Ruleset Update Summary - 2025/03/11 - v10876

Summary:

21 new OPEN, 26 new PRO (21 + 5)


Added rules:

Open:

  • 2060779 - ET WEB_SPECIFIC_APPS DocsGPT Remote Code Execution Attempt (CVE-2025-0868) (web_specific_apps.rules)
  • 2060780 - ET WEB_SPECIFIC_APPS Cockpit Authenticated Arbitrary PHP File Upload (web_specific_apps.rules)
  • 2060781 - ET MALWARE Observed DNS Query to ClickFix Domain (booking-sup-lang-eng .com) (malware.rules)
  • 2060782 - ET MALWARE Observed ClickFix Domain (booking-sup-lang-eng .com in TLS SNI) (malware.rules)
  • 2060783 - ET WEB_SPECIFIC_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035) (web_specific_apps.rules)
  • 2060784 - ET INFO DYNAMIC_DNS Query to a *.iamnotwhoiam .net domain (info.rules)
  • 2060785 - ET INFO DYNAMIC_DNS HTTP Request to a *.iamnotwhoiam .net domain (info.rules)
  • 2060786 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gentlbecomfort .world/Lofg) (malware.rules)
  • 2060787 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gentlbecomfort .world/Lofg) in TLS SNI (malware.rules)
  • 2060788 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (joingeryjunc .top) (malware.rules)
  • 2060789 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (joingeryjunc .top) in TLS SNI (malware.rules)
  • 2060790 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (srpkoa .com) (exploit_kit.rules)
  • 2060791 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (srpkoa .com) (exploit_kit.rules)
  • 2060792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rasin .shop) (exploit_kit.rules)
  • 2060793 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kfzversicherungskosten .top) (exploit_kit.rules)
  • 2060794 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rasin .shop) (exploit_kit.rules)
  • 2060795 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kfzversicherungskosten .top) (exploit_kit.rules)
  • 2060796 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (www .smartcn .cn) (exploit_kit.rules)
  • 2060797 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (www .smartcn .cn) (exploit_kit.rules)
  • 2060798 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (catalog .sjsailboats .com) (malware.rules)
  • 2060799 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (catalog .sjsailboats .com) (malware.rules)

Pro:

  • 2860669 - ETPRO ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page Inbound (Large Image Evasion) (attack_response.rules)
  • 2860670 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860671 - ETPRO MALWARE Win32/GetStream Stealer Victim Profile Exfil (malware.rules)
  • 2860672 - ETPRO MALWARE Win32/GetStream Stealer CnC Response (malware.rules)
  • 2860673 - ETPRO EXPLOIT Microsoft MapUrlToZone Security Feature Bypass (CVE-2025-21247) (exploit.rules)
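
To turn a summary like this into something a detection team can check and act on, here is an added Python example (not part of the Emerging Threats update and not ET tooling) that parses the "Added rules" list into records, verifies that the "N new OPEN, M new PRO (N + K)" line agrees with the SIDs actually listed, and refangs the defanged domains and paths in the rule names into a hunting list alongside the CVE IDs. The sample text is a constructed subset of the lines above with the count line adjusted to that subset; the regexes and the SID range check are the example's own assumptions about the format, not anything the vendor publishes.

```python
import re
from dataclasses import dataclass

# Constructed sample: six rule lines copied from the update summary above
# (SIDs 2060779, 2060781, 2060786, 2060796, 2060798, 2860673), with the
# count line adjusted to this subset (5 open + 1 pro-only = 6 pro).
SAMPLE = """\
5 new OPEN, 6 new PRO (5 + 1)

Open:

  • 2060779 - ET WEB_SPECIFIC_APPS DocsGPT Remote Code Execution Attempt (CVE-2025-0868) (web_specific_apps.rules)
  • 2060781 - ET MALWARE Observed DNS Query to ClickFix Domain (booking-sup-lang-eng .com) (malware.rules)
  • 2060786 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gentlbecomfort .world/Lofg) (malware.rules)
  • 2060796 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (www .smartcn .cn) (exploit_kit.rules)
  • 2060798 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (catalog .sjsailboats .com) (malware.rules)

Pro:

  • 2860673 - ETPRO EXPLOIT Microsoft MapUrlToZone Security Feature Bypass (CVE-2025-21247) (exploit.rules)
"""

SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
RULE_RE = re.compile(
    r"^\s*•\s*(\d+)\s+-\s+(ET(?:PRO)?)\s+(\S+)\s+(.*)\s+\(([\w.]+\.rules)\)\s*$")
# Domains in rule names are defanged with a space before each dot ("www .smartcn .cn"),
# optionally followed by a URL path ("gentlbecomfort .world/Lofg").
DEFANGED_RE = re.compile(r"\b([A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+)(/[\w./-]*)?")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# SID ranges as seen in this update; an assumption, adjust if the vendor allocates differently.
SID_RANGES = {"ET": (2000000, 2099999), "ETPRO": (2800000, 2899999)}


@dataclass
class Rule:
    sid: int
    ruleset: str    # "ET" (open) or "ETPRO"
    category: str   # e.g. MALWARE, EXPLOIT_KIT
    msg: str        # message minus the SID/category prefix and the .rules suffix
    rulefile: str   # e.g. malware.rules


def parse_summary(text):
    """Return (rules, counts) from update-summary text; counts is None if no count line."""
    rules, counts = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            counts = dict(zip(("open", "pro", "shared", "pro_only"), map(int, m.groups())))
            continue
        m = RULE_RE.match(line)
        if m:
            sid, ruleset, category, msg, rulefile = m.groups()
            rules.append(Rule(int(sid), ruleset, category, msg.strip(), rulefile))
    return rules, counts


def check_counts(rules, counts):
    """Cross-check the count line against the listed rules; returns a list of problems."""
    if counts is None:
        return ["no count line found"]
    problems = []
    n_open = sum(1 for r in rules if r.ruleset == "ET")
    n_pro_only = sum(1 for r in rules if r.ruleset == "ETPRO")
    # PRO is the open set plus pro-only rules, so shared == open and shared + pro_only == pro.
    if counts["shared"] != counts["open"] or counts["shared"] + counts["pro_only"] != counts["pro"]:
        problems.append("count line is internally inconsistent: %r" % counts)
    if n_open != counts["open"]:
        problems.append("listed %d open rules, count line says %d" % (n_open, counts["open"]))
    if n_pro_only != counts["pro_only"]:
        problems.append("listed %d pro-only rules, count line says %d" % (n_pro_only, counts["pro_only"]))
    sids = [r.sid for r in rules]
    if len(sids) != len(set(sids)):
        problems.append("duplicate SIDs in list")
    for r in rules:
        lo, hi = SID_RANGES[r.ruleset]
        if not lo <= r.sid <= hi:
            problems.append("sid %d outside expected %s range" % (r.sid, r.ruleset))
    return problems


def extract_iocs(rules):
    """Refang domains/URLs and collect CVE IDs from the rule messages."""
    iocs = {"domains": set(), "urls": set(), "cves": set()}
    for r in rules:
        iocs["cves"].update(CVE_RE.findall(r.msg))
        for dom, path in DEFANGED_RE.findall(r.msg):
            domain = dom.replace(" .", ".").lower()
            iocs["domains"].add(domain)
            if path:
                iocs["urls"].add(domain + path)
    return iocs


if __name__ == "__main__":
    rules, counts = parse_summary(SAMPLE)
    print("problems:", check_counts(rules, counts) or "none")
    for kind, values in sorted(extract_iocs(rules).items()):
        print(kind, sorted(values))
```

Run it on the full text of an update and the domain list can go straight into a DNS/TLS SNI retro-hunt for the days before the rules shipped; the count check catches a truncated copy of the summary before anyone trusts the SID list.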