Ruleset Update Summary - 2025/02/03 - v10851

Summary:

66 new OPEN, 95 new PRO (66 + 29)


Added rules:

Open:

  • 2059808 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abdibingjwhs .click) (malware.rules)
  • 2059809 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abdibingjwhs .click in TLS SNI) (malware.rules)
  • 2059810 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (adventureseekerstop .top) (malware.rules)
  • 2059811 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (adventureseekerstop .top in TLS SNI) (malware.rules)
  • 2059812 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ecofriendl .top) (malware.rules)
  • 2059813 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ecofriendl .top in TLS SNI) (malware.rules)
  • 2059814 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rollinsccred .biz) (malware.rules)
  • 2059815 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rollinsccred .biz in TLS SNI) (malware.rules)
  • 2059816 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (winnyhelplejsu .shop) (malware.rules)
  • 2059817 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (winnyhelplejsu .shop in TLS SNI) (malware.rules)
  • 2059818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (believezioep .com) (malware.rules)
  • 2059819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (believezioep .com in TLS SNI) (malware.rules)
  • 2059820 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bookwormstop .top) (malware.rules)
  • 2059821 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bookwormstop .top in TLS SNI) (malware.rules)
  • 2059822 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cabbagepattof .net) (malware.rules)
  • 2059823 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cabbagepattof .net in TLS SNI) (malware.rules)
  • 2059824 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clammypunero .com) (malware.rules)
  • 2059825 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clammypunero .com in TLS SNI) (malware.rules)
  • 2059826 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deliciousrecspes .top) (malware.rules)
  • 2059827 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deliciousrecspes .top in TLS SNI) (malware.rules)
  • 2059828 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dreambjig .top) (malware.rules)
  • 2059829 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dreambjig .top in TLS SNI) (malware.rules)
  • 2059830 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (entrepreneurstop .top) (malware.rules)
  • 2059831 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (entrepreneurstop .top in TLS SNI) (malware.rules)
  • 2059832 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garderjjerop .com) (malware.rules)
  • 2059833 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (garderjjerop .com in TLS SNI) (malware.rules)
  • 2059834 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plasticreie .com) (malware.rules)
  • 2059835 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (plasticreie .com in TLS SNI) (malware.rules)
  • 2059836 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shunstriderk .net) (malware.rules)
  • 2059837 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shunstriderk .net in TLS SNI) (malware.rules)
  • 2059838 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skirtgrippys .com) (malware.rules)
  • 2059839 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (skirtgrippys .com in TLS SNI) (malware.rules)
  • 2059840 - ET POLICY Contec Health CMS8000 Patient Monitor Insecure Default HL7 Protocol Server IP (CVE-2025-0626) (policy.rules)
  • 2059841 - ET POLICY Contec Health CMS8000 Patient Monitor Insecure Default CMS Protocol Server IP (CVE-2025-0626) (policy.rules)
  • 2059842 - ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607) (web_specific_apps.rules)
  • 2059843 - ET WEB_SPECIFIC_APPS SimpleHelp Support Server Unauthenticated Path Traversal (serverconfig.xml) (CVE-2024-57727) (web_specific_apps.rules)
  • 2059844 - ET INFO DYNAMIC_DNS Query to a *.ibernoticias .com domain (info.rules)
  • 2059845 - ET INFO DYNAMIC_DNS HTTP Request to a *.ibernoticias .com domain (info.rules)
  • 2059846 - ET MALWARE Win32/IcedID CnC Domain in DNS Lookup (toughflatlying .com) (malware.rules)
  • 2059847 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (PersonalFinanceAdvice .biz) (malware.rules)
  • 2059848 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (PersonalFinanceAdvice .biz in TLS SNI) (malware.rules)
  • 2059849 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (azurgewhisper .hair) (malware.rules)
  • 2059850 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (azurgewhisper .hair in TLS SNI) (malware.rules)
  • 2059851 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (culinarydelighytts .top) (malware.rules)
  • 2059852 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (culinarydelighytts .top in TLS SNI) (malware.rules)
  • 2059853 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enchanutedmeadow .hair) (malware.rules)
  • 2059854 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enchanutedmeadow .hair in TLS SNI) (malware.rules)
  • 2059855 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (encirelk .cyou) (malware.rules)
  • 2059856 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (encirelk .cyou in TLS SNI) (malware.rules)
  • 2059857 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fitnessgurustop .top) (malware.rules)
  • 2059858 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fitnessgurustop .top in TLS SNI) (malware.rules)
  • 2059859 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (minlliving .biz) (malware.rules)
  • 2059860 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (minlliving .biz in TLS SNI) (malware.rules)
  • 2059861 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thingspouter .top) (malware.rules)
  • 2059862 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thingspouter .top in TLS SNI) (malware.rules)
  • 2059863 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (warlikedbeliev .org) (malware.rules)
  • 2059864 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (warlikedbeliev .org in TLS SNI) (malware.rules)
  • 2059865 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (idioinc .com) (exploit_kit.rules)
  • 2059866 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (idioinc .com) (exploit_kit.rules)
  • 2059867 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (newgoodfoodmarket .com) (exploit_kit.rules)
  • 2059868 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (newgoodfoodmarket .com) (exploit_kit.rules)
  • 2059869 - ET MALWARE SocGholish CnC Domain in DNS Lookup (btctrading .crestlinesolutions .work) (malware.rules)
  • 2059870 - ET MALWARE SocGholish CnC Domain in TLS SNI (btctrading .crestlinesolutions .work) (malware.rules)
  • 2059871 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vbcsd .top) (exploit_kit.rules)
  • 2059872 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vbcsd .top) (exploit_kit.rules)
  • 2059873 - ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Unauthorized XML External Entity (CVE-2024-37397) (web_specific_apps.rules)

