content:"clues4.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000810; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (cluestr[.]com)"; metadata: type stalkerware; dns.query; content:"cluestr.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000811; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (e-spy[.]app)"; metadata: type stalkerware; dns.query; content:"e-spy.app"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000812; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (e-spy[.]org)"; metadata: type stalkerware; dns.query; content:"e-spy.org"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000813; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (izapk[.]xyz)"; metadata: type stalkerware; dns.query; content:"izapk.xyz"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000814; rev:1;)
# NOTE(review): tenant label under a shared platform suffix (firebaseio.com); control of
# such labels may change over time, so confirm a hit on the device.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (izspy-1313[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"izspy-1313.firebaseio.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000815; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (msafe[.]xyz)"; metadata: type stalkerware; dns.query; content:"msafe.xyz"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000816; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (www[.]apk7[.]biz)"; metadata: type stalkerware; dns.query; content:"www.apk7.biz"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000817; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (www[.]e-spy[.]org)"; metadata: type stalkerware; dns.query; content:"www.e-spy.org"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000818; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Tracku (www[.]msafe[.]xyz)"; metadata: type stalkerware; dns.query; content:"www.msafe.xyz"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000819; rev:1;)
# --- KidsShield ---
# NOTE(review): apprtc.appspot.com appears to be the public AppRTC WebRTC demo host rather
# than infrastructure specific to this family; expect hits from unrelated use and confirm
# with the upstream indicator list before treating this rule as high confidence.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (apprtc[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"apprtc.appspot.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000820; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (d[.]tispy[.]net)"; metadata: type stalkerware; dns.query; content:"d.tispy.net"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000821; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (freespyapp[.]com)"; metadata: type stalkerware; dns.query; content:"freespyapp.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000822; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (kidsshield[.]net)"; metadata: type stalkerware; dns.query; content:"kidsshield.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000823; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (login[.]quanly24h[.]net)"; metadata: type stalkerware; dns.query; content:"login.quanly24h.net"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000824; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (pc[.]backupsoft[.]eu)"; metadata: type stalkerware; dns.query; content:"pc.backupsoft.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000825; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (pc[.]freespyapp[.]com)"; metadata: type stalkerware; dns.query; content:"pc.freespyapp.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000826; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (pc[.]selfspy[.]com)"; metadata: type stalkerware; dns.query; content:"pc.selfspy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000827; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (pc[.]viptelefonprogrami[.]com)"; metadata: type stalkerware; dns.query; content:"pc.viptelefonprogrami.com"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000828; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (quanly24h[.]net)"; metadata: type stalkerware; dns.query; content:"quanly24h.net"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000829; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (spyt[.]co)"; metadata: type stalkerware; dns.query; content:"spyt.co"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000830; rev:1;)
# NOTE(review): storage-bucket style name under s3.amazonaws.com; the exact label is what
# matches, but bucket names may be released and claimed by another party - confirm hits.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (spytrac-app1[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"spytrac-app1.s3.amazonaws.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000831; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (theodoi24h[.]com)"; metadata: type stalkerware; dns.query; content:"theodoi24h.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000832; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (tispy[.]net)"; metadata: type stalkerware; dns.query; content:"tispy.net"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000833; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (ua[.]tispy[.]net)"; metadata: type stalkerware; dns.query; content:"ua.tispy.net"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000834; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE KidsShield (viptelefonprogrami[.]com)"; metadata: type stalkerware; dns.query; content:"viptelefonprogrami.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000835; rev:1;)
