rule bulwark_https_bulwarkblack_com_how_to_protect_evilginx_using_cloudflare_and_html_obfuscation
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:31:58Z"
        tlp = "TLP:CLEAR"
        indicator_count = "7"
    strings:
        $s0 = "academy.breakdev.org" ascii wide nocase  // Domains
        $s1 = "help.evilginx.com" ascii wide nocase  // Domains
        $s2 = "index.ht" ascii wide nocase  // Domains
        $s3 = "www.r-tec.net" ascii wide nocase  // Domains
        $s4 = "https://academy.breakdev.org/evilginx-mastery" ascii wide nocase  // URLs
        $s5 = "https://help.evilginx.com/docs/category/getting-started" ascii wide nocase  // URLs
        $s6 = "https://www.r-tec.net/r-tec-blog-evade-signature-based-phishing-detections.html" ascii wide nocase  // URLs
    condition:
        any of ($s*)
}
