<![CDATA[Wave-2 Pterodo beacon URL pattern (n=14 samples since 2026-02):]]>Wave-2 Pterodo beacon URL pattern (n=14 samples since 2026-02):

/(Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua|U)?-DD-MM → 212.193.20.110

5 of 6 verbs carry double-letter alliteration (vv/Ss/kk/pp/uu) — same operator habit as the 2022-23 `j-j-j` URL generator + the alliterative *orious.ru / *mucoris.ru apex naming Talos/Symantec documented years ago. Three years later, same fingerprint.

Bare-IP + plain HTTP + no TLS = SNI inspection won't catch it. Block 212.193.20.110 directly.

Suricata draft rules: github.com/palianytsia-200/U-OB-KY/blob/main/rules/pterodo-wave2-beacon.rules

]]>https://board.circlewithadot.net/topic/7727b7ee-2185-4f39-a214-7f73be8be2b4/wave-2-pterodo-beacon-url-pattern-n-14-samples-since-2026-02RSS for NodeFri, 15 May 2026 02:44:18 GMTThu, 14 May 2026 13:00:00 GMT60