Ruleset Update Summary - 2025/02/25 - v10866

Summary:

14 new OPEN, 15 new PRO (14 + 1)

Thanks @monitorsg
Added rules:

Open:

  • 2060363 - ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794) (exploit.rules)
  • 2060364 - ET INFO DYNAMIC_DNS Query to a *.power-media .ro domain (info.rules)
  • 2060365 - ET INFO DYNAMIC_DNS HTTP Request to a *.power-media .ro domain (info.rules)
  • 2060366 - ET INFO DYNAMIC_DNS Query to a *.pitlobra .ro domain (info.rules)
  • 2060367 - ET INFO DYNAMIC_DNS HTTP Request to a *.pitlobra .ro domain (info.rules)
  • 2060368 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (cluster .buydoorlitesandlouvers .com) (malware.rules)
  • 2060369 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (cluster .buydoorlitesandlouvers .com) (malware.rules)
  • 2060370 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advertised .life) (malware.rules)
  • 2060371 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (advertised .life in TLS SNI) (malware.rules)
  • 2060372 - ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364) (web_specific_apps.rules)
  • 2060373 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sunotels .com) (exploit_kit.rules)
  • 2060374 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sunotels .com) (exploit_kit.rules)
  • 2060375 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (socksforrocks .shop) (exploit_kit.rules)
  • 2060376 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (socksforrocks .shop) (exploit_kit.rules)

Pro:

  • 2860434 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2060293 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (t .me/fvTDOnvFcMdW) (malware.rules)
  • 2060294 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (t .me/fvTDOnvFcMdW in TLS SNI) (malware.rules)