rule bulwark_https_bulwarkblack_com_unc3753_vishing_rmm_physical_intrusions_law_firms
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:58:03Z"
        tlp = "TLP:CLEAR"
        indicator_count = "13"
    strings:
        $s0 = "business-data-leaks.com" ascii wide nocase  // Domains
        $s1 = "privnote.com" ascii wide nocase  // Domains
        $s2 = "helpdesk.com" ascii wide nocase  // URLs
        $s3 = "https://business-data-leaks.com" ascii wide nocase  // URLs
        $s4 = "it.com" ascii wide nocase  // URLs
        $s5 = "itdesk.com" ascii wide nocase  // URLs
        $s6 = "174.169.162.62" ascii wide nocase  // IPv4
        $s7 = "192.236.146.173" ascii wide nocase  // IPv4
        $s8 = "192.236.147.131" ascii wide nocase  // IPv4
        $s9 = "192.236.147.138" ascii wide nocase  // IPv4
        $s10 = "192.236.154.158" ascii wide nocase  // IPv4
        $s11 = "193.141.60.212" ascii wide nocase  // IPv4
        $s12 = "64.94.84.97" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
