Ruleset Update Summary - 2025/03/13 - v10878

Ruleset Updates
1

Summary:

47 new OPEN, 67 new PRO (47 + 20)

Thanks @AWNetworks

Added rules:

Open:

  • 2060821 - ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891) (web_specific_apps.rules)
  • 2060822 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (nxtbook .com) in DNS Lookup (malware.rules)
  • 2060823 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (fowlerkiawindsor .com) in DNS Lookup (malware.rules)
  • 2060824 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (hep2go .com) in DNS Lookup (malware.rules)
  • 2060825 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (gilchristautomotive .com) in DNS Lookup (malware.rules)
  • 2060826 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (genesisofkennesaw .com) in DNS Lookup (malware.rules)
  • 2060827 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (randywisebuickgmc .com) in DNS Lookup (malware.rules)
  • 2060828 - ET MALWARE Observed DNS Query to ClickFix Domain in Domain (machaiford .com) in DNS Lookup (malware.rules)
  • 2060829 - ET MALWARE Observed ClickFix Domain (nxtbook .com) in TLS SNI (malware.rules)
  • 2060830 - ET MALWARE Observed ClickFix Domain (fowlerkiawindsor .com) in TLS SNI (malware.rules)
  • 2060831 - ET MALWARE Observed ClickFix Domain (hep2go .com) in TLS SNI (malware.rules)
  • 2060832 - ET MALWARE Observed ClickFix Domain (gilchristautomotive .com) in TLS SNI (malware.rules)
  • 2060833 - ET MALWARE Observed ClickFix Domain (genesisofkennesaw .com) in TLS SNI (malware.rules)
  • 2060834 - ET MALWARE Observed ClickFix Domain (randywisebuickgmc .com) in TLS SNI (malware.rules)
  • 2060835 - ET MALWARE Observed ClickFix Domain (machaiford .com) in TLS SNI (malware.rules)
  • 2060836 - ET MALWARE Observed ClickFix Domain (noritter .com) in DNS Lookup (malware.rules)
  • 2060837 - ET MALWARE Observed ClickFix Domain (deliveryoka .com) in DNS Lookup (malware.rules)
  • 2060838 - ET MALWARE Observed ClickFix Domain (security-confirmation .help) in DNS Lookup (malware.rules)
  • 2060839 - ET MALWARE Observed ClickFix Domain (myvocabulary .com) in DNS Lookup (malware.rules)
  • 2060840 - ET MALWARE Observed ClickFix Domain (id .kickfire .com) in DNS Lookup (malware.rules)
  • 2060841 - ET MALWARE Observed ClickFix Domain (tapestryoftruth .com) in DNS Lookup (malware.rules)
  • 2060842 - ET MALWARE Observed ClickFix Domain (noritter .com) in TLS SNI (malware.rules)
  • 2060843 - ET MALWARE Observed ClickFix Domain (deliveryoka .com) in TLS SNI (malware.rules)
  • 2060844 - ET MALWARE Observed ClickFix Domain (security-confirmation .help) in TLS SNI (malware.rules)
  • 2060845 - ET MALWARE Observed ClickFix Domain (myvocabulary .com) in TLS SNI (malware.rules)
  • 2060846 - ET MALWARE Observed ClickFix Domain (id .kickfire .com) in TLS SNI (malware.rules)
  • 2060847 - ET MALWARE Observed ClickFix Domain (tapestryoftruth .com) in TLS SNI (malware.rules)
  • 2060848 - ET MALWARE Observed ClickFix Domain (main-connection .click) in DNS Lookup (malware.rules)
  • 2060849 - ET MALWARE Observed ClickFix Domain (authentication-to .help) in DNS Lookup (malware.rules)
  • 2060850 - ET MALWARE Observed ClickFix Domain (open-connect-to-cdn .cc) in DNS Lookup (malware.rules)
  • 2060851 - ET MALWARE Observed ClickFix Domain (connection .click) in DNS Lookup (malware.rules)
  • 2060852 - ET MALWARE Observed ClickFix Domain (westmaidentrue .click) in DNS Lookup (malware.rules)
  • 2060853 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (astralconnec .icu) (malware.rules)
  • 2060854 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (astralconnec .icu) in TLS SNI (malware.rules)
  • 2060855 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (citydisco .bet) (malware.rules)
  • 2060856 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (citydisco .bet) in TLS SNI (malware.rules)
  • 2060857 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (menuedgarli .shop) (malware.rules)
  • 2060858 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (menuedgarli .shop) in TLS SNI (malware.rules)
  • 2060859 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (cyberetc .com) (exploit_kit.rules)
  • 2060860 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (cyberetc .com) (exploit_kit.rules)
  • 2060861 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (movtime76 .shop) (exploit_kit.rules)
  • 2060862 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (movtime76 .shop) (exploit_kit.rules)
  • 2060863 - ET MALWARE Observed ClickFix Domain (main-connection .click) in TLS SNI (malware.rules)
  • 2060864 - ET MALWARE Observed ClickFix Domain (authentication-to .help) in TLS SNI (malware.rules)
  • 2060865 - ET MALWARE Observed ClickFix Domain (open-connect-to-cdn .cc) in TLS SNI (malware.rules)
  • 2060866 - ET MALWARE Observed ClickFix Domain (connection .click) in TLS SNI (malware.rules)
  • 2060867 - ET MALWARE Observed ClickFix Domain (westmaidentrue .click) in TLS SNI (malware.rules)

Pro:

  • 2860684 - ETPRO MALWARE Generic Stealer Host Profile Exfil (malware.rules)
  • 2860685 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860686 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860687 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860688 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860689 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860690 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860691 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860692 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860693 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860694 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860695 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860696 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860698 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860701 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860702 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860703 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2060618 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (https://t .me/kz_prokla1) (malware.rules)
  • 2060619 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (https://t .me/kz_prokla1 in TLS SNI) (malware.rules)