rule bulwark_https_bulwarkblack_com_apt28_exploited_cve_2026_21513_mshtml_zero_day_as_attack_vector_b
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:30:08Z"
        tlp = "TLP:CLEAR"
        indicator_count = "1"
    strings:
        $s0 = "wellnesscaremed.com" ascii wide nocase  // Domains
    condition:
        any of ($s*)
}
