Ruleset Update Summary - 2025/04/07 - v10899

rulesbot · April 7, 2025, 8:41pm

Summary:

53 new OPEN, 69 new PRO (53 + 16)

Added rules:

Open:

2030092 - ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016) (web_specific_apps.rules)
2061313 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hopezx .run) (malware.rules)
2061314 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hopezx .run) in TLS SNI (malware.rules)
2061315 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (metalupy .digital) (malware.rules)
2061316 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (metalupy .digital) in TLS SNI (malware.rules)
2061317 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pepperiop .digital) (malware.rules)
2061318 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pepperiop .digital) in TLS SNI (malware.rules)
2061319 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plantainklj .run) (malware.rules)
2061320 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (plantainklj .run) in TLS SNI (malware.rules)
2061321 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (puerrogfh .live) (malware.rules)
2061322 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (puerrogfh .live) in TLS SNI (malware.rules)
2061323 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quavabvc .top) (malware.rules)
2061324 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quavabvc .top) in TLS SNI (malware.rules)
2061325 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rambutanvcx .run) (malware.rules)
2061326 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rambutanvcx .run) in TLS SNI (malware.rules)
2061327 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skywavej .digital) (malware.rules)
2061328 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (skywavej .digital) in TLS SNI (malware.rules)
2061329 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (virationli .site) (malware.rules)
2061330 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (virationli .site) in TLS SNI (malware.rules)
2061331 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (joyousczx .live) (malware.rules)
2061332 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (joyousczx .live) in TLS SNI (malware.rules)
2061333 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (palpableafs .live) (malware.rules)
2061334 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (palpableafs .live) in TLS SNI (malware.rules)
2061335 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rlxspoty .run) (malware.rules)
2061336 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rlxspoty .run) in TLS SNI (malware.rules)
2061337 - ET WEB_SPECIFIC_APPS Tenda AC7 SetPptpServerCfg Buffer Overflow Attempt (CVE-2025-3346) (web_specific_apps.rules)
2061338 - ET WEB_SPECIFIC_APPS Grafana Snapshot Authentication Bypass (CVE-2021-39226) (web_specific_apps.rules)
2061339 - ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208) (web_specific_apps.rules)
2061340 - ET INFO DYNAMIC_DNS Query to a *.tyden .name domain (info.rules)
2061341 - ET INFO DYNAMIC_DNS HTTP Request to a *.tyden .name domain (info.rules)
2061342 - ET INFO DYNAMIC_DNS Query to a *.scmdatasolution .com domain (info.rules)
2061343 - ET INFO DYNAMIC_DNS HTTP Request to a *.scmdatasolution .com domain (info.rules)
2061344 - ET INFO DYNAMIC_DNS Query to a *.lexgardner .com domain (info.rules)
2061345 - ET INFO DYNAMIC_DNS HTTP Request to a *.lexgardner .com domain (info.rules)
2061346 - ET INFO DYNAMIC_DNS Query to a *.shakemanor .com domain (info.rules)
2061347 - ET INFO DYNAMIC_DNS HTTP Request to a *.shakemanor .com domain (info.rules)
2061348 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advancesg .live) (malware.rules)
2061349 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (advancesg .live) in TLS SNI (malware.rules)
2061350 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (easyfwdr .digital) (malware.rules)
2061351 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (easyfwdr .digital) in TLS SNI (malware.rules)
2061352 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (furthert .run) (malware.rules)
2061353 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (furthert .run) in TLS SNI (malware.rules)
2061354 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reformzv .digital) (malware.rules)
2061355 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reformzv .digital) in TLS SNI (malware.rules)
2061356 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zestyasd .run) (malware.rules)
2061357 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestyasd .run) in TLS SNI (malware.rules)
2061358 - ET WEB_SPECIFIC_APPS Flowise Pre-Auth Arbitrary File Upload Attempt (CVE-2025-26319) (web_specific_apps.rules)
2061359 - ET WEB_SPECIFIC_APPS UNA CMS PHP Object Injection (CVE-2025-32101) (web_specific_apps.rules)
2061360 - ET WEB_SPECIFIC_APPS TP-Link Authentication Bypass Attempt (CVE-2024-57050,2024-57049) (web_specific_apps.rules)
2061361 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (lapsack .com) (exploit_kit.rules)
2061362 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (lapsack .com) (exploit_kit.rules)
2061363 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (myvrhost .viottoholdings .com) (malware.rules)
2061364 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (myvrhost .viottoholdings .com) (malware.rules)

Pro:

2861067 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861068 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861069 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861070 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861071 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861072 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861073 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861074 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861075 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861076 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861077 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861078 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
2861079 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
2861080 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
2861081 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
2861082 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Removed rules:

2030092 - ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/12/26 - v10817 Ruleset Updates	87	December 26, 2024
Ruleset Update Summary - 2024/11/29 - v10761 Ruleset Updates	43	November 29, 2024
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	123	November 12, 2024
Ruleset Update Summary - 2025/03/26 - v10891 Ruleset Updates	84	March 26, 2025
Ruleset Update Summary - 2025/03/17 - v10882 Ruleset Updates	75	March 17, 2025

Ruleset Update Summary - 2025/04/07 - v10899

Summary:

Added rules:

Open:

Pro:

Removed rules:

Related topics