# NOTE(review): this ip rule carries the address in msg and the family name in
# `metadata: type`, the reverse of the dns rules (family in msg, `type stalkerware`), and
# it has no reference keyword. Alert filters keyed on metadata type "stalkerware" would
# miss it - confirm in the rule generator. A bare destination address also keeps matching
# after the host is reassigned, so re-check it against the upstream indicator list.
alert ip $HOME_NET any -> [52.22.130.9] any (msg:"PTS STALKERWARE 52[.]22[.]130[.]9 (stalkerware)"; metadata: type KidsShield; classtype:targeted-activity; sid:1000836; rev:1;)
# --- NemoSpy ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NemoSpy (nemospy[.]com)"; metadata: type stalkerware; dns.query; content:"nemospy.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000837; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NemoSpy (setup[.]nemospy[.]com)"; metadata: type stalkerware; dns.query; content:"setup.nemospy.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000838; rev:1;)
# --- SpyKontrol ---
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyKontrol (pc[.]spykontrol[.]com)"; metadata: type stalkerware; dns.query; content:"pc.spykontrol.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000839; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyKontrol (androidapk[.]biz)"; metadata: type stalkerware; dns.query; 
content:"androidapk.biz"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000840; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (12d60[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"12d60.appspot.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000841; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (12d60[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"12d60.firebaseio.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000842; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (13-5[.]org)"; metadata: type stalkerware; dns.query; content:"13-5.org"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000843; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (13-5[.]ru)"; metadata: type stalkerware; dns.query; content:"13-5.ru"; depth:7; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000844; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (89685[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"89685.firebaseio.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000845; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (account[.]trackerplus[.]ru)"; metadata: type stalkerware; dns.query; content:"account.trackerplus.ru"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000846; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (and[.]info-taxi[.]info)"; metadata: type stalkerware; dns.query; content:"and.info-taxi.info"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000847; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (best-spy-apps[.]com)"; metadata: type stalkerware; dns.query; content:"best-spy-apps.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000848; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (edlnc255s2q[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"edlnc255s2q.s3.amazonaws.com"; depth:28; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000849; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (ftp[.]info-taxi[.]info)"; metadata: type stalkerware; dns.query; content:"ftp.info-taxi.info"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000850; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (info-taxi[.]info)"; metadata: type stalkerware; dns.query; content:"info-taxi.info"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000851; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (kokum[.]ru)"; metadata: type stalkerware; dns.query; content:"kokum.ru"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000852; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus 
(pi[.]info-taxi[.]info)"; metadata: type stalkerware; dns.query; content:"pi.info-taxi.info"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000853; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (sap4mobile-89685[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"sap4mobile-89685.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000854; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (sap4mobile[.]com)"; metadata: type stalkerware; dns.query; content:"sap4mobile.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000855; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (smartback-12d60[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"smartback-12d60.appspot.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000856; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (smartback-12d60[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"smartback-12d60.firebaseio.com"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000857; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (spy2mobile-bb441[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"spy2mobile-bb441.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000858; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (spy2mobile[.]com)"; metadata: 
type stalkerware; dns.query; content:"spy2mobile.com"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000859; rev:1;)
# Trackplus (continued): remaining DNS query indicators, exact-name match.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (spytomobile[.]com)"; metadata: type stalkerware; dns.query; content:"spytomobile.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000860; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (tagdps[.]ru)"; metadata: type stalkerware; dns.query; content:"tagdps.ru"; depth:9; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000861; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackplus (tfk7r22klf8vtd8g90jq8qno1tpqhmpe[.]apps[.]googleusercontent[.]com)"; metadata: type stalkerware; dns.query; content:"tfk7r22klf8vtd8g90jq8qno1tpqhmpe.apps.googleusercontent.com"; depth:59; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000862; rev:1;)