Pro:

  • 2859862 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859863 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859864 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859865 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859866 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859867 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859868 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859869 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859870 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859871 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859872 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859873 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859874 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859875 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859876 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859877 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859878 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859879 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859880 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859881 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859882 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859883 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859884 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859885 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859886 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859887 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2859888 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859889 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859890 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2023611 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107 (malware.rules)

Disabled and modified rules:

  • 2058017 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bfd78 .biz) (exploit_kit.rules)
  • 2058018 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (zeroassoluto .biz) (exploit_kit.rules)
  • 2058019 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (best-net .biz) (exploit_kit.rules)
  • 2058020 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aquabaru .online) (exploit_kit.rules)
  • 2058021 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chudautu .info) (exploit_kit.rules)
  • 2058022 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bfd78 .biz) (exploit_kit.rules)
  • 2058023 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (zeroassoluto .biz) (exploit_kit.rules)
  • 2058024 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (best-net .biz) (exploit_kit.rules)
  • 2058025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aquabaru .online) (exploit_kit.rules)
  • 2058026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chudautu .info) (exploit_kit.rules)
  • 2058035 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .trc20 .kcgrocks .com) (malware.rules)
  • 2058049 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (q8ds .net) (exploit_kit.rules)
  • 2058050 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (q8ds .net) (exploit_kit.rules)
  • 2058065 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (renqidm .info) (exploit_kit.rules)
  • 2058066 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (renqidm .info) (exploit_kit.rules)
  • 2058088 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (opravy .biz) (exploit_kit.rules)
  • 2058089 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (space-cadet .info) (exploit_kit.rules)
  • 2058090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (wanconyan .co) (exploit_kit.rules)
  • 2058091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bentia .info) (exploit_kit.rules)
  • 2058092 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (opravy .biz) (exploit_kit.rules)
  • 2058093 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (space-cadet .info) (exploit_kit.rules)
  • 2058094 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (wanconyan .co) (exploit_kit.rules)
  • 2058095 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bentia .info) (exploit_kit.rules)
  • 2058097 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .law .kimsavagelaw .com) (malware.rules)
  • 2058099 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (chewels .com) (exploit_kit.rules)
  • 2058100 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (chewels .com) (exploit_kit.rules)
  • 2059297 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .regular .ptbaconsulting .com) (malware.rules)
  • 2059298 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .regular .ptbaconsulting .com) (malware.rules)
  • 2859587 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859606 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859607 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859608 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859620 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859625 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859626 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859856 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)