rule bulwark_https_bulwarkblack_com_physical_mail_phishing_targets_trezor_and_ledger_users_attackers_
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:56:43Z"
        tlp = "TLP:CLEAR"
        indicator_count = "8"
    strings:
        $s0 = "ledger.setuptransactioncheck.com" ascii wide nocase  // Domains
        $s1 = "trezor.authentication-check.io" ascii wide nocase  // Domains
        $s2 = "authentication-check.io/" ascii wide nocase  // URLs
        $s3 = "authentication-check.io/black/api/send.php" ascii wide nocase  // URLs
        $s4 = "https://ledger.setuptransactioncheck.com/" ascii wide nocase  // URLs
        $s5 = "https://trezor.authentication-check.io/" ascii wide nocase  // URLs
        $s6 = "https://trezor.authentication-check.io/black/api/send.php" ascii wide nocase  // URLs
        $s7 = "setuptransactioncheck.com/" ascii wide nocase  // URLs
    condition:
        any of ($s*)
}