# IP indicators. `alert ip ... -> [addr] any` fires on any IP traffic from
# $HOME_NET to the address, whatever the protocol or port.
# NOTE(review): these rules are laid out differently from the DNS rules: the
# msg carries the address plus a literal "(stalkerware)", the family name is in
# `metadata: type`, and there is no `reference`. It looks as if name and type
# were swapped when the IP rules were generated; confirm before keying
# dashboards or filters on the metadata value.
# NOTE(review): an address can be reassigned to an unrelated host, so treat
# IP-only hits as lower confidence than a domain hit and revalidate regularly.
alert ip $HOME_NET any -> [185.87.51.116] any (msg:"PTS STALKERWARE 185[.]87[.]51[.]116 (stalkerware)"; metadata: type Trackplus; classtype:targeted-activity; sid:1000863; rev:1;)
alert ip $HOME_NET any -> [139.59.125.208] any (msg:"PTS STALKERWARE 139[.]59[.]125[.]208 (stalkerware)"; metadata: type Trackplus; classtype:targeted-activity; sid:1000864; rev:1;)
# MobileSpy: one DNS indicator, followed by one IP indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobileSpy (api[.]mobilespy[.]at)"; metadata: type stalkerware; dns.query; content:"api.mobilespy.at"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000865; rev:1;)
alert ip $HOME_NET any -> [37.120.162.163] any (msg:"PTS STALKERWARE 37[.]120[.]162[.]163 (stalkerware)"; metadata: type 
MobileSpy; classtype:targeted-activity; sid:1000866; rev:1;)
# WebWatcher: DNS query indicators, each matched as an exact name
# (`depth` = content length, plus `endswith`).
# NOTE(review): apitest.* and data.qa.* look like vendor test/QA endpoints; they
# may rarely be queried by production installs. Verify before relying on them.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (api[.]awarenesstechnologies[.]com)"; metadata: type stalkerware; dns.query; content:"api.awarenesstechnologies.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000867; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (apitest[.]awarenesstechnologies[.]com)"; metadata: type stalkerware; dns.query; content:"apitest.awarenesstechnologies.com"; depth:33; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000868; rev:1;)
# NOTE(review): this is a load-balancer hostname under elb.amazonaws.com that
# embeds a numeric id; presumably the name changes if the balancer is
# recreated, which would silently stale this rule. Confirm it is still live.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (data-webwatcherdata-alb-1451089636[.]us-west-2[.]elb[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"data-webwatcherdata-alb-1451089636.us-west-2.elb.amazonaws.com"; depth:62; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000869; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (data[.]qa[.]webwatcherdata[.]com)"; metadata: type stalkerware; dns.query; content:"data.qa.webwatcherdata.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000870; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (data[.]webwatcherdata[.]com)"; metadata: type stalkerware; dns.query; content:"data.webwatcherdata.com"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000871; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (download[.]webwatcherdata[.]com)"; metadata: type stalkerware; dns.query; content:"download.webwatcherdata.com"; depth:27; 
nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000872; rev:1;)
# WebWatcher (continued). Matching is exact-name only, so the apex
# webwatcherdata.com below is a separate rule from its data./download. hosts.
# The `[.]` defanging appears only in `msg`; `content` holds the real name.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (login[.]webwatcher[.]com)"; metadata: type stalkerware; dns.query; content:"login.webwatcher.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000873; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (rcomlogin[.]com)"; metadata: type stalkerware; dns.query; content:"rcomlogin.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000874; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (screentimelabs[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"screentimelabs.appspot.com"; depth:26; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000875; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (webwatcher-child-app[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"webwatcher-child-app.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000876; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (webwatcherdata[.]com)"; metadata: type stalkerware; dns.query; content:"webwatcherdata.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000877; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (www[.]webwatchernow[.]com)"; metadata: type stalkerware; dns.query; content:"www.webwatchernow.com"; depth:21; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000878; rev:1;)
# WebWatcher: apex counterpart of the www. name matched by sid 1000878.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WebWatcher (webwatchernow[.]com)"; metadata: type stalkerware; dns.query; content:"webwatchernow.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000879; rev:1;)
# NexSpy: DNS query indicators (exact-name match).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NexSpy (my[.]nexspy[.]com)"; metadata: type stalkerware; dns.query; content:"my.nexspy.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000880; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NexSpy (api[.]mobilebackup[.]biz)"; metadata: type stalkerware; dns.query; content:"api.mobilebackup.biz"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000881; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE NexSpy (topzaloha[.]cz)"; metadata: type stalkerware; dns.query; content:"topzaloha.cz"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000882; rev:1;)
# MyCellSpy: one DNS indicator and one IP indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MyCellSpy (api[.]mycellspy[.]com)"; metadata: type stalkerware; dns.query; content:"api.mycellspy.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000883; rev:1;)
