Base64 Encoded Remote Code Execution via Raw IP - ATR-2026-00220 (ff1594a4-5898-5b4f-95f9-9c884f9d07e5)
Detects Base64-encoded payloads that decode to curl commands fetching executable content from raw IP addresses, then piping to bash for execution. This pattern is characteristic of malware droppers and supply chain attacks that disguise malicious installation commands.