Ruleset Update Summary - 2025/02/10 - v10856

Ruleset Updates
1

Summary:

51 new OPEN, 90 new PRO (51 + 39)

Thanks @monitorsg

Added rules:

Open:

  • 2059979 - ET PHISHING Generic Credential Phish Landing Page 2025-02-10 (phishing.rules)
  • 2059980 - ET INFO Redirect to Lovable AI Generated WebApp (info.rules)
  • 2059981 - ET INFO DYNAMIC_DNS Query to a *.ultrapanel .us domain (info.rules)
  • 2059982 - ET INFO DYNAMIC_DNS HTTP Request to a *.ultrapanel .us domain (info.rules)
  • 2059983 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptupricez .click) (malware.rules)
  • 2059984 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptupricez .click in TLS SNI) (malware.rules)
  • 2059985 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cozyhomevpibes .cyou) (malware.rules)
  • 2059986 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cozyhomevpibes .cyou in TLS SNI) (malware.rules)
  • 2059987 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ignoredshee .com) (malware.rules)
  • 2059988 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ignoredshee .com in TLS SNI) (malware.rules)
  • 2059989 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medicaljummtj .shop) (malware.rules)
  • 2059990 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (medicaljummtj .shop in TLS SNI) (malware.rules)
  • 2059991 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (modernakdventure .cyou) (malware.rules)
  • 2059992 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (modernakdventure .cyou in TLS SNI) (malware.rules)
  • 2059993 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vibranktdream .top) (malware.rules)
  • 2059994 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vibranktdream .top in TLS SNI) (malware.rules)
  • 2059995 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breakfasutwy .cyou) (malware.rules)
  • 2059996 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (breakfasutwy .cyou in TLS SNI) (malware.rules)
  • 2059997 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breezhymeadow .rest) (malware.rules)
  • 2059998 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (breezhymeadow .rest in TLS SNI) (malware.rules)
  • 2059999 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (digitalmarketing101 .click) (malware.rules)
  • 2060000 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (digitalmarketing101 .click in TLS SNI) (malware.rules)
  • 2060001 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fallyjustif .click) (malware.rules)
  • 2060002 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fallyjustif .click in TLS SNI) (malware.rules)
  • 2060003 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fascinatterz .cyou) (malware.rules)
  • 2060004 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fascinatterz .cyou in TLS SNI) (malware.rules)
  • 2060005 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (meditatetop .top) (malware.rules)
  • 2060006 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (meditatetop .top in TLS SNI) (malware.rules)
  • 2060007 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mshyhennyk .cyou) (malware.rules)
  • 2060008 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mshyhennyk .cyou in TLS SNI) (malware.rules)
  • 2060009 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (overttriter .biz) (malware.rules)
  • 2060010 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (overttriter .biz in TLS SNI) (malware.rules)
  • 2060011 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voyageprivato .bond) (malware.rules)
  • 2060012 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (voyageprivato .bond in TLS SNI) (malware.rules)
  • 2060013 - ET INFO DYNAMIC_DNS Query to a *.serprise .com domain (info.rules)
  • 2060014 - ET INFO DYNAMIC_DNS HTTP Request to a *.serprise .com domain (info.rules)
  • 2060015 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .jpainting .ca) (malware.rules)
  • 2060016 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .jpainting .ca) (malware.rules)
  • 2060017 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cxheerfulriver .pics) (malware.rules)
  • 2060018 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cxheerfulriver .pics in TLS SNI) (malware.rules)
  • 2060019 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greenearoth .cyou) (malware.rules)
  • 2060020 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (greenearoth .cyou in TLS SNI) (malware.rules)
  • 2060021 - ET WEB_SPECIFIC_APPS Microsoft Purview Authorized Server-Side Request Forgery (CVE-2025-21385) (web_specific_apps.rules)
  • 2060022 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (youhao5 .shop) (exploit_kit.rules)
  • 2060023 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (catchsx .top) (exploit_kit.rules)
  • 2060024 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (youhao5 .shop) (exploit_kit.rules)
  • 2060025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (catchsx .top) (exploit_kit.rules)
  • 2060026 - ET MALWARE SocGholish CnC Domain in DNS Lookup (preview .jpainting .ca) (malware.rules)
  • 2060027 - ET MALWARE SocGholish CnC Domain in TLS SNI (preview .jpainting .ca) (malware.rules)
  • 2060028 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (agretex .com) (exploit_kit.rules)
  • 2060029 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (agretex .com) (exploit_kit.rules)

Pro:

  • 2860195 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860196 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860197 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860198 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860199 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860200 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860201 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860205 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860206 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860207 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860208 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860210 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860211 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860212 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860213 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860214 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860215 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860216 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860218 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860219 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860221 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860222 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860223 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860224 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860225 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860226 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860227 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860228 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860229 - ETPRO MALWARE Clickfix Lazyload Payload Inound (malware.rules)
  • 2860230 - ETPRO MALWARE Clickfix Related Additional Payload Request (GET) (malware.rules)
  • 2860231 - ETPRO MALWARE Lumma Stealer Downloader Inbound (malware.rules)
  • 2860232 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) (malware.rules)
  • 2860233 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) (malware.rules)

Disabled and modified rules:

  • 2859944 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859952 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859955 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859968 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859969 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859979 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2859987 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2860008 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2860011 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2860026 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2860043 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
  • 2860077 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860085 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860088 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860101 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860102 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860112 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860120 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860140 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860141 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860144 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860159 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860163 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)
  • 2860176 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)