# The IP rule names its family only in `metadata: type`; its msg shows the
# address and "(stalkerware)". It matches any protocol and port to the address.
# NOTE(review): addresses get reassigned; revalidate against the upstream list.
alert ip $HOME_NET any -> [47.252.23.40] any (msg:"PTS STALKERWARE 47[.]252[.]23[.]40 (stalkerware)"; metadata: type MyCellSpy; classtype:targeted-activity; sid:1000884; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spylix (api[.]spylix[.]com)"; metadata: type stalkerware; dns.query; content:"api.spylix.com"; depth:14; nocase; 
endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000885; rev:1;)
# Spylix: DNS query indicators (exact-name match), then one IP indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spylix (apidemo[.]spylix[.]com)"; metadata: type stalkerware; dns.query; content:"apidemo.spylix.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000886; rev:1;)
# A single distribution hostname under cloudfront.net; the shared parent
# domain itself is not matched.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spylix (d2nipadu1fr4ne[.]cloudfront[.]net)"; metadata: type stalkerware; dns.query; content:"d2nipadu1fr4ne.cloudfront.net"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000887; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spylix (getspylix[.]io)"; metadata: type stalkerware; dns.query; content:"getspylix.io"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000888; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spylix (my[.]spylix[.]com)"; metadata: type stalkerware; dns.query; content:"my.spylix.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000889; rev:1;)
# NOTE(review): IP-only indicator with no `reference`; the family (Spylix) is
# carried in `metadata: type`, not in msg. Addresses can change owner, so
# confirm this one is still current before treating a hit as high confidence.
alert ip $HOME_NET any -> [52.90.126.68] any (msg:"PTS STALKERWARE 52[.]90[.]126[.]68 (stalkerware)"; metadata: type Spylix; classtype:targeted-activity; sid:1000890; rev:1;)
# MonitorUltra: DNS query indicators.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MonitorUltra (x1panel[.]com)"; metadata: type stalkerware; dns.query; content:"x1panel.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000891; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MonitorUltra (xpcpanel[.]com)"; metadata: type stalkerware; dns.query; 
content:"xpcpanel.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000892; rev:1;)
# MonitorUltra (continued): one more DNS indicator and two IP indicators.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MonitorUltra (monitor-ultra[.]com)"; metadata: type stalkerware; dns.query; content:"monitor-ultra.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000893; rev:1;)
# IP rules match any protocol/port towards the listed address and carry the
# family name in `metadata: type` rather than in msg.
alert ip $HOME_NET any -> [185.2.103.130] any (msg:"PTS STALKERWARE 185[.]2[.]103[.]130 (stalkerware)"; metadata: type MonitorUltra; classtype:targeted-activity; sid:1000894; rev:1;)
alert ip $HOME_NET any -> [80.241.216.14] any (msg:"PTS STALKERWARE 80[.]241[.]216[.]14 (stalkerware)"; metadata: type MonitorUltra; classtype:targeted-activity; sid:1000895; rev:1;)
# SentryPC: DNS query indicators (exact-name match).
# NOTE(review): www.sentrypconline.com is listed, but no rule for the bare
# sentrypconline.com is visible in this part of the file; with exact matching
# an apex lookup would not alert. Check whether that gap is intended.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (sentrypc[.]net)"; metadata: type stalkerware; dns.query; content:"sentrypc.net"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000896; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (spc-runtimes[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"spc-runtimes.s3.amazonaws.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000897; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (www[.]sentrypconline[.]com)"; metadata: type stalkerware; dns.query; content:"www.sentrypconline.com"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000898; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (www[.]sentrypc[.]net)"; metadata: type stalkerware; dns.query; content:"www.sentrypc.net"; depth:16; nocase; endswith; 
fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000899; rev:1;)
# SentryPC (continued): www. hosts only; matching is exact, so the bare
# spclogs.com / sentrypc.download names are not covered by these two rules.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (www[.]spclogs[.]com)"; metadata: type stalkerware; dns.query; content:"www.spclogs.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000900; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SentryPC (www[.]sentrypc[.]download)"; metadata: type stalkerware; dns.query; content:"www.sentrypc.download"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000901; rev:1;)
