Ruleset Update Summary - 2025/02/18 - v10861

Ruleset Updates
1

Summary:

92 new OPEN, 106 new PRO (92 + 14)

Added rules:

Open:

  • 2060116 - ET INFO DYNAMIC_DNS Query to a *.kendimas .com domain (info.rules)
  • 2060117 - ET INFO DYNAMIC_DNS HTTP Request to a *.kendimas .com domain (info.rules)
  • 2060118 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (programs .edlester .com) (malware.rules)
  • 2060119 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (programs .edlester .com) (malware.rules)
  • 2060120 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (CaxndidWave .cyou) (malware.rules)
  • 2060121 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (CaxndidWave .cyou in TLS SNI) (malware.rules)
  • 2060122 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ClerarHorizon .cyou) (malware.rules)
  • 2060123 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ClerarHorizon .cyou in TLS SNI) (malware.rules)
  • 2060124 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (GreehnVibe .top) (malware.rules)
  • 2060125 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (GreehnVibe .top in TLS SNI) (malware.rules)
  • 2060126 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (LightoJourney .top) (malware.rules)
  • 2060127 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (LightoJourney .top in TLS SNI) (malware.rules)
  • 2060128 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (SoftNestl .cyou) (malware.rules)
  • 2060129 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (SoftNestl .cyou in TLS SNI) (malware.rules)
  • 2060130 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zengardxen .cyou) (malware.rules)
  • 2060131 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zengardxen .cyou in TLS SNI) (malware.rules)
  • 2060132 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (BrhightFusion .top) (malware.rules)
  • 2060133 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (BrhightFusion .top in TLS SNI) (malware.rules)
  • 2060134 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (dashboard .nzlifecoaching .com) (malware.rules)
  • 2060135 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (dashboard .nzlifecoaching .com) (malware.rules)
  • 2060136 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cryptocurrencytrends .click) (malware.rules)
  • 2060137 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cryptocurrencytrends .click in TLS SNI) (malware.rules)
  • 2060138 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (https://t .me/gwwrggwarhrha) (malware.rules)
  • 2060139 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (https://t .me/gwwrggwarhrha in TLS SNI) (malware.rules)
  • 2060140 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jookerkslxsafkr .xyz) (malware.rules)
  • 2060141 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jookerkslxsafkr .xyz in TLS SNI) (malware.rules)
  • 2060142 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxparadisetop .top) (malware.rules)
  • 2060143 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (relaxparadisetop .top in TLS SNI) (malware.rules)
  • 2060144 - ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094) (exploit.rules)
  • 2060145 - ET MALWARE Observed DNS Query to REF7707 Domain (update .hobiter .com) (malware.rules)
  • 2060146 - ET MALWARE Observed DNS Query to REF7707 Domain (support .fortineat .com) (malware.rules)
  • 2060147 - ET MALWARE Observed DNS Query to REF7707 Domain (digert .ictnsc .com) (malware.rules)
  • 2060148 - ET MALWARE Observed DNS Query to REF7707 Domain (d-links .net) (malware.rules)
  • 2060149 - ET MALWARE Observed DNS Query to REF7707 Domain (poster .checkponit .com) (malware.rules)
  • 2060150 - ET MALWARE Observed DNS Query to REF7707 Domain (cloud .autodiscovar .com) (malware.rules)
  • 2060151 - ET MALWARE Observed DNS Query to REF7707 Domain (vm-clouds .net) (malware.rules)
  • 2060152 - ET MALWARE Observed DNS Query to REF7707 Domain (support .vmphere .com) (malware.rules)
  • 2060153 - ET MALWARE Observed REF7707 Domain (update .hobiter .com in TLS SNI) (malware.rules)
  • 2060154 - ET MALWARE Observed REF7707 Domain (support .fortineat .com in TLS SNI) (malware.rules)
  • 2060155 - ET MALWARE Observed REF7707 Domain (digert .ictnsc .com in TLS SNI) (malware.rules)
  • 2060156 - ET MALWARE Observed REF7707 Domain (d-links .net in TLS SNI) (malware.rules)
  • 2060157 - ET MALWARE Observed REF7707 Domain (poster .checkponit .com in TLS SNI) (malware.rules)
  • 2060158 - ET MALWARE Observed REF7707 Domain (cloud .autodiscovar .com in TLS SNI) (malware.rules)
  • 2060159 - ET MALWARE Observed REF7707 Domain (vm-clouds .net in TLS SNI) (malware.rules)
  • 2060160 - ET MALWARE Observed REF7707 Domain (support .vmphere .com in TLS SNI) (malware.rules)
  • 2060161 - ET INFO Observed DNS Query to Microsoft Cloud Service Domain (graph .microsoft .com) (info.rules)
  • 2060162 - ET INFO Observed Microsoft Cloud Service Domain (graph .microsoft .com in TLS SNI) (info.rules)
  • 2060163 - ET INFO DYNAMIC_DNS Query to a *.shein .ca domain (info.rules)
  • 2060164 - ET INFO DYNAMIC_DNS HTTP Request to a *.shein .ca domain (info.rules)
