Ruleset Update Summary - 2025/04/03 - v10897

Summary:

33 new OPEN, 34 new PRO (33 + 1)


Added rules:

Open:

  • 2061257 - ET USER_AGENTS Deprecated Xiaomi Mi Browser User-Agent Observed (user_agents.rules)
  • 2061258 - ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813) (web_specific_apps.rules)
  • 2061259 - ET WEB_SPECIFIC_APPS Kentico Xperience CMS Cross Site Scripting via Unauthenticated File Upload Attempt (CVE-2025-2748) (web_specific_apps.rules)
  • 2061260 - ET INFO DYNAMIC_DNS Query to a *.daveengineer .com domain (info.rules)
  • 2061261 - ET INFO DYNAMIC_DNS HTTP Request to a *.daveengineer .com domain (info.rules)
  • 2061262 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (candidt .live) (malware.rules)
  • 2061263 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (candidt .live) in TLS SNI (malware.rules)
  • 2061264 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (freshyu .digital) (malware.rules)
  • 2061265 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (freshyu .digital) in TLS SNI (malware.rules)
  • 2061266 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grxeasyw .digital) (malware.rules)
  • 2061267 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grxeasyw .digital) in TLS SNI (malware.rules)
  • 2061268 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingotyxx .live) (malware.rules)
  • 2061269 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ingotyxx .live) in TLS SNI (malware.rules)
  • 2061270 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jrxsafer .top) (malware.rules)
  • 2061271 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jrxsafer .top) in TLS SNI (malware.rules)
  • 2061272 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (krxspint .digital) (malware.rules)
  • 2061273 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (krxspint .digital) in TLS SNI (malware.rules)
  • 2061274 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rhxhube .run) (malware.rules)
  • 2061275 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rhxhube .run) in TLS SNI (malware.rules)
  • 2061276 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (xrfxcaseq .live) (malware.rules)
  • 2061277 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (xrfxcaseq .live) in TLS SNI (malware.rules)
  • 2061278 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ywmedici .top) (malware.rules)
  • 2061279 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ywmedici .top) in TLS SNI (malware.rules)
  • 2061280 - ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746) (web_specific_apps.rules)
  • 2061281 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liberatuie .run) (malware.rules)
  • 2061282 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (liberatuie .run) in TLS SNI (malware.rules)
  • 2061283 - ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2747) (web_specific_apps.rules)
  • 2061284 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (webproinc .com) (exploit_kit.rules)
  • 2061285 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (webproinc .com) (exploit_kit.rules)
  • 2061286 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (covaticonstructioncorp .shop) (exploit_kit.rules)
  • 2061287 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (covaticonstructioncorp .shop) (exploit_kit.rules)
  • 2061288 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (landing .survival-kitz .com) (malware.rules)
  • 2061289 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (landing .survival-kitz .com) (malware.rules)

Pro:

  • 2861058 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
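The bullet lines above follow one fixed shape, "<sid> - <msg> (<rules file>)", and the domain-based MALWARE and EXPLOIT_KIT rules come in DNS-lookup/TLS-SNI pairs around a defanged domain ("candidt .live"). The parser below, an added example and not Emerging Threats' own tooling, turns a summary in this format into structured records, re-fangs the domains so the sids can be tied to an indicator list, and cross-checks the stated OPEN/PRO counts against the bullets actually listed. The sample text is a constructed excerpt: the sids are taken from this page, but the header counts are adjusted to match the six bullets kept.

```python
"""Parse an ET ruleset update summary (added example, not ET's own code).

Assumed format, as on this page: a "Summary:" counts line
"N new OPEN, M new PRO (N + K)" where PRO is cumulative (every OPEN rule
plus K PRO-only rules), then "Added rules:" with "Open:" and "Pro:" lists of
bullets "<sid> - <msg> (<file>.rules)". Domains inside msg are defanged with
a space before each dot ("landing .survival-kitz .com").
"""
import re
from dataclasses import dataclass

# Constructed excerpt: sids copied from the page, counts adjusted to the excerpt.
SAMPLE = """\
Ruleset Update Summary - 2025/04/03 - v10897

Summary:

5 new OPEN, 6 new PRO (5 + 1)

Added rules:

Open:

  • 2061257 - ET USER_AGENTS Deprecated Xiaomi Mi Browser User-Agent Observed (user_agents.rules)
  • 2061260 - ET INFO DYNAMIC_DNS Query to a *.daveengineer .com domain (info.rules)
  • 2061262 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (candidt .live) (malware.rules)
  • 2061263 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (candidt .live) in TLS SNI (malware.rules)
  • 2061288 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (landing .survival-kitz .com) (malware.rules)

Pro:

  • 2861058 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
"""

HEADER_RE = re.compile(r"Ruleset Update Summary - (\S+) - (v\d+)")
COUNTS_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
# Non-greedy msg plus an anchored "(<file>.rules)" keeps parens inside msg intact.
BULLET_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\(([\w.-]+\.rules)\)\s*$")
MSG_RE = re.compile(r"^(ET|ETPRO)\s+([A-Z_]+)\s+(.*)$")
# Defanged domain: labels joined by " ." with an optional "*." wildcard prefix.
DOMAIN_RE = re.compile(r"(?:\*\.)?[a-z0-9-]+(?:\s\.[a-z0-9-]+)+")


@dataclass
class Rule:
    sid: int
    tier: str         # "ET" (open) or "ETPRO"
    category: str     # MALWARE, WEB_SPECIFIC_APPS, ...
    msg: str
    rules_file: str
    domains: list     # re-fanged domains named in msg (may be empty)


@dataclass
class Summary:
    date: str
    version: str
    open_expected: int
    pro_expected: int  # PRO-only rules, i.e. the "+ K" part
    open_rules: list
    pro_rules: list


def refang(defanged):
    """'candidt .live' -> 'candidt.live'; '*.x .com' -> '*.x.com'."""
    return defanged.replace(" .", ".")


def parse_rule(line):
    m = BULLET_RE.match(line)
    if not m:
        return None
    sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
    mm = MSG_RE.match(msg)
    if not mm:
        raise ValueError(f"sid {sid}: unexpected msg format {msg!r}")
    domains = [refang(d) for d in DOMAIN_RE.findall(msg)]
    return Rule(sid, mm.group(1), mm.group(2), msg, rules_file, domains)


def parse_summary(text):
    header = HEADER_RE.match(text)
    if not header:
        raise ValueError("missing 'Ruleset Update Summary' header")
    date, version = header.group(1), header.group(2)
    open_expected = pro_expected = None
    section, open_rules, pro_rules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        cm = COUNTS_RE.match(line)
        if cm:
            open_expected, pro_total, base, extra = map(int, cm.groups())
            if base != open_expected or pro_total != base + extra:
                raise ValueError(f"inconsistent counts line: {line!r}")
            pro_expected = extra
        elif line in ("Open:", "Pro:"):
            section = line[:-1].lower()
        else:
            rule = parse_rule(raw)
            if rule is not None:
                (open_rules if section == "open" else pro_rules).append(rule)
    return Summary(date, version, open_expected, pro_expected, open_rules, pro_rules)


def check_counts(s):
    """Discrepancies between the stated counts/tiers and the listed bullets."""
    problems = []
    if len(s.open_rules) != s.open_expected:
        problems.append(f"OPEN: stated {s.open_expected}, listed {len(s.open_rules)}")
    if len(s.pro_rules) != s.pro_expected:
        problems.append(f"PRO-only: stated {s.pro_expected}, listed {len(s.pro_rules)}")
    bad = [r.sid for r in s.open_rules if r.tier != "ET"]
    bad += [r.sid for r in s.pro_rules if r.tier != "ETPRO"]
    if bad:
        problems.append(f"sids in the wrong tier list: {bad}")
    return problems


def domain_indicators(s):
    """Map each re-fanged domain to the sids covering it (DNS + SNI pairs)."""
    out = {}
    for r in s.open_rules + s.pro_rules:
        for d in r.domains:
            out.setdefault(d, []).append(r.sid)
    return out


if __name__ == "__main__":
    summary = parse_summary(SAMPLE)
    print(summary.version, summary.date, check_counts(summary) or "counts OK")
    for domain, sids in domain_indicators(summary).items():
        print(f"{domain}: {sids}")
```

Running it on the full text of this page (with the real "33 new OPEN, 34 new PRO (33 + 1)" line) should return an empty list from check_counts; a non-empty list means a bullet was dropped or mis-filed during copying, which is worth knowing before the sids are used to confirm a deployment.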