# IP indicator for SentryPC (family name is in `metadata: type`).
alert ip $HOME_NET any -> [108.178.9.124] any (msg:"PTS STALKERWARE 108[.]178[.]9[.]124 (stalkerware)"; metadata: type SentryPC; classtype:targeted-activity; sid:1000902; rev:1;)
# TheWiSpy: one DNS indicator and one IP indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE TheWiSpy (cp[.]thewispy[.]com)"; metadata: type stalkerware; dns.query; content:"cp.thewispy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000903; rev:1;)
# NOTE(review): IP rules have no `reference` and no expiry; an address that has
# moved to another owner will keep alerting. Revalidate periodically.
alert ip $HOME_NET any -> [167.71.189.163] any (msg:"PTS STALKERWARE 167[.]71[.]189[.]163 (stalkerware)"; metadata: type TheWiSpy; classtype:targeted-activity; sid:1000904; rev:1;)
# Observer: a single app hostname under back4app.io.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Observer (observer[.]back4app[.]io)"; metadata: type stalkerware; dns.query; content:"observer.back4app.io"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000905; rev:1;)
# Mrecorder: DNS query indicators begin here.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (d1gslyvqtipqvi[.]cloudfront[.]net)"; metadata: type stalkerware; dns.query; content:"d1gslyvqtipqvi.cloudfront.net"; depth:29; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000906; rev:1;)
# Mrecorder (continued): cloudfront.net distribution hostnames and mrec24.com
# hosts, each matched as an exact query name.
# Coverage note: `dns.query` is only populated from DNS traffic the sensor can
# parse, so lookups made over encrypted DNS (DoH/DoT) never reach these rules.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (d24lo6rmha82nf[.]cloudfront[.]net)"; metadata: type stalkerware; dns.query; content:"d24lo6rmha82nf.cloudfront.net"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000907; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (d3g4zswpacwtfb[.]cloudfront[.]net)"; metadata: type stalkerware; dns.query; content:"d3g4zswpacwtfb.cloudfront.net"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000908; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (data240[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"data240.mrec24.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000909; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (data241[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"data241.mrec24.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000910; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (disp2[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"disp2.mrec24.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000911; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (dispatcher[.]mrecorder[.]com)"; metadata: type stalkerware; dns.query; content:"dispatcher.mrecorder.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000912; rev:1;)
# Mrecorder (continued). Numbered hosts such as data240/data241 and
# package/package2 are enumerated one rule each because matching is exact;
# NOTE(review): a sibling host outside the enumerated set (another number)
# would not alert. Consider whether a suffix match on mrec24.com is wanted.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (mobi22[.]com)"; metadata: type stalkerware; dns.query; content:"mobi22.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000913; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (mobilerecorder-1277[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"mobilerecorder-1277.firebaseio.com"; depth:34; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000914; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"mrec24.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000915; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (my[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"my.mrec24.com"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000916; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (package[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"package.mrec24.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000917; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder (package2[.]mrec24[.]com)"; metadata: type stalkerware; dns.query; content:"package2.mrec24.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000918; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Mrecorder 
(project-7991479181228723357[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"project-7991479181228723357.firebaseio.com"; depth:42; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000919; rev:1;)
# PhoneSpy: only IP indicators are visible for this family in this part of the
# file, so detection rests on two addresses staying current.
# NOTE(review): the family name appears only in `metadata: type`; the msg shows
# the address and "(stalkerware)". Triage on IP alone is weak: confirm the
# address is still attributed upstream before acting on a hit.
alert ip $HOME_NET any -> [103.147.225.210] any (msg:"PTS STALKERWARE 103[.]147[.]225[.]210 (stalkerware)"; metadata: type PhoneSpy; classtype:targeted-activity; sid:1000920; rev:1;)
alert ip $HOME_NET any -> [175.126.146.147] any (msg:"PTS STALKERWARE 175[.]126[.]146[.]147 (stalkerware)"; metadata: type PhoneSpy; classtype:targeted-activity; sid:1000921; rev:1;)
# ShadySpy: one DNS indicator (www. host only) and one IP indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE ShadySpy (www[.]shadyspy[.]com)"; metadata: type stalkerware; dns.query; content:"www.shadyspy.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000922; rev:1;)
alert ip $HOME_NET any -> [45.79.149.154] any (msg:"PTS STALKERWARE 45[.]79[.]149[.]154 (stalkerware)"; metadata: type ShadySpy; classtype:targeted-activity; sid:1000923; rev:1;)
# AbsoluTrack: DNS query indicators (exact-name match).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (absolutesoftsystem[.]in)"; metadata: type stalkerware; dns.query; content:"absolutesoftsystem.in"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000924; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (ass[.]absolutesoftsystem[.]in)"; metadata: type stalkerware; dns.query; content:"ass.absolutesoftsystem.in"; depth:25; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000925; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (thiefguardbd[.]com)"; metadata: type stalkerware; dns.query; content:"thiefguardbd.com"; depth:16; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000926; rev:1;)
# AbsoluTrack (continued): firebaseio.com project hostnames and a test. host.
# NOTE(review): names such as antitheft-* / remotesecurity* suggest an
# anti-theft product; an alert shows the app talking to its backend, not who
# installed it or why. Triage guidance should say so.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (antitheft-88554[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"antitheft-88554.firebaseio.com"; depth:30; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000927; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (remotesecurity-629f2[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"remotesecurity-629f2.firebaseio.com"; depth:35; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000928; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (test[.]onetouchsecurities[.]com)"; metadata: type stalkerware; dns.query; content:"test.onetouchsecurities.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000929; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE AbsoluTrack (remotesecurityots[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"remotesecurityots.firebaseio.com"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000930; rev:1;)
# SmartKeylogger: a single DNS indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SmartKeylogger (awamisolution[.]com)"; metadata: type stalkerware; dns.query; content:"awamisolution.com"; depth:17; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000931; rev:1;)
# Traccar: DNS indicators begin here.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Traccar (traccar-client-app[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"traccar-client-app.firebaseio.com"; depth:33; 
nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000932; rev:1;)
# NOTE(review): traccar.org is, as far as I know, the project site of the
# open-source Traccar GPS tracking platform, so a lookup of it may come from
# ordinary browsing or legitimate fleet/asset tracking. Expect false positives
# and confirm the intended handling with whoever consumes these alerts.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Traccar (traccar[.]org)"; metadata: type stalkerware; dns.query; content:"traccar.org"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000933; rev:1;)
# SpyNote: a single DNS indicator.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyNote (spynote[.]us)"; metadata: type stalkerware; dns.query; content:"spynote.us"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000934; rev:1;)
# MobiStealth: DNS query indicators; apex and www./dwn. hosts are separate
# rules because each rule matches one exact name.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobiStealth (einformatiks[.]com)"; metadata: type stalkerware; dns.query; content:"einformatiks.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000935; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobiStealth (www[.]einformatiks[.]com)"; metadata: type stalkerware; dns.query; content:"www.einformatiks.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000936; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobiStealth (dwn[.]vys[.]me)"; metadata: type stalkerware; dns.query; content:"dwn.vys.me"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000937; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MobiStealth (www[.]vys[.]me)"; metadata: type stalkerware; dns.query; content:"www.vys.me"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000938; rev:1;)
alert dns $HOME_NET any -> any any 
(msg:"PTS STALKERWARE MobiStealth (vys[.]me)"; metadata: type stalkerware; dns.query; content:"vys.me"; depth:6; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000939; rev:1;)
