Wave-2 Pterodo beacon URL pattern (n=14 samples since 2026-02):
/(Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua|U)?-DD-MM → 212.193.20.110
5 of 6 verbs carry double-letter alliteration (vv/Ss/kk/pp/uu) — same operator habit as the 2022-23 `j-j-j` URL generator + the alliterative *orious.ru / *mucoris.ru apex naming Talos/Symantec documented years ago. Three years later, same fingerprint.
Bare-IP + plain HTTP + no TLS = SNI inspection won't catch it. Block 212.193.20.110 directly.
Suricata draft rules: github.com/palianytsia-200/U-OB-KY/blob/main/rules/pterodo-wave2-beacon.rules
relay@relay.infosec.exchange shared this topic
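A detection sketch for the URL pattern above, added here as an example and not part of the post or the linked rule set. It assumes the `DD-MM` suffix stands for two-digit day and month fields, uses a constructed proxy-log format (`src dst scheme host path`), and takes the C2 address from the post.

```python
import re
from ipaddress import ip_address

# Beacon path from the post: /(Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua|U)?-DD-MM
# Assumption: DD-MM are two-digit day and month fields, matched here as \d{2}.
BEACON_PATH = re.compile(
    r"^/(?:Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(?:Htm|Ua|U)?-(\d{2})-(\d{2})$"
)
C2_IP = "212.193.20.110"  # address given in the post

# Constructed sample proxy log lines (not real traffic): src dst scheme host path
SAMPLE_LOG = """\
10.0.0.5 212.193.20.110 http 212.193.20.110 /SvvrHtm-14-03
10.0.0.7 93.184.216.34 https example.com /index.html
10.0.0.9 212.193.20.110 http 212.193.20.110 /Akk-02-04
10.0.0.9 212.193.20.110 http 212.193.20.110 /Svvr-99-03
10.0.0.3 198.51.100.20 http 198.51.100.20 /GppsUa-01-05
"""


def is_bare_ip(host):
    """True when the Host value is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return ('c2', reason), ('suspicious', reason) or None for one log line."""
    src, dst, scheme, host, path = line.split()
    m = BEACON_PATH.match(path)
    if not m:
        return None
    day, month = int(m.group(1)), int(m.group(2))
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return None  # verb matches but the date fields are not plausible
    if dst == C2_IP:
        return ("c2", f"{src} -> {dst}{path}: wave-2 beacon path to known C2")
    if scheme == "http" and is_bare_ip(host):
        # Same path shape, plain HTTP, bare IP: worth a look even without a known C2
        return ("suspicious", f"{src} -> {dst}{path}: beacon-shaped path over HTTP to bare IP")
    return None


def scan(log):
    """Run classify() over every non-empty log line and keep the hits."""
    return [hit for hit in (classify(l) for l in log.splitlines() if l.strip()) if hit]
```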