Ruleset Update Summary - 2025/02/24 - v10865

Summary:

80 new OPEN, 108 new PRO (80 + 28)

Thanks @monitorsg


Added rules:

Open:

  • 2060283 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (sponsor .sewacanada .org) (malware.rules)
  • 2060284 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (sponsor .sewacanada .org) (malware.rules)
  • 2060285 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (NovaNesmt .cyou) (malware.rules)
  • 2060286 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (NovaNesmt .cyou in TLS SNI) (malware.rules)
  • 2060287 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (RgadiantSoul .top) (malware.rules)
  • 2060288 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (RgadiantSoul .top in TLS SNI) (malware.rules)
  • 2060289 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (babyedopposer .site) (malware.rules)
  • 2060290 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (babyedopposer .site in TLS SNI) (malware.rules)
  • 2060291 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (governoagoal .pw) (malware.rules)
  • 2060292 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (governoagoal .pw in TLS SNI) (malware.rules)
  • 2060293 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (https://t .me/fvTDOnvFcMdW) (malware.rules)
  • 2060294 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (https://t .me/fvTDOnvFcMdW in TLS SNI) (malware.rules)
  • 2060295 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (investiigato .website) (malware.rules)
  • 2060296 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (investiigato .website in TLS SNI) (malware.rules)
  • 2060297 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (openheartljiving .tech) (malware.rules)
  • 2060298 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (openheartljiving .tech in TLS SNI) (malware.rules)
  • 2060299 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pausedcritiaca .fun) (malware.rules)
  • 2060300 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pausedcritiaca .fun in TLS SNI) (malware.rules)
  • 2060301 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (petlovinstop .top) (malware.rules)
  • 2060302 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (petlovinstop .top in TLS SNI) (malware.rules)
  • 2060303 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (posqvevibesonly .tech) (malware.rules)
  • 2060304 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (posqvevibesonly .tech in TLS SNI) (malware.rules)
  • 2060305 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prideforgek .fun) (malware.rules)
  • 2060306 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (prideforgek .fun in TLS SNI) (malware.rules)
  • 2060307 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live) (malware.rules)
  • 2060308 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (privileggoe .live in TLS SNI) (malware.rules)
  • 2060309 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (refledesige .online) (malware.rules)
  • 2060310 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (refledesige .online in TLS SNI) (malware.rules)
  • 2060311 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soqulfonections .tech) (malware.rules)
  • 2060312 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soqulfonections .tech in TLS SNI) (malware.rules)
  • 2060313 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life) (malware.rules)
  • 2060314 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (subawhipnator .life in TLS SNI) (malware.rules)
  • 2060315 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet) (malware.rules)
  • 2060316 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (uncertainyelemz .bet in TLS SNI) (malware.rules)
  • 2060317 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wqanderludreams .tech) (malware.rules)
  • 2060318 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wqanderludreams .tech in TLS SNI) (malware.rules)
  • 2060319 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (VisiwonaryPath .top) (malware.rules)
  • 2060320 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (VisiwonaryPath .top in TLS SNI) (malware.rules)
  • 2060321 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (metalcourthur .fun) (malware.rules)
  • 2060322 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (metalcourthur .fun in TLS SNI) (malware.rules)
  • 2060323 - ET EXPLOIT Zyxel runCommandInShell Telnet Service Command Injection Attempt (CVE-2024-40891) (exploit.rules)
  • 2060324 - ET INFO DYNAMIC_DNS Query to a *.compositgroup .com domain (info.rules)
  • 2060325 - ET INFO DYNAMIC_DNS HTTP Request to a *.compositgroup .com domain (info.rules)
  • 2060326 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .adx-crm .com) (malware.rules)
  • 2060327 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .adx-crm .com) (malware.rules)
  • 2060328 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brightfuturjes .tech) (malware.rules)
  • 2060329 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brightfuturjes .tech in TLS SNI) (malware.rules)
  • 2060330 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today) (malware.rules)
  • 2060331 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deaddereaste .today in TLS SNI) (malware.rules)
  • 2060332 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlagrestatem .bet) (malware.rules)
  • 2060333 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlagrestatem .bet in TLS SNI) (malware.rules)
  • 2060334 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live) (malware.rules)
  • 2060335 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hobbyedsmoker .live in TLS SNI) (malware.rules)
  • 2060336 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inspiringjstories .tech) (malware.rules)
  • 2060337 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inspiringjstories .tech in TLS SNI) (malware.rules)
  • 2060338 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life) (malware.rules)
  • 2060339 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pastedeputten .life in TLS SNI) (malware.rules)
  • 2060340 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (physicalsnowwer .digital) (malware.rules)
  • 2060341 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (physicalsnowwer .digital in TLS SNI) (malware.rules)
  • 2060342 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pirtyoffensiz .bet) (malware.rules)
  • 2060343 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pirtyoffensiz .bet in TLS SNI) (malware.rules)
  • 2060344 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sterilizeflow .top) (malware.rules)
  • 2060345 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sterilizeflow .top in TLS SNI) (malware.rules)
  • 2060346 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (turngallerudgo .icu) (malware.rules)
  • 2060347 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (turngallerudgo .icu in TLS SNI) (malware.rules)
  • 2060348 - ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276) (web_specific_apps.rules)
  • 2060349 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (infinett .com) (exploit_kit.rules)
  • 2060350 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (infinett .com) (exploit_kit.rules)
  • 2060351 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kamagrafr .icu) (exploit_kit.rules)
  • 2060352 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (milebox .shop) (exploit_kit.rules)
  • 2060353 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kamagrafr .icu) (exploit_kit.rules)
  • 2060354 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (milebox .shop) (exploit_kit.rules)
  • 2060355 - ET MALWARE SocGholish Domain in DNS Lookup (software .adx-crm .com) (malware.rules)
  • 2060356 - ET MALWARE SocGholish Domain in DNS Lookup (sponsor .sewacanada .org) (malware.rules)
  • 2060357 - ET MALWARE SocGholish Domain in TLS SNI (software .adx-crm .com) (malware.rules)
  • 2060358 - ET MALWARE SocGholish Domain in TLS SNI (sponsor .sewacanada .org) (malware.rules)
  • 2060359 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (canaviva .org) (exploit_kit.rules)
  • 2060360 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (theteachersteacherllc .net) (exploit_kit.rules)
  • 2060361 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (canaviva .org) (exploit_kit.rules)
  • 2060362 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (theteachersteacherllc .net) (exploit_kit.rules)

Pro:

  • 2860400 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860401 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860403 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860404 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860405 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2860406 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860407 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2860408 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2860409 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860410 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860411 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860412 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860413 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860414 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860415 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860416 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860417 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860418 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860419 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860420 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860421 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860422 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860423 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860424 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860425 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2860426 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2860427 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Disabled and modified rules:

  • 2060249 - ET INFO Observed DNS Query to trycloudflare .com Domain (info.rules)