# Short names such as vys.me (above) and pgv4.com (below) depend on the
# `depth` + `endswith` pair for precision: `depth` pins the content to the
# start of the query and `endswith` to its end. Dropping either keyword would
# let the pattern match inside longer, unrelated names; keep both when editing.
# Trackji / XDSpy: one DNS indicator each.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Trackji (trackji[.]com)"; metadata: type stalkerware; dns.query; content:"trackji.com"; depth:11; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000940; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XDSpy (app[.]xdspy[.]app)"; metadata: type stalkerware; dns.query; content:"app.xdspy.app"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000941; rev:1;)
# SpyApp: apex plus x. and www. hosts.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (x[.]pgv4[.]com)"; metadata: type stalkerware; dns.query; content:"x.pgv4.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000942; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (pgv4[.]com)"; metadata: type stalkerware; dns.query; content:"pgv4.com"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000943; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (www[.]pgv4[.]com)"; metadata: type stalkerware; dns.query; content:"www.pgv4.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000944; rev:1;)
# MySpyApps: a single firebaseio.com project hostname.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MySpyApps (my-spy-a9c92[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"my-spy-a9c92.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000945; rev:1;)
# OneSpy: DNS query indicators (exact-name match). Only the android./web./sse.
# hosts of chyldmonitor.com are listed; the apex and any other host of that
# domain are not covered by the rules visible here.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneSpy (api[.]cp[.]onemonitar[.]com)"; metadata: type stalkerware; dns.query; content:"api.cp.onemonitar.com"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000946; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneSpy (onespy-in-196211[.]firebaseio[.]com)"; metadata: type stalkerware; dns.query; content:"onespy-in-196211.firebaseio.com"; depth:31; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000947; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneSpy (android[.]chyldmonitor[.]com)"; metadata: type stalkerware; dns.query; content:"android.chyldmonitor.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000948; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneSpy (web[.]chyldmonitor[.]com)"; metadata: type stalkerware; dns.query; content:"web.chyldmonitor.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000949; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE OneSpy (sse[.]chyldmonitor[.]com)"; metadata: type stalkerware; dns.query; content:"sse.chyldmonitor.com"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000950; rev:1;)
# WheresMyDroid: a single appspot.com application hostname.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WheresMyDroid (wmdcommander[.]appspot[.]com)"; metadata: type stalkerware; dns.query; content:"wmdcommander.appspot.com"; depth:24; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000951; rev:1;)
classtype:targeted-activity; sid:1000951; rev:1;)
# WiseMo: DNS query indicators (exact-name match).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WiseMo (mycloud[.]wisemo[.]com)"; metadata: type stalkerware; dns.query; content:"mycloud.wisemo.com"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000952; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WiseMo (mycloud1[.]wisemo[.]com)"; metadata: type stalkerware; dns.query; content:"mycloud1.wisemo.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000953; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE WiseMo (mtracker[.]fortess[.]net)"; metadata: type stalkerware; dns.query; content:"mtracker.fortess.net"; depth:20; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000954; rev:1;)
# FindMyKids: DNS query indicators.
# NOTE(review): every rule in this file uses `classtype:targeted-activity`, so
# a family whose name suggests a family-locator product is prioritised the same
# as covert spyware. A hit shows the app is present on the device, not whether
# its use is consensual; make sure the alert handling reflects that.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyKids (api[.]findmykids[.]org)"; metadata: type stalkerware; dns.query; content:"api.findmykids.org"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000955; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyKids (r[.]findmykids[.]org)"; metadata: type stalkerware; dns.query; content:"r.findmykids.org"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000956; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyKids (wss[.]findmykids[.]org)"; metadata: type stalkerware; dns.query; content:"wss.findmykids.org"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000957; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE FindMyKids 
(where-is-my-children[.]firebase[.]io)"; metadata: type stalkerware; dns.query; content:"where-is-my-children.firebase.io"; depth:32; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000958; rev:1;)
