diff --git a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
new file mode 100644
index 000000000..f127888cc
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
@@ -0,0 +1,33 @@
+title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+id: e99375eb-3ee0-407a-9f90-79569cc6a01c
+status: experimental
+description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+references:
+    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
+author: Arda Buyukkaya (EclecticIQ)
+date: 2025-02-11
+tags:
+    - attack.command-and-control
+    - attack.t1090
+    - attack.t1573
+    - attack.t1071.001
+    - attack.t1059.001
+    - attack.s0183
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\curl.exe'
+    selection_socks:
+        CommandLine|contains:
+            - 'socks5h://'
+            - 'socks5://'
+            - 'socks4a://'
+    selection_onion:
+        CommandLine|contains: '.onion'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
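Review bot: `selection_img` keys only on `Image|endswith: '\curl.exe'`, so a renamed or re-dropped curl binary (the trojanized-installer delivery in the reference makes that cheap) never enters the rule; the usual SigmaHQ pattern is to OR in `OriginalFileName: 'curl.exe'`, which survives a rename because it comes from the PE version resource. `selection_socks` is also narrower than curl's own proxy syntax: `socks4://` is absent, and curl takes the proxy type as options (`--socks5-hostname`, `--socks5`, `--socks4a`, `--socks4`) with no `socks…://` scheme on the command line at all, and `socks5h` is precisely the mode an operator needs for `.onion` names to resolve through Tor, so the option form is a likely real-world variant. Worth a caveat in `description` or `falsepositives` that the proxy can also be supplied via `-K`/`--config` or the `ALL_PROXY`/`https_proxy` environment, which this process-creation rule cannot see, and that researchers and OSINT tooling do fetch `.onion` URLs via curl legitimately, so "Unlikely" is optimistic. Minor: `attack.t1059.001` (PowerShell) does not follow from a curl.exe process-creation match.
```yaml
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_socks:
        CommandLine|contains:
            - 'socks5h://'
            - 'socks5://'
            - 'socks4a://'
            - 'socks4://'
            - '--socks5'
            - '--socks4'
    # … unchanged: selection_onion, condition …
```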