Ruleset Update Summary - 2025/03/10 - v10875

Summary:

89 new OPEN, 105 new PRO (89 + 16)
Added rules:

Open:

  • 2060690 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in DNS Lookup (arpobe .hemispheredrown .tech) (exploit_kit.rules)
  • 2060691 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in TLS SNI (arpobe .hemispheredrown .tech) (exploit_kit.rules)
  • 2060692 - ET INFO DYNAMIC_DNS Query to a *.veronicabazan .cl domain (info.rules)
  • 2060693 - ET INFO DYNAMIC_DNS HTTP Request to a *.veronicabazan .cl domain (info.rules)
  • 2060694 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arisechairedd .shop) (malware.rules)
  • 2060695 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (arisechairedd .shop) in TLS SNI (malware.rules)
  • 2060696 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (begindecafer .world) (malware.rules)
  • 2060697 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begindecafer .world) in TLS SNI (malware.rules)
  • 2060698 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (catterjur .run) (malware.rules)
  • 2060699 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (catterjur .run) in TLS SNI (malware.rules)
  • 2060700 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defaulemot .run) (malware.rules)
  • 2060701 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (defaulemot .run) in TLS SNI (malware.rules)
  • 2060702 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fostinjec .today) (malware.rules)
  • 2060703 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fostinjec .today) in TLS SNI (malware.rules)
  • 2060704 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garagedrootz .top) (malware.rules)
  • 2060705 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (garagedrootz .top) in TLS SNI (malware.rules)
  • 2060706 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (modelshiverd .icu) (malware.rules)
  • 2060707 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (modelshiverd .icu) in TLS SNI (malware.rules)
  • 2060708 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orangemyther .live) (malware.rules)
  • 2060709 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orangemyther .live) in TLS SNI (malware.rules)
  • 2060710 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sterpickced .digital) (malware.rules)
  • 2060711 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sterpickced .digital) in TLS SNI (malware.rules)
  • 2060712 - ET INFO DYNAMIC_DNS Query to a *.gmk .cl domain (info.rules)
  • 2060713 - ET INFO DYNAMIC_DNS HTTP Request to a *.gmk .cl domain (info.rules)
  • 2060714 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (furryfinkders .digital) (malware.rules)
  • 2060715 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (furryfinkders .digital) in TLS SNI (malware.rules)
  • 2060716 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gmt-a .shop) (exploit_kit.rules)
  • 2060717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gmt-a .shop) (exploit_kit.rules)
  • 2060718 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viloriterso .icu) (exploit_kit.rules)
  • 2060719 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viloriterso .icu) (exploit_kit.rules)
  • 2060720 - ET WEB_SPECIFIC_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655) (web_specific_apps.rules)
  • 2060721 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (samaxwell .com) (exploit_kit.rules)
  • 2060722 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (samaxwell .com) (exploit_kit.rules)
  • 2060723 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (forum .envisionfonddulac .info) (malware.rules)
  • 2060724 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (forum .envisionfonddulac .info) (malware.rules)
  • 2060725 - ET INFO DYNAMIC_DNS Query to a *.mundra .com domain (info.rules)
  • 2060726 - ET INFO DYNAMIC_DNS HTTP Request to a *.mundra .com domain (info.rules)
  • 2060727 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apwporchestrator .shop) (malware.rules)
  • 2060728 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (apwporchestrator .shop) in TLS SNI (malware.rules)
  • 2060729 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bugildbett .top) (malware.rules)
  • 2060730 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bugildbett .top) in TLS SNI (malware.rules)
  • 2060731 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cjlaspcorne .icu) (malware.rules)
  • 2060732 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cjlaspcorne .icu) in TLS SNI (malware.rules)
  • 2060733 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (featureccus .shop) (malware.rules)
  • 2060734 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (featureccus .shop) in TLS SNI (malware.rules)
  • 2060735 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (htardwarehu .icu) (malware.rules)
  • 2060736 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (htardwarehu .icu) in TLS SNI (malware.rules)
  • 2060737 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jowinjoinery .icu) (malware.rules)
  • 2060738 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jowinjoinery .icu) in TLS SNI (malware.rules)
  • 2060739 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (latchclan .shop) (malware.rules)
  • 2060740 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (latchclan .shop) in TLS SNI (malware.rules)
  • 2060741 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (legenassedk .top) (malware.rules)
  • 2060742 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (legenassedk .top) in TLS SNI (malware.rules)
  • 2060743 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mrodularmall .top) (malware.rules)
  • 2060744 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mrodularmall .top) in TLS SNI (malware.rules)
  • 2060745 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pillowtouzch .shop) (malware.rules)
  • 2060746 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pillowtouzch .shop) in TLS SNI (malware.rules)
  • 2060747 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sockvoicep .live) (malware.rules)
  • 2060748 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sockvoicep .live) in TLS SNI (malware.rules)
  • 2060749 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060750 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060751 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060752 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060753 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060754 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060755 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060756 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060757 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060758 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060759 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060760 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060761 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060762 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060763 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060764 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060765 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060766 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060767 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060768 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060769 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060770 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060771 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060772 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060773 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060774 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060775 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060776 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060777 - ET EXPLOIT [CORELIGHT] - CVE-2025-27218 Sitecore unsafe deserialization attempt (exploit.rules)
  • 2060778 - ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection (CVE-2025-27636) (web_specific_apps.rules)

Pro:

  • 2860653 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860654 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860656 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860657 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860658 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860659 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860660 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860661 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860662 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860663 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860664 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860665 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860666 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860667 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860668 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2060571 - ET PHISHING Evilginx Activity (Favicon Query) (phishing.rules)