Ruleset Update Summary - 2025/02/07 - v10855

rulesbot · February 7, 2025, 10:09pm

Summary:

34 new OPEN, 38 new PRO (34 + 4)

Thanks @Fortinet

Added rules:

Open:

2059945 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jakker-udsalg .top) (exploit_kit.rules)
2059946 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (websitedirectory .top) (exploit_kit.rules)
2059947 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pilulespascher .top) (exploit_kit.rules)
2059948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jakker-udsalg .top) (exploit_kit.rules)
2059949 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (websitedirectory .top) (exploit_kit.rules)
2059950 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pilulespascher .top) (exploit_kit.rules)
2059951 - ET MALWARE SocGholish CnC Domain in DNS Lookup (hub .unlimitedcashflowevent .com) (malware.rules)
2059952 - ET MALWARE SocGholish CnC Domain in TLS SNI (hub .unlimitedcashflowevent .com) (malware.rules)
2059953 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (telback .com) (exploit_kit.rules)
2059954 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (telback .com) (exploit_kit.rules)
2059955 - ET ADWARE_PUP Onestart AI Host Profile Checkin (POST) (adware_pup.rules)
2059956 - ET ADWARE_PUP Onestart AI Program Version Checkin (POST) (adware_pup.rules)
2059957 - ET MALWARE Winos4.0 Framework CnC Checkin (x32.) (malware.rules)
2059958 - ET INFO DYNAMIC_DNS Query to a *.mounthoodlodges .com domain (info.rules)
2059959 - ET INFO DYNAMIC_DNS HTTP Request to a *.mounthoodlodges .com domain (info.rules)
2059960 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (glibvisitiru .click) (malware.rules)
2059961 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (glibvisitiru .click in TLS SNI) (malware.rules)
2059962 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (muscleinitai .biz) (malware.rules)
2059963 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (muscleinitai .biz in TLS SNI) (malware.rules)
2059964 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (permussiduebuz .shop) (malware.rules)
2059965 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (permussiduebuz .shop in TLS SNI) (malware.rules)
2059966 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (radiantqwuest .top) (malware.rules)
2059967 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (radiantqwuest .top in TLS SNI) (malware.rules)
2059968 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (warmwhearts .cloud) (malware.rules)
2059969 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (warmwhearts .cloud in TLS SNI) (malware.rules)
2059970 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weardawwerz .shop) (malware.rules)
2059971 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weardawwerz .shop in TLS SNI) (malware.rules)
2059972 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zsilvermoonbeam .hair) (malware.rules)
2059973 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zsilvermoonbeam .hair in TLS SNI) (malware.rules)
2059974 - ET MALWARE Winos4.0 Framework Fake BMP Download Containing XOR encoded .dll (malware.rules)
2059975 - ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response (malware.rules)
2059976 - ET MALWARE Winos4.0 Framework CnC Domain in DNS Lookup (ad59t82g .com) (malware.rules)
2059977 - ET MALWARE Observed Winos4.0 Framework CnC Domain (ad59t82g .com in TLS SNI) (malware.rules)
2059978 - ET INFO Lovable AI Generated Landing Page 2025-02-07 (info.rules)

Pro:

2860191 - ETPRO PHISHING TA453 Phishing CnC Activity (POST) (phishing.rules)
2860192 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2860193 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2860194 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

2058121 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tasteofgoodness .info) (exploit_kit.rules)
2058122 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (casibom .cyou) (exploit_kit.rules)
2058123 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dcaa .info) (exploit_kit.rules)
2058125 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tasteofgoodness .info) (exploit_kit.rules)
2058126 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (casibom .cyou) (exploit_kit.rules)
2058127 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dcaa .info) (exploit_kit.rules)
2058128 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (coeshor .com) (exploit_kit.rules)
2058129 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (coeshor .com) (exploit_kit.rules)
2058149 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (iognews .com) (exploit_kit.rules)
2058150 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (habfan .com) (exploit_kit.rules)
2058151 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (iognews .com) (exploit_kit.rules)
2058152 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (habfan .com) (exploit_kit.rules)
2058153 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .material .amstillroofing .com) (malware.rules)
2058155 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jitcom .info) (exploit_kit.rules)
2058156 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jitcom .info) (exploit_kit.rules)
2059358 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .trial .buyintercomsonline .com) (malware.rules)
2059359 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .trial .buyintercomsonline .com) (malware.rules)
2059377 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .crm .bestintownpro .com) (malware.rules)
2059378 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .crm .bestintownpro .com) (malware.rules)
2059445 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .app .andredenault .com) (malware.rules)
2059446 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .app .andredenault .com) (malware.rules)
2059609 - ET MALWARE SocGholish CnC Domain in DNS Lookup (customer .aaddigitalstrategies .com) (malware.rules)
2059610 - ET MALWARE SocGholish CnC Domain in TLS SNI (customer .aaddigitalstrategies .com) (malware.rules)
2859736 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859737 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859738 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859739 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859740 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859741 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859742 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859757 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859758 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859759 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859760 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859777 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859787 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859788 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859789 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859790 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/11 - v10643 Ruleset Updates	93	July 11, 2024
Ruleset Update Summary - 2024/11/25 - v10750 Ruleset Updates	72	November 25, 2024
Ruleset Update Summary - 2025/01/07 - v10831 Ruleset Updates	73	January 7, 2025
Ruleset Update Summary - 2024/02/19 - v10535 Ruleset Updates	513	February 19, 2024
Ruleset Update Summary - 2024/12/18 - v10810 Ruleset Updates	78	December 18, 2024

Ruleset Update Summary - 2025/02/07 - v10855

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics