Ruleset Update Summary - 2025/04/11 - v10903

Summary:

60 new OPEN, 63 new PRO (60 + 3)

Thanks @g0njxa, @sublime_sec, @Lab52io, @sucurisecurity, @GDATA


Added rules:

Open:

  • 2061449 - ET MALWARE StealC v2 CnC Checkin (POST) (malware.rules)
  • 2061450 - ET MALWARE StealC v2 CnC Activity (POST) (malware.rules)
  • 2061451 - ET MALWARE StealC v2 CnC Server Response (malware.rules)
  • 2061452 - ET PHISHING Credit Card Skimming Domain (italicfonts .org) in DNS Lookup (phishing.rules)
  • 2061453 - ET PHISHING Observed Credit Card Skimmer Domain (italicfonts .org) in TLS SNI (phishing.rules)
  • 2061454 - ET MALWARE Vidar Stealer CnC Domain in DNS Lookup (fua .4t .com) (malware.rules)
  • 2061455 - ET MALWARE Observed Vidar Stealer Domain (fua .4t .com) in TLS SNI (malware.rules)
  • 2061456 - ET MALWARE Trox Stealer Related Domain (debt-collection-experts .online) in DNS Lookup (malware.rules)
  • 2061457 - ET MALWARE Trox Stealer Related Domain (debt-collection-experts .com) in DNS Lookup (malware.rules)
  • 2061458 - ET MALWARE Observed Trox Stealer Related Domain (debt-collection-experts .online) in TLS SNI (malware.rules)
  • 2061459 - ET MALWARE Observed Trox Stealer Related Domain (debt-collection-experts .com) in TLS SNI (malware.rules)
  • 2061460 - ET MALWARE Trox Stealer System Profiling Data Exfiltration Attempt (malware.rules)
  • 2061461 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (airforce1 .mmafan .biz) (malware.rules)
  • 2061462 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (bayerischemotorenwerke .nflfan .org) (malware.rules)
  • 2061463 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (michaeljacksontribute .mmafan .biz) (malware.rules)
  • 2061464 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (flightradar .mymediapc .net) (malware.rules)
  • 2061465 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (camsobservations .nhlfan .net) (malware.rules)
  • 2061466 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (marronfiveshows .serveexchange .com) (malware.rules)
  • 2061467 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (mapfre .homesecuritypc .com) (malware.rules)
  • 2061468 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (mercedesbenz .mysecuritycamera .net) (malware.rules)
  • 2061469 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (simpsonsbartmovies .stufftoread .com) (malware.rules)
  • 2061470 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (renault .hosthampster .com) (malware.rules)
  • 2061471 - ET MALWARE Observed Grandoreiro Stealer Domain (airforce1 .mmafan .biz) in TLS SNI (malware.rules)
  • 2061472 - ET MALWARE Observed Grandoreiro Stealer Domain (bayerischemotorenwerke .nflfan .org) in TLS SNI (malware.rules)
  • 2061473 - ET MALWARE Observed Grandoreiro Stealer Domain (michaeljacksontribute .mmafan .biz) in TLS SNI (malware.rules)
  • 2061474 - ET MALWARE Observed Grandoreiro Stealer Domain (flightradar .mymediapc .net) in TLS SNI (malware.rules)
  • 2061475 - ET MALWARE Observed Grandoreiro Stealer Domain (camsobservations .nhlfan .net) in TLS SNI (malware.rules)
  • 2061476 - ET MALWARE Observed Grandoreiro Stealer Domain (marronfiveshows .serveexchange .com) in TLS SNI (malware.rules)
  • 2061477 - ET MALWARE Observed Grandoreiro Stealer Domain (mapfre .homesecuritypc .com) in TLS SNI (malware.rules)
  • 2061478 - ET MALWARE Observed Grandoreiro Stealer Domain (mercedesbenz .mysecuritycamera .net) in TLS SNI (malware.rules)
  • 2061479 - ET MALWARE Observed Grandoreiro Stealer Domain (simpsonsbartmovies .stufftoread .com) in TLS SNI (malware.rules)
  • 2061480 - ET MALWARE Observed Grandoreiro Stealer Domain (renault .hosthampster .com) in TLS SNI (malware.rules)
  • 2061481 - ET INFO DYNAMIC_DNS Query to a *.aspdebugger .com domain (info.rules)
  • 2061482 - ET INFO DYNAMIC_DNS HTTP Request to a *.aspdebugger .com domain (info.rules)
  • 2061483 - ET INFO DYNAMIC_DNS Query to a *.wittesolutions .com domain (info.rules)
  • 2061484 - ET INFO DYNAMIC_DNS HTTP Request to a *.wittesolutions .com domain (info.rules)
  • 2061485 - ET INFO DYNAMIC_DNS Query to a *.megaingenieria .com domain (info.rules)
  • 2061486 - ET INFO DYNAMIC_DNS HTTP Request to a *.megaingenieria .com domain (info.rules)
  • 2061487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (adaptwrx .digital) (malware.rules)
  • 2061488 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (adaptwrx .digital) in TLS SNI (malware.rules)
  • 2061489 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dynamiczl .live) (malware.rules)
  • 2061490 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dynamiczl .live) in TLS SNI (malware.rules)
  • 2061491 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elvernwood .digital) (malware.rules)
  • 2061492 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (elvernwood .digital) in TLS SNI (malware.rules)
  • 2061493 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (modtunes .live) (malware.rules)
  • 2061494 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (modtunes .live) in TLS SNI (malware.rules)
  • 2061495 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiltvc .digital) (malware.rules)
  • 2061496 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tiltvc .digital) in TLS SNI (malware.rules)
  • 2061497 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (transatcitov .cfd) (malware.rules)
  • 2061498 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (transatcitov .cfd) in TLS SNI (malware.rules)
  • 2061499 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wucijyi .shop) (malware.rules)
  • 2061500 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wucijyi .shop) in TLS SNI (malware.rules)
  • 2061501 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (waxworkx .com) (exploit_kit.rules)
  • 2061502 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (skatkat .com) (exploit_kit.rules)
  • 2061503 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (waxworkx .com) (exploit_kit.rules)
  • 2061504 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (skatkat .com) (exploit_kit.rules)
  • 2061505 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (izone .digital) (exploit_kit.rules)
  • 2061506 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (izone .digital) (exploit_kit.rules)
  • 2061507 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .gemstonebookkeepingservices .com) (malware.rules)
  • 2061508 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .gemstonebookkeepingservices .com) (malware.rules)

Pro:

  • 2861122 - ETPRO PHISHING Job Scam Phishing Landing Page M1 2025-04-09 (phishing.rules)
  • 2861123 - ETPRO PHISHING Job Scam Phishing Landing Page M2 2025-04-09 (phishing.rules)
  • 2861124 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
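Most of the Open rules above are domain indicators, defanged in the summary as "label .tld" and, for the DYNAMIC_DNS entries, prefixed with "*.". The following is an added example, not part of this summary and not code from the ET ruleset: it parses lines in the summary's format, refangs the domains, records whether the rule fires on a DNS lookup, a TLS SNI or an HTTP request, and then checks the DNS-channel indicators against DNS query logs. The summary lines and log lines embedded in it are constructed samples (a subset of this update), the "timestamp client qname" log format is an assumption, and the matching semantics (plain indicators match the name and its subdomains, "*." indicators match subdomains only) are a hunting choice of this example rather than the actual ET rule content, which is not reproduced on this page.

```python
"""Pull the defanged domain indicators out of an ET ruleset update summary,
refang them, and check them against DNS query logs.

Added example; not part of the original summary or of the ET ruleset itself.
The summary line format and the log line format are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in the summary's own line format (a subset of this update).
SAMPLE_SUMMARY = """\
  • 2061449 - ET MALWARE StealC v2 CnC Checkin (POST) (malware.rules)
  • 2061454 - ET MALWARE Vidar Stealer CnC Domain in DNS Lookup (fua .4t .com) (malware.rules)
  • 2061455 - ET MALWARE Observed Vidar Stealer Domain (fua .4t .com) in TLS SNI (malware.rules)
  • 2061481 - ET INFO DYNAMIC_DNS Query to a *.aspdebugger .com domain (info.rules)
  • 2061507 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .gemstonebookkeepingservices .com) (malware.rules)
"""

# Constructed DNS query log lines: "<timestamp> <client> <qname>" (assumed format).
SAMPLE_DNS_LOG = """\
2025-04-11T09:00:01Z 10.0.0.5 www.example.com
2025-04-11T09:00:02Z 10.0.0.5 fua.4t.com.
2025-04-11T09:00:03Z 10.0.0.7 host42.aspdebugger.com
2025-04-11T09:00:04Z 10.0.0.7 aspdebugger.com
2025-04-11T09:00:05Z 10.0.0.9 CPANEL.gemstonebookkeepingservices.com
"""

# "  • <sid> - <msg> (<file>.rules)"
RULE_LINE = re.compile(
    r"^\s*•\s*(?P<sid>\d+)\s+-\s+(?P<msg>.+?)\s+\((?P<file>[\w.]+\.rules)\)\s*$")
# Defanged domain as written in the summary: labels separated by " ." and an optional "*." prefix.
DEFANGED = re.compile(r"(?:\*\.)?[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+")


@dataclass(frozen=True)
class Indicator:
    sid: int
    msg: str
    domain: str      # refanged, lower-case, no trailing dot, "*." prefix removed
    wildcard: bool   # True for "*.example.com" style (dynamic DNS provider) entries
    channel: str     # "dns", "tls_sni", "http" or "other"


def channel_of(msg):
    """Classify the rule by the protocol field its title says it inspects."""
    m = msg.lower()
    if "dns lookup" in m or "dynamic_dns query" in m:
        return "dns"
    if "tls sni" in m:
        return "tls_sni"
    if "http request" in m:
        return "http"
    return "other"


def parse_summary(text):
    """Return one Indicator per rule line that names a domain; rules without one are skipped."""
    out = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue
        for d in DEFANGED.findall(m["msg"]):
            wildcard = d.startswith("*.")
            domain = (d[2:] if wildcard else d).replace(" .", ".").lower()
            out.append(Indicator(int(m["sid"]), m["msg"], domain, wildcard, channel_of(m["msg"])))
    return out


def normalize_qname(q):
    return q.rstrip(".").lower()


def qname_hits(indicator, qname):
    """Plain indicators match the name itself and any subdomain of it;
    wildcard indicators match subdomains only, never the provider apex."""
    q = normalize_qname(qname)
    if q.endswith("." + indicator.domain):
        return True
    return q == indicator.domain and not indicator.wildcard


def match_dns_log(indicators, log_text):
    """Return (sid, client, qname) for every log line that hits a DNS-channel indicator."""
    hits = []
    dns_iocs = [i for i in indicators if i.channel == "dns"]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # malformed line: skip rather than guess
        _ts, client, qname = parts
        for ioc in dns_iocs:
            if qname_hits(ioc, qname):
                hits.append((ioc.sid, client, normalize_qname(qname)))
    return hits


if __name__ == "__main__":
    iocs = parse_summary(SAMPLE_SUMMARY)
    for i in iocs:
        print(i.sid, i.channel, ("*." if i.wildcard else "") + i.domain)
    for hit in match_dns_log(iocs, SAMPLE_DNS_LOG):
        print("HIT", *hit)
```

The TLS SNI entries are kept in the parsed output but deliberately not used for DNS matching, so the same domain appearing under two SIDs (DNS lookup and TLS SNI) is attributed to the right rule; feeding SNI values from TLS logs through the "tls_sni" indicators is the matching step for the other half of each pair.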