Ruleset Update Summary - 2025/03/14 - v10881

rulesbot · March 14, 2025, 9:26pm

Summary:

36 new OPEN, 46 new PRO (36 + 10)

Added rules:

Open:

2060868 - ET MALWARE TINYSHELL appid Variant (RedPenguin) Connect Back C2 (malware.rules)
2060869 - ET MALWARE TINYSHELL to Variant (RedPenguin) Connect Back C2 (malware.rules)
2060870 - ET MALWARE TINYSHELL impad Variant Encrypted Auth Token (malware.rules)
2060871 - ET MALWARE TINYSHELL impad Variant Command Packet (malware.rules)
2060872 - ET MALWARE TINYSHELL irad Variant ICMP Inbound (uSarguuS62bKRA0J) (malware.rules)
2060873 - ET MALWARE TINYSHELL irad Variant ICMP Inbound (1spCq0BMbJwCoeZn) (malware.rules)
2060874 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (support .traininghub .world) (malware.rules)
2060875 - ET MALWARE Win32/TA569 Gholoader Domain in TLS SNI (support .traininghub .world) (malware.rules)
2060876 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshairc .life) (malware.rules)
2060877 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crosshairc .life) in TLS SNI (malware.rules)
2060878 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foodieloverstop .top) (malware.rules)
2060879 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (foodieloverstop .top) in TLS SNI (malware.rules)
2060880 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fsamilyfirstlife .click) (malware.rules)
2060881 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fsamilyfirstlife .click) in TLS SNI (malware.rules)
2060882 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hingehjan .shop) (malware.rules)
2060883 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hingehjan .shop) in TLS SNI (malware.rules)
2060884 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (munitions .life) (malware.rules)
2060885 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (munitions .life) in TLS SNI (malware.rules)
2060886 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pillowrcest .life) (malware.rules)
2060887 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pillowrcest .life) in TLS SNI (malware.rules)
2060888 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screvwspa .icu) (malware.rules)
2060889 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (screvwspa .icu) in TLS SNI (malware.rules)
2060890 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weaponrywo .digital) (malware.rules)
2060891 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weaponrywo .digital) in TLS SNI (malware.rules)
2060892 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wilddthings .top) (malware.rules)
2060893 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wilddthings .top) in TLS SNI (malware.rules)
2060894 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zincaa .shop) (malware.rules)
2060895 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zincaa .shop) in TLS SNI (malware.rules)
2060896 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (paulsss .com) (exploit_kit.rules)
2060897 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (paulsss .com) (exploit_kit.rules)
2060898 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (glitterygadgets .shop) (exploit_kit.rules)
2060899 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (glitterygadgets .shop) (exploit_kit.rules)
2060900 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (support .traininghub .world) (exploit_kit.rules)
2060901 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (support .traininghub .world) (exploit_kit.rules)
2060902 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .lme-co .com) (malware.rules)
2060903 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .lme-co .com) (malware.rules)

Pro:

2860704 - ETPRO MALWARE Single Character .mp4 Download With Minimal Headers - Likely Hostile (malware.rules)
2860705 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2860706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2860707 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2860708 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2860709 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2860710 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2860711 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2860712 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2860713 - ETPRO ATTACK_RESPONSE Fake .mp4 Inbound Containing Obfuscated PowerShell (attack_response.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/01/02 - v10822 Ruleset Updates	51	January 2, 2025
Ruleset Update Summary - 2024/12/31 - v10820 Ruleset Updates	64	December 31, 2024
Ruleset Update Summary - 2025/04/07 - v10899 Ruleset Updates	91	April 7, 2025
Ruleset Update Summary - 2024/12/23 - v10813 Ruleset Updates	102	December 23, 2024
Ruleset Update Summary - 2024/11/14 - v10742 Ruleset Updates	81	November 14, 2024

Ruleset Update Summary - 2025/03/14 - v10881

Summary:

Added rules:

Open:

Pro:

Related topics