Summary:
14 new OPEN, 15 new PRO (14 + 1)
Thanks @monitorsg
Added rules:
Open:
- 2060363 - ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794) (exploit.rules)
- 2060364 - ET INFO DYNAMIC_DNS Query to a *.power-media .ro domain (info.rules)
- 2060365 - ET INFO DYNAMIC_DNS HTTP Request to a *.power-media .ro domain (info.rules)
- 2060366 - ET INFO DYNAMIC_DNS Query to a *.pitlobra .ro domain (info.rules)
- 2060367 - ET INFO DYNAMIC_DNS HTTP Request to a *.pitlobra .ro domain (info.rules)
- 2060368 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (cluster .buydoorlitesandlouvers .com) (malware.rules)
- 2060369 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (cluster .buydoorlitesandlouvers .com) (malware.rules)
- 2060370 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advertised .life) (malware.rules)
- 2060371 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (advertised .life in TLS SNI) (malware.rules)
- 2060372 - ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364) (web_specific_apps.rules)
- 2060373 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sunotels .com) (exploit_kit.rules)
- 2060374 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sunotels .com) (exploit_kit.rules)
- 2060375 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (socksforrocks .shop) (exploit_kit.rules)
- 2060376 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (socksforrocks .shop) (exploit_kit.rules)
Pro:
- 2860434 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
Disabled and modified rules:
- 2060293 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (t .me/fvTDOnvFcMdW) (malware.rules)
- 2060294 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (t .me/fvTDOnvFcMdW in TLS SNI) (malware.rules)