rule bulwark_https_bulwarkblack_com_metro4shell_critical_react_native_cli_vulnerability_actively_expl
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T16:06:21Z"
        tlp = "TLP:CLEAR"
        indicator_count = "3"
    strings:
        $s0 = "134.209.69.155" ascii wide nocase  // IPv4
        $s1 = "223.6.249.141" ascii wide nocase  // IPv4
        $s2 = "5.109.182.231" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