# NOTE(review): sid 1000958 (completed on the line above) matches a name ending
# in firebase.io, whereas the other Firebase indicators in this file end in
# firebaseio.com. With exact-name matching a mistyped indicator never fires, so
# confirm this spelling against the upstream indicator list.
# MagMonitor: DNS query indicators (exact-name match).
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MagMonitor (www[.]maglook[.]eu)"; metadata: type stalkerware; dns.query; content:"www.maglook.eu"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000959; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MagMonitor (maglook[.]eu)"; metadata: type stalkerware; dns.query; content:"maglook.eu"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000960; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MagMonitor (ue[.]maglook[.]eu)"; metadata: type stalkerware; dns.query; content:"ue.maglook.eu"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000961; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MagMonitor (uf[.]maglook[.]eu)"; metadata: type stalkerware; dns.query; content:"uf.maglook.eu"; depth:13; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000962; rev:1;)
# BrunoEspiao: DNS query indicators begin here.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (back[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"back.brunoespiao.com.br"; depth:23; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000963; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (brunoespiao[.]com)"; metadata: type stalkerware; dns.query; content:"brunoespiao.com"; depth:15; nocase; 
endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000964; rev:1;)
# BrunoEspiao (continued): the apex brunoespiao.com.br and its short-label
# hosts, one exact-name rule per host.
# NOTE(review): with this many single-domain rules per family, a suffix match
# or a Suricata `dataset` lookup on dns.query might be easier to maintain and
# would also catch hosts that are not enumerated; that is a design choice to
# confirm with the ruleset maintainers, not a defect in these rules.
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"brunoespiao.com.br"; depth:18; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000965; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (im[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"im.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000966; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (pc[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"pc.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000967; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (pc1[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"pc1.brunoespiao.com.br"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000968; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (ua[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"ua.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000969; rev:1;)
alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (ue[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"ue.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000970; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (uf[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"uf.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000971; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (uf1[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"uf1.brunoespiao.com.br"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000972; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (ur[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"ur.brunoespiao.com.br"; depth:21; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000973; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (www[.]brunoespiao[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"www.brunoespiao.com.br"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000974; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE BrunoEspiao (brunoespiao2[.]s3[.]amazonaws[.]com)"; metadata: type stalkerware; dns.query; content:"brunoespiao2.s3.amazonaws.com"; depth:29; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000975; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spyone (pc[.]spyone[.]pl)"; metadata: type stalkerware; dns.query; content:"pc.spyone.pl"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; 
classtype:targeted-activity; sid:1000976; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spyone (ur[.]spyone[.]pl)"; metadata: type stalkerware; dns.query; content:"ur.spyone.pl"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000977; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spyone (laucass[.]forumactif[.]org)"; metadata: type stalkerware; dns.query; content:"laucass.forumactif.org"; depth:22; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000978; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE eagleSPY (eaglespy[.]com[.]br)"; metadata: type stalkerware; dns.query; content:"eaglespy.com.br"; depth:15; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000979; rev:1;) alert ip $HOME_NET any -> [201.33.21.62] any (msg:"PTS STALKERWARE 201[.]33[.]21[.]62 (stalkerware)"; metadata: type eagleSPY; classtype:targeted-activity; sid:1000980; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE PhoneMonitor (users[.]thephonem[.]com)"; metadata: type stalkerware; dns.query; content:"users.thephonem.com"; depth:19; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000981; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spynger (my[.]spynger[.]net)"; metadata: type stalkerware; dns.query; content:"my.spynger.net"; depth:14; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000982; rev:1;) alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE Spynger (ios-gw[.]spynger[.]net)"; metadata: type stalkerware; dns.query; content:"ios-gw.spynger.net"; depth:18; nocase; endswith; fast_pattern; 
reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000983; rev:1;)