Ruleset Update Summary - 2025/04/04 - v10898

Summary:

23 new OPEN, 31 new PRO (23 + 8)

Thanks @watchtowrcyber
Added rules:

Open:

  • 2061290 - ET WEB_SPECIFIC_APPS ZendTo temp_name parameter Command Injection Attempt (web_specific_apps.rules)
  • 2061291 - ET WEB_SPECIFIC_APPS AppSmith PostgreSQL Command Injection Attempt (CVE-2024-55963) (web_specific_apps.rules)
  • 2061292 - ET WEB_SPECIFIC_APPS Ivanti Connect Secure Buffer Overflow (X-Forwarded-For) (CVE-2025-22457) (web_specific_apps.rules)
  • 2061293 - ET INFO DYNAMIC_DNS Query to a *.phunkmasterz .com domain (info.rules)
  • 2061294 - ET INFO DYNAMIC_DNS HTTP Request to a *.phunkmasterz .com domain (info.rules)
  • 2061295 - ET INFO DYNAMIC_DNS Query to a *.prayerforworldpeace .com domain (info.rules)
  • 2061296 - ET INFO DYNAMIC_DNS HTTP Request to a *.prayerforworldpeace .com domain (info.rules)
  • 2061297 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pajamas-stoic-failing .shop) (malware.rules)
  • 2061298 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pajamas-stoic-failing .shop) in TLS SNI (malware.rules)
  • 2061299 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (styleclinic-beautyicon .shop) (malware.rules)
  • 2061300 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (styleclinic-beautyicon .shop) in TLS SNI (malware.rules)
  • 2061301 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (waiteralcohowl .shop) (malware.rules)
  • 2061302 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (waiteralcohowl .shop) in TLS SNI (malware.rules)
  • 2061303 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wellofflyric .click) (malware.rules)
  • 2061304 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wellofflyric .click) in TLS SNI (malware.rules)
  • 2061305 - ET WEB_SPECIFIC_APPS Apache Pinot Authentication Bypass (CVE-2024-56325) (web_specific_apps.rules)
  • 2061306 - ET WEB_SPECIFIC_APPS WordPress Plugin wp-automatic Server-Side Request Forgery (CVE-2024-27954) (web_specific_apps.rules)
  • 2061307 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (phpmyadmin .emeraldpineventures .com) (malware.rules)
  • 2061308 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (phpmyadmin .emeraldpineventures .com) (malware.rules)
  • 2061309 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gededewe .shop) (exploit_kit.rules)
  • 2061310 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gededewe .shop) (exploit_kit.rules)
  • 2061311 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (lancasternh .com) (exploit_kit.rules)
  • 2061312 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (lancasternh .com) (exploit_kit.rules)

Pro:

  • 2861059 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861060 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861061 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861062 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861063 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861064 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861065 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861066 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)