rule bulwark_https_bulwarkblack_com_microsoft_exposes_dns_based_clickfix_attack_nslookup_commands_use
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T16:06:21Z"
        tlp = "TLP:CLEAR"
        indicator_count = "3"
    strings:
        $s0 = "azwsappdev.com" ascii wide nocase  // Domains
        $s1 = "raxelpak.com" ascii wide nocase  // Domains
        $s2 = "testdomain123123.shop" ascii wide nocase  // Domains
    condition:
        any of ($s*)
}