  • 2060165 - ET INFO DYNAMIC_DNS Query to a *.logistica .com .mx domain (info.rules)
  • 2060166 - ET INFO DYNAMIC_DNS HTTP Request to a *.logistica .com .mx domain (info.rules)
  • 2060167 - ET INFO DYNAMIC_DNS Query to a *.ostrovsky .sk domain (info.rules)
  • 2060168 - ET INFO DYNAMIC_DNS HTTP Request to a *.ostrovsky .sk domain (info.rules)
  • 2060169 - ET INFO DYNAMIC_DNS Query to a *.globalwireandcable .com domain (info.rules)
  • 2060170 - ET INFO DYNAMIC_DNS HTTP Request to a *.globalwireandcable .com domain (info.rules)
  • 2060171 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .hypnotherapy-training .co .nz) (malware.rules)
  • 2060172 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .hypnotherapy-training .co .nz) (malware.rules)
  • 2060173 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (HoarmonyNest .top) (malware.rules)
  • 2060174 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (HoarmonyNest .top in TLS SNI) (malware.rules)
  • 2060175 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (PeactefulPath .top) (malware.rules)
  • 2060176 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (PeactefulPath .top in TLS SNI) (malware.rules)
  • 2060177 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (RadiatntIdeas .top) (malware.rules)
  • 2060178 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (RadiatntIdeas .top in TLS SNI) (malware.rules)
  • 2060179 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (endxlesspossi .tech) (malware.rules)
  • 2060180 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (endxlesspossi .tech in TLS SNI) (malware.rules)
  • 2060181 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impactsupport .world) (malware.rules)
  • 2060182 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impactsupport .world in TLS SNI) (malware.rules)
  • 2060183 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lestagames .world) (malware.rules)
  • 2060184 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lestagames .world in TLS SNI) (malware.rules)
  • 2060185 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nestlecompany .world) (malware.rules)
  • 2060186 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nestlecompany .world in TLS SNI) (malware.rules)
  • 2060187 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cinaweine .shop) (exploit_kit.rules)
  • 2060188 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mammeporche .top) (exploit_kit.rules)
  • 2060189 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cinaweine .shop) (exploit_kit.rules)
  • 2060190 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mammeporche .top) (exploit_kit.rules)
  • 2060191 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vessweb .com) (exploit_kit.rules)
  • 2060192 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (szshenyao .com) (exploit_kit.rules)
  • 2060193 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (scanpaq .com) (exploit_kit.rules)
  • 2060194 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (eecsys .com) (exploit_kit.rules)
  • 2060195 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vessweb .com) (exploit_kit.rules)
  • 2060196 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (szshenyao .com) (exploit_kit.rules)
  • 2060197 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (scanpaq .com) (exploit_kit.rules)
  • 2060198 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (rapiddevapi .com) (exploit_kit.rules)
  • 2060199 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
  • 2060200 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (rapiddevapi .com) (exploit_kit.rules)
  • 2060201 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
  • 2060202 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world) (malware.rules)
  • 2060203 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (decreaserid .world in TLS SNI) (malware.rules)
  • 2060204 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoyoverse .blog) (malware.rules)
  • 2060205 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hoyoverse .blog in TLS SNI) (malware.rules)
  • 2060206 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info) (malware.rules)
  • 2060207 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dsfljsdfjewf .info in TLS SNI) (malware.rules)

Pro:

  • 2860346 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2860347 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860348 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860349 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860350 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860351 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860352 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860353 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860354 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860355 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2860356 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2860357 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2860358 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
  • 2860359 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)