Ruleset Update Summary - 2025/04/21 - v10910

rulesbot · April 21, 2025, 8:27pm

Summary:

33 new OPEN, 51 new PRO (33 + 18)

Added rules:

Open:

2061755 - ET INFO DYNAMIC_DNS Query to a *.mushkoorfoods .co .uk domain (info.rules)
2061756 - ET INFO DYNAMIC_DNS HTTP Request to a *.mushkoorfoods .co .uk domain (info.rules)
2061757 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (meerkaty .digital) (malware.rules)
2061758 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (meerkaty .digital) in TLS SNI (malware.rules)
2061759 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (newzeconi .digital) (malware.rules)
2061760 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (newzeconi .digital) in TLS SNI (malware.rules)
2061761 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shootef .world) (malware.rules)
2061762 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shootef .world) in TLS SNI (malware.rules)
2061763 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bisonq .live) (malware.rules)
2061764 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bisonq .live) in TLS SNI (malware.rules)
2061765 - ET WEB_SPECIFIC_APPS Exhibitor UI Command Injection Attempt Inbound (CVE-2019-5029) (web_specific_apps.rules)
2061766 - ET WEB_SPECIFIC_APPS IBM Informix Open Admin PHP RCE Attempt Inbound (CVE-2017-1092) (web_specific_apps.rules)
2061767 - ET EXPLOIT Belkin N750 Buffer Overflow Attempt (exploit.rules)
2061768 - ET EXPLOIT Sophos Web Appliance RCE Attempt Inbound (CVE-2013-4983) (exploit.rules)
2061769 - ET HUNTING HTTP H2C Smuggling - HTTP2-Settings Omitted in Connection Header (hunting.rules)
2061770 - ET WEB_SPECIFIC_APPS GLPI < 10.0.17 Pre-Auth SQL Injection (CVE-2025-24799) (web_specific_apps.rules)
2061771 - ET WEB_SPECIFIC_APPS GLPI < 10.0.17 Authenticated Remote Code Execution (CVE-2025-24801) (web_specific_apps.rules)
2061772 - ET WEB_SPECIFIC_APPS GLPI < 10.0.17 Authenticated Local File Inclusion (web_specific_apps.rules)
2061773 - ET MALWARE UNK NSFWBot CnC Activity (GET) (malware.rules)
2061774 - ET WEB_SPECIFIC_APPS Yi IOT XY-3820 Daemon Service Directory Traversal Attempt (web_specific_apps.rules)
2061775 - ET WEB_SPECIFIC_APPS Yi IOT XY-3820 cmd Service Unauthenticated Remote Code Execution Attempt (web_specific_apps.rules)
2061776 - ET MALWARE UNK NSFWBot CnC Command Inbound (malware.rules)
2061777 - ET MALWARE UNK NSFWBot C2 Additional Time Request (malware.rules)
2061778 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nettixx .com) (exploit_kit.rules)
2061779 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (kriegerspub .com) (exploit_kit.rules)
2061780 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (talklc .com) (exploit_kit.rules)
2061781 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nettixx .com) (exploit_kit.rules)
2061782 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (kriegerspub .com) (exploit_kit.rules)
2061783 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (talklc .com) (exploit_kit.rules)
2061784 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fuckhdmov .top) (exploit_kit.rules)
2061785 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (layardrama21 .top) (exploit_kit.rules)
2061786 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .freein-deed .com) (malware.rules)
2061787 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .freein-deed .com) (malware.rules)

Pro:

