// Flags files whose first eight bytes equal a fixed byte sequence that the
// rule's description attributes to Moonlight Maze encrypted keylogger logs.
// Per that description the target is the keylogger's output file, not the
// keylogger binary itself.
// NOTE(review): the rule name keeps its original spelling ("keyloger"), because
// other rulesets or alert pipelines may reference the identifier.
rule malware_windows_moonlightmaze_encrypted_keyloger
{
    meta:
        description = "Rule to detect Moonlight Maze encrypted keylogger logs"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        author = "Kaspersky Lab"

    strings:
        // Eight-byte sequence expected at the very start of the file.
        // NOTE(review): presumably a constant header of the encrypted log;
        // confirm against the reference before relying on that reading.
        $log_header = { 47 01 22 2A 6D 3E 39 2C }

    condition:
        // Anchored at offset 0, so the same bytes deeper in a file do not match.
        // The signature is only eight bytes long and there is no size or
        // file-type constraint, so corroborate a hit with host context
        // (file path, creating process, timestamps) before escalating.
        $log_header at 0
}