Ruleset Update Summary - 2025/02/26 - v10867

Ruleset Updates
1

Summary:

24 new OPEN, 24 new PRO (24 + 0)

Added rules:

Open:

  • 2060377 - ET MALWARE Divulge Stealer CnC Checkin (malware.rules)
  • 2060378 - ET MALWARE Divulge Stealer CnC Domain in DNS Lookup (stealer .to) (malware.rules)
  • 2060379 - ET MALWARE Observed Divulge Stealer Domain (stealer .to) in TLS SNI (malware.rules)
  • 2060380 - ET MALWARE Divulge Stealer Data Exfiltration Attempt (malware.rules)
  • 2060381 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (mail .aestheticfina .com) (malware.rules)
  • 2060382 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (mail .aestheticfina .com) (malware.rules)
  • 2060383 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (boltetuurked .digital) (malware.rules)
  • 2060384 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (boltetuurked .digital in TLS SNI) (malware.rules)
  • 2060385 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run) (malware.rules)
  • 2060386 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) (malware.rules)
  • 2060387 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hvsdkfjfhj-sd-1 .pro) (malware.rules)
  • 2060388 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hvsdkfjfhj-sd-1 .pro in TLS SNI) (malware.rules)
  • 2060389 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presentymusse .world) (malware.rules)
  • 2060390 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (presentymusse .world in TLS SNI) (malware.rules)
  • 2060391 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pukisound .icu) (malware.rules)
  • 2060392 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pukisound .icu in TLS SNI) (malware.rules)
  • 2060393 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (debolts .com) (exploit_kit.rules)
  • 2060394 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (debolts .com) (exploit_kit.rules)
  • 2060395 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dealermobil .top) (exploit_kit.rules)
  • 2060396 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (7serv .top) (exploit_kit.rules)
  • 2060397 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dealermobil .top) (exploit_kit.rules)
  • 2060398 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (7serv .top) (exploit_kit.rules)
  • 2060399 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (nacionalmedia .com) (exploit_kit.rules)
  • 2060400 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (nacionalmedia .com) (exploit_kit.rules)

Modified inactive rules:

  • 2053407 - ET MALWARE SocGholish CnC Domain in DNS (* .team .jessicabarrett .com) (malware.rules)
  • 2054354 - ET MALWARE SocGholish CnC Domain in DNS (* .parish .chuathuongxot .org) (malware.rules)
  • 2054498 - ET MALWARE SocGholish CnC Domain in DNS (* .award .vuheritagefoundation .org) (malware.rules)
  • 2054633 - ET MALWARE SocGholish CnC Domain in DNS (* .loyalty .hienphucuanhanloai .org) (malware.rules)
  • 2054634 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .loyalty.hienphucuanhanloai .org) (malware.rules)
  • 2054720 - ET MALWARE SocGholish CnC Domain in DNS (* .living .miraclesofeucharisticjesus .org) (malware.rules)
  • 2054866 - ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net) (malware.rules)
  • 2055222 - ET MALWARE SocGholish CnC Domain in DNS (* .guide .borden-carleton .ca) (malware.rules)
  • 2055316 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sponsor .printondemandagency .com) (malware.rules)
  • 2055495 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .contest .printondemandmerchandise .com) (malware.rules)
  • 2055738 - ET MALWARE SocGholish CnC Domain in DNS (* .podcast .lisameyerson .com) (malware.rules)
  • 2055769 - ET MALWARE SocGholish CnC Domain in DNS (* .benefits .melanatedbloodlinesrestoration .com) (malware.rules)
  • 2055867 - ET MALWARE SocGholish CnC Domain in DNS (* .therapy .emergencepsychservices .com) (malware.rules)
  • 2056321 - ET MALWARE SocGholish CnC Domain in DNS (* .shades .whatisaweekend .com) (malware.rules)
  • 2056554 - ET MALWARE SocGholish CnC Domain in DNS (* .outfit .dianamercer .com) (malware.rules)
  • 2057065 - ET MALWARE SocGholish CnC Domain in DNS (* .range .cccinvolve .org) (malware.rules)
  • 2057228 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .strategies .mvpstrat .com) (malware.rules)
  • 2057364 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .events .socalpocis .org) (malware.rules)
  • 2058720 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .slot .buyaiphoneonline .com) (malware.rules)
  • 2059086 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .static .buyweatherstriponline .com) (malware.rules)
  • 2059186 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .order .buyanemostatonline .com) (malware.rules)
  • 2059359 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .trial .buyintercomsonline .com) (malware.rules)
  • 2059377 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .crm .bestintownpro .com) (malware.rules)
  • 2059445 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .app .andredenault .com) (malware.rules)
  • 2060015 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .jpainting .ca) (malware.rules)
  • 2060243 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (seminary .envisionfonddulac .com) (malware.rules)

Disabled and modified rules:

  • 2060224 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (onlinelas .com) (exploit_kit.rules)
  • 2060225 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (onlinelas .com) (exploit_kit.rules)