Ruleset Update Summary - 2025/03/17 - v10882

Ruleset Updates
1

Summary:

39 new OPEN, 109 new PRO (39 + 70)

Added rules:

Open:

  • 2060904 - ET INFO DYNAMIC_DNS Query to a *.bsfa .info domain (info.rules)
  • 2060905 - ET INFO DYNAMIC_DNS HTTP Request to a *.bsfa .info domain (info.rules)
  • 2060906 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (armamenti .world) (malware.rules)
  • 2060907 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (armamenti .world) in TLS SNI (malware.rules)
  • 2060908 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (armoryarch .shop) (malware.rules)
  • 2060909 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (armoryarch .shop) in TLS SNI (malware.rules)
  • 2060910 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blackeblast .run) (malware.rules)
  • 2060911 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blackeblast .run) in TLS SNI (malware.rules)
  • 2060912 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (caliberc .today) (malware.rules)
  • 2060913 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (caliberc .today) in TLS SNI (malware.rules)
  • 2060914 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (citywand .live) (malware.rules)
  • 2060915 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (citywand .live) in TLS SNI (malware.rules)
  • 2060916 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (loadoutle .life) (malware.rules)
  • 2060917 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (loadoutle .life) in TLS SNI (malware.rules)
  • 2060918 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pistolpra .bet) (malware.rules)
  • 2060919 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pistolpra .bet) in TLS SNI (malware.rules)
  • 2060920 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (selfdefens .bet) (malware.rules)
  • 2060921 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (selfdefens .bet) in TLS SNI (malware.rules)
  • 2060922 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (targett .top) (malware.rules)
  • 2060923 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (targett .top) in TLS SNI (malware.rules)
  • 2060924 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weaponwo .life) (malware.rules)
  • 2060925 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weaponwo .life) in TLS SNI (malware.rules)
  • 2060926 - ET INFO DYNAMIC_DNS Query to a *.jtizyl .net domain (info.rules)
  • 2060927 - ET INFO DYNAMIC_DNS HTTP Request to a *.jtizyl .net domain (info.rules)
  • 2060928 - ET INFO DYNAMIC_DNS Query to a *.pastrypowered .com domain (info.rules)
  • 2060929 - ET INFO DYNAMIC_DNS HTTP Request to a *.pastrypowered .com domain (info.rules)
  • 2060930 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guninfoo .run) (malware.rules)
  • 2060931 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (guninfoo .run) in TLS SNI (malware.rules)
  • 2060932 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gunlovers .top) (malware.rules)
  • 2060933 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gunlovers .top) in TLS SNI (malware.rules)
  • 2060934 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zfurrycomp .top) (malware.rules)
  • 2060935 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zfurrycomp .top) in TLS SNI (malware.rules)
  • 2060936 - ET MALWARE Generic Rust Stealer Exfiltration (POST) (malware.rules)
  • 2060937 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (opteme .com) (exploit_kit.rules)
  • 2060938 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vononline .com) (exploit_kit.rules)
  • 2060939 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (opteme .com) (exploit_kit.rules)
  • 2060940 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vononline .com) (exploit_kit.rules)
  • 2060941 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (login .icvpartners .com) (malware.rules)
  • 2060942 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (login .icvpartners .com) (malware.rules)

Pro:

  • 2860720 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860721 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860722 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860723 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860724 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860725 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860726 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860727 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860728 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860729 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860730 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860731 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860732 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860733 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860734 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860735 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860736 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860737 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860738 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860739 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860740 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860741 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860742 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860743 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860744 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860745 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860746 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2860747 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860748 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2860749 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2860750 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860751 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860752 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860753 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860754 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860755 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860756 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860757 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860758 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860759 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860760 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860761 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860762 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860763 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860764 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860765 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860766 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860767 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860768 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860769 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860770 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860771 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860772 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860773 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860774 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860775 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860776 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860777 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860778 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860779 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860780 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860781 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860782 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860783 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860784 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2860785 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2860786 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2860787 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2860788 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2860789 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)

Disabled and modified rules:

  • 2850006 - ETPRO MALWARE MSIL/ClipBanker.QS CnC Checkin (malware.rules)
  • 2850117 - ETPRO PHISHING Possible PancakeSwap Cred Phishing POST (phishing.rules)
  • 2850145 - ETPRO PHISHING Successful Generic Submission of Email (phishing.rules)
  • 2850147 - ETPRO PHISHING Generic Password Form M1 (phishing.rules)
  • 2850148 - ETPRO PHISHING Successful Generic Credential Phish POST M1 (phishing.rules)
  • 2850192 - ETPRO HUNTING Observed Honeypot Validation M1 (hunting.rules)
  • 2850455 - ETPRO INFO URL Shortener Service Domain in DNS Lookup (info.rules)