Ruleset Update Summary - 2025/02/28 - v10869

rulesbot · February 28, 2025, 9:27pm

Summary:

71 new OPEN, 73 new PRO (71 + 2)

Thanks @sekoia_io

Added rules:

Open:

2060435 - ET INFO Default PolarSSL/mbedTLS Certificate Issuer Observed in Certificate (info.rules)
2060436 - ET MALWARE Observed Malicious SSL Cert Associated with PolarEdge Botnet M1 (malware.rules)
2060437 - ET MALWARE Observed Malicious SSL Cert Associated with PolarEdge Botnet M2 (malware.rules)
2060438 - ET MALWARE Observed Malicious SSL Cert Associated with PolarEdge Botnet M3 (malware.rules)
2060439 - ET MALWARE Observed Malicious SSL Cert Associated with PolarEdge Botnet M4 (malware.rules)
2060440 - ET MALWARE PolarEdge Webshell Installation attempt (malware.rules)
2060441 - ET MALWARE PolarEdge Webshell Activity (malware.rules)
2060442 - ET MALWARE PolarEdge TLS Backdoor Installation Attempt (malware.rules)
2060443 - ET MALWARE PolarEdge CnC Checkin (malware.rules)
2060444 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (suiteiol .cc) (malware.rules)
2060445 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (longlog .cc) (malware.rules)
2060446 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (aipricadd .top) (malware.rules)
2060447 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (ssofhoseuegsgrfnu .ru) (malware.rules)
2060448 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (hitchil .cc) (malware.rules)
2060449 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (headached .cc) (malware.rules)
2060450 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (landim .cc) (malware.rules)
2060451 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (icecreand .cc) (malware.rules)
2060452 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (largeroofs .top) (malware.rules)
2060453 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (asustordownload .com) (malware.rules)
2060454 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (gardensc .cc) (malware.rules)
2060455 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (siotherlentsearsitech .shop) (malware.rules)
2060456 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (firebasesafer .top) (malware.rules)
2060457 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (centrequ .cc) (malware.rules)
2060458 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (durianlink .cc) (malware.rules)
2060459 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (Logchim .cc) (malware.rules)
2060460 - ET MALWARE PolarEdge CnC Domain in DNS Lookup (nternetd .cc) (malware.rules)
2060461 - ET MALWARE Observed PolarEdge Domain (suiteiol .cc in TLS SNI) (malware.rules)
2060462 - ET MALWARE Observed PolarEdge Domain (longlog .cc in TLS SNI) (malware.rules)
2060463 - ET MALWARE Observed PolarEdge Domain (aipricadd .top in TLS SNI) (malware.rules)
2060464 - ET MALWARE Observed PolarEdge Domain (ssofhoseuegsgrfnu .ru in TLS SNI) (malware.rules)
2060465 - ET MALWARE Observed PolarEdge Domain (hitchil .cc in TLS SNI) (malware.rules)
2060466 - ET MALWARE Observed PolarEdge Domain (headached .cc in TLS SNI) (malware.rules)
2060467 - ET MALWARE Observed PolarEdge Domain (landim .cc in TLS SNI) (malware.rules)
2060468 - ET MALWARE Observed PolarEdge Domain (icecreand .cc in TLS SNI) (malware.rules)
2060469 - ET MALWARE Observed PolarEdge Domain (largeroofs .top in TLS SNI) (malware.rules)
2060470 - ET MALWARE Observed PolarEdge Domain (asustordownload .com in TLS SNI) (malware.rules)
2060471 - ET MALWARE Observed PolarEdge Domain (gardensc .cc in TLS SNI) (malware.rules)
2060472 - ET MALWARE Observed PolarEdge Domain (siotherlentsearsitech .shop in TLS SNI) (malware.rules)
2060473 - ET MALWARE Observed PolarEdge Domain (firebasesafer .top in TLS SNI) (malware.rules)
2060474 - ET MALWARE Observed PolarEdge Domain (centrequ .cc in TLS SNI) (malware.rules)
2060475 - ET MALWARE Observed PolarEdge Domain (durianlink .cc in TLS SNI) (malware.rules)
2060476 - ET MALWARE Observed PolarEdge Domain (Logchim .cc in TLS SNI) (malware.rules)
2060477 - ET MALWARE Observed PolarEdge Domain (nternetd .cc in TLS SNI) (malware.rules)
2060478 - ET INFO DYNAMIC_DNS Query to a *.weinteract .com domain (info.rules)
2060479 - ET INFO DYNAMIC_DNS HTTP Request to a *.weinteract .com domain (info.rules)
2060480 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (windows .envisionfonddulac .net) (malware.rules)
2060481 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (windows .envisionfonddulac .net) (malware.rules)
2060482 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (calmingtefxtures .run) (malware.rules)
2060483 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (calmingtefxtures .run in TLS SNI) (malware.rules)
2060484 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commercfriek .digital) (malware.rules)
2060485 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (commercfriek .digital in TLS SNI) (malware.rules)
2060486 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (communicationfell .icu) (malware.rules)
2060487 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (communicationfell .icu in TLS SNI) (malware.rules)
2060488 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (faminuarfas .digital) (malware.rules)
2060489 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (faminuarfas .digital in TLS SNI) (malware.rules)
2060490 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gmoldenhours .tech) (malware.rules)
2060491 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gmoldenhours .tech in TLS SNI) (malware.rules)
2060492 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (halfambitie .space) (malware.rules)
2060493 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (halfambitie .space in TLS SNI) (malware.rules)
2060494 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mountainvbreezes .bet) (malware.rules)
2060495 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mountainvbreezes .bet in TLS SNI) (malware.rules)
2060496 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (solarnatgure .run) (malware.rules)
2060497 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (solarnatgure .run in TLS SNI) (malware.rules)
2060498 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (netsolut .com) (exploit_kit.rules)
2060499 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (netsolut .com) (exploit_kit.rules)
2060500 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (couterfv .top) (exploit_kit.rules)
2060501 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (couterfv .top) (exploit_kit.rules)
2060502 - ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg) (info.rules)
2060503 - ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) (info.rules)
2060504 - ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI (info.rules)
2060505 - ET INFO Observed Discord Service Domain (discord .com) in TLS SNI (info.rules)

Pro:

2860492 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2860493 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/27 - v10756 Ruleset Updates	40	November 27, 2024
Ruleset Update Summary - 2023/10/23 - v10446 Ruleset Updates	516	October 23, 2023
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	271	August 29, 2023
Ruleset Update Summary - 2024/04/25 - v10583 Ruleset Updates	672	April 25, 2024
Ruleset Update Summary - 2023/07/18 - v10374 Ruleset Updates	231	July 18, 2023

Ruleset Update Summary - 2025/02/28 - v10869

Summary:

Added rules:

Open:

Pro:

Related topics