Ruleset Update Summary - 2025/03/25 - v10890

Summary:

64 new OPEN, 76 new PRO (64 + 12)

Added rules:

Open:

• 2061040 - ET WEB_SERVER Kubernetes Ingress NGINX Controller auth-url Annotation Injection (CVE-2025-24514) (web_server.rules)
• 2061041 - ET WEB_SERVER Kubernetes Ingress NGINX Controller auth-tls-match-cn Annotation Injection (CVE-2025-1097) (web_server.rules)
• 2061042 - ET WEB_SERVER Kubernetes Ingress NGINX Controller mirror UID Injection (CVE-2025-1098) (web_server.rules)
• 2061043 - ET INFO Observed DNS Query to External IP Lookup Domain (api .country .is) (info.rules)
• 2061044 - ET INFO Observed External IP Lookup Domain Domain (api .country .is in TLS SNI) (info.rules)
• 2061045 - ET INFO External IP Lookup via Country .is (info.rules)
• 2061046 - ET INFO DYNAMIC_DNS Query to a *.pmis-m .be domain (info.rules)
• 2061047 - ET INFO DYNAMIC_DNS HTTP Request to a *.pmis-m .be domain (info.rules)
• 2061048 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aadvento .run) (malware.rules)
• 2061049 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aadvento .run) in TLS SNI (malware.rules)
• 2061050 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (airwanhder .shop) (malware.rules)
• 2061051 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (airwanhder .shop) in TLS SNI (malware.rules)
• 2061052 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appgridn .live) (malware.rules)
• 2061053 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (appgridn .live) in TLS SNI (malware.rules)
• 2061054 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (byteplusx .digital) (malware.rules)
• 2061055 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (byteplusx .digital) in TLS SNI (malware.rules)
• 2061056 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cometaxk .run) (malware.rules)
• 2061057 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cometaxk .run) in TLS SNI (malware.rules)
• 2061058 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cosmosyf .top) (malware.rules)
• 2061059 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cosmosyf .top) in TLS SNI (malware.rules)
• 2061060 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (firearmsv .digital) (malware.rules)
• 2061061 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (firearmsv .digital) in TLS SNI (malware.rules)
• 2061062 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flyxaway .live) (malware.rules)
• 2061063 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flyxaway .live) in TLS SNI (malware.rules)
• 2061064 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (galarona .bet) (malware.rules)
• 2061065 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (galarona .bet) in TLS SNI (malware.rules)
• 2061066 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (galaxiay .world) (malware.rules)
• 2061067 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (galaxiay .world) in TLS SNI (malware.rules)
• 2061068 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (netbitec .live) (malware.rules)
• 2061069 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (netbitec .live) in TLS SNI (malware.rules)
• 2061070 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orbitrxh .shop) (malware.rules)
• 2061071 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orbitrxh .shop) in TLS SNI (malware.rules)
• 2061072 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pixtreev .run) (malware.rules)
• 2061073 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pixtreev .run) in TLS SNI (malware.rules)
• 2061074 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skynetxc .live) (malware.rules)
• 2061075 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (skynetxc .live) in TLS SNI (malware.rules)
• 2061076 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soliduso .digital) (malware.rules)
• 2061077 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soliduso .digital) in TLS SNI (malware.rules)
• 2061078 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sparkiob .digital) (malware.rules)
• 2061079 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sparkiob .digital) in TLS SNI (malware.rules)
• 2061080 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (travielup .top) (malware.rules)
• 2061081 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (travielup .top) in TLS SNI (malware.rules)
• 2061082 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wandberup .shop) (malware.rules)
• 2061083 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wandberup .shop) in TLS SNI (malware.rules)
• 2061084 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wxayfarer .live) (malware.rules)
• 2061085 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wxayfarer .live) in TLS SNI (malware.rules)
• 2061086 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ronsamuel .com) (exploit_kit.rules)
• 2061087 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (compralibri .com) (exploit_kit.rules)
• 2061088 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ronsamuel .com) (exploit_kit.rules)
• 2061089 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (compralibri .com) (exploit_kit.rules)
• 2061090 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (staff .tompsettsportslaw .com) (malware.rules)
• 2061091 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (staff .tompsettsportslaw .com) (malware.rules)
• 2061092 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
• 2061093 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (masteringjscode .com) (exploit_kit.rules)
• 2061094 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
• 2061095 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascriptsynergy .com) (exploit_kit.rules)
• 2061096 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (interactivejsworld .com) (exploit_kit.rules)
• 2061097 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (dynamicjsdevelopers .com) (exploit_kit.rules)
• 2061098 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)
• 2061099 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (masteringjscode .com) (exploit_kit.rules)
• 2061100 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)
• 2061101 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascriptsynergy .com) (exploit_kit.rules)
• 2061102 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (interactivejsworld .com) (exploit_kit.rules)
• 2061103 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (dynamicjsdevelopers .com) (exploit_kit.rules)

Pro:

• 2860884 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
• 2860885 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
• 2860886 - ETPRO MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
• 2860887 - ETPRO MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
• 2860888 - ETPRO MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
• 2860889 - ETPRO MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)
• 2860890 - ETPRO MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)
• 2860891 - ETPRO MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)
• 2860892 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
• 2860893 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
• 2860894 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
• 2860895 - ETPRO MALWARE Lumma Stealer CnC Activity (POST) (malware.rules)