2809485 - ETPRO WEB_SPECIFIC_APPS Blitz CMS Community SQLi Request (web_specific_apps.rules)
2861196 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2861197 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861198 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861199 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861200 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861201 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861205 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861206 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861207 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861208 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861210 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861211 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861212 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2053253 - ET MALWARE Observed MageCart Domain (ctotech .store in TLS SNI) (malware.rules)
2053254 - ET MALWARE Observed MageCart Domain (drgibit .click in TLS SNI) (malware.rules)
2053255 - ET MALWARE Observed MageCart Domain (vidbent .shop in TLS SNI) (malware.rules)
2053256 - ET MALWARE Observed MageCart Domain (neznlink .store in TLS SNI) (malware.rules)
2053257 - ET MALWARE Observed MageCart Domain (sudtech .online in TLS SNI) (malware.rules)
2053258 - ET MALWARE Observed MageCart Domain (antelec .click in TLS SNI) (malware.rules)
2053259 - ET MALWARE Observed MageCart Domain (cvyatop .online in TLS SNI) (malware.rules)
2053260 - ET MALWARE Observed MageCart Domain (tutic .click in TLS SNI) (malware.rules)
2053261 - ET MALWARE Observed MageCart Domain (zarelec .quest in TLS SNI) (malware.rules)
2053262 - ET MALWARE Observed MageCart Domain (saponline .site in TLS SNI) (malware.rules)
2053263 - ET MALWARE Observed MageCart Domain (mistlink .online in TLS SNI) (malware.rules)
2053264 - ET MALWARE Observed MageCart Domain (reshnot .quest in TLS SNI) (malware.rules)
2053265 - ET MALWARE Observed MageCart Domain (zakit .quest in TLS SNI) (malware.rules)
2053266 - ET MALWARE Observed MageCart Domain (temninch .site in TLS SNI) (malware.rules)
2053267 - ET MALWARE Observed MageCart Domain (rijtech .shop in TLS SNI) (malware.rules)
2053268 - ET MALWARE Observed MageCart Domain (mokamob .site in TLS SNI) (malware.rules)
2053330 - ET MALWARE DNS Query to Merlin C2 Domain (cloud .keepasses .com) (malware.rules)
2053332 - ET MALWARE DNS Query to Merlin C2 Domain (scancenter .trendrealtime .com) (malware.rules)
2053333 - ET MALWARE Observed Merlin C2 Domain (scancenter .trendrealtime .com in TLS SNI) (malware.rules)
2053334 - ET MALWARE Observed Merlin C2 Domain (cloud .keepasses .com in TLS SNI) (malware.rules)
2053335 - ET MALWARE DNS Query to PhantomNet C2 Domain (associate .freeonlinelearning .com) (malware.rules)
2053336 - ET MALWARE Observed PhantomNet C2 Domain (associate .freeonlinelearningtech .com in TLS SNI) (malware.rules)
2053337 - ET MALWARE Observed PhantomNet C2 Domain (associate .freeonlinelearning .com in TLS SNI) (malware.rules)
2053338 - ET MALWARE DNS Query to PhantomNet C2 Domain (associate .freeonlinelearningtech .com) (malware.rules)
2053339 - ET MALWARE DNS Query to CCoreDoor Domain (message .ooguy .com) (malware.rules)
2053340 - ET MALWARE Observed CCoreDoor C2 Domain (message .ooguy .com in TLS SNI) (malware.rules)
2053343 - ET MALWARE DNS Query to Cobalt Strike Domain (dnsspeedtest2022 .com) (malware.rules)
2053344 - ET MALWARE Observed Cobalt Strike Domain (dnsspeedtest2022 .com in TLS SNI) (malware.rules)
2053412 - ET MALWARE DNS Query to ClearFake Domain (businessresources .ltd) (malware.rules)
2053413 - ET MALWARE Observed ClearFake Domain (businessresources .ltd in TLS SNI) (malware.rules)
2053415 - ET MALWARE ClearFake CnC Activity Outbound (source_id) (malware.rules)
2053490 - ET MALWARE ClearFake CnC Domain in DNS Lookup (drinkresources .rest) (malware.rules)
2053491 - ET MALWARE ClearFake CnC Domain in DNS Lookup (artservice .online) (malware.rules)
2053492 - ET MALWARE Observed ClearFake Domain (drinkresources .rest in TLS SNI) (malware.rules)
2053493 - ET MALWARE Observed ClearFake Domain (artservice .online in TLS SNI) (malware.rules)
2053732 - ET MALWARE DNS Query to ClickFix Domain (test-1627838 .shop) (malware.rules)
2053733 - ET MALWARE Observed ClickFix Domain (oazevents .com in TLS SNI) (malware.rules)
2053734 - ET MALWARE Observed ClickFix Domain (test-1627838 .shop in TLS SNI) (malware.rules)
2053735 - ET MALWARE DNS Query to ClearFake Domain (zerosoftware .tech) (malware.rules)
2053736 - ET MALWARE DNS Query to ClearFake Domain (pchelpsrwizardpro .com) (malware.rules)
2053737 - ET MALWARE DNS Query to ClearFake Domain (pchelprwizzards .com) (malware.rules)
2053738 - ET MALWARE DNS Query to ClearFake Domain (pchelprowizard .com) (malware.rules)
2053739 - ET MALWARE Observed ClearFake Domain (zerosoftware .tech in TLS SNI) (malware.rules)
2053740 - ET MALWARE Observed ClearFake Domain (pchelpsrwizardpro .com in TLS SNI) (malware.rules)
2053741 - ET MALWARE Observed ClearFake Domain (pchelprwizzards .com in TLS SNI) (malware.rules)
2053742 - ET MALWARE Observed ClearFake Domain (pchelprowizard .com in TLS SNI) (malware.rules)
2053743 - ET MALWARE DNS Query to ClearFake Domain (ghufal .answermedia .site) (malware.rules)
2053744 - ET MALWARE Observed ClearFake Domain (ghufal .answermedia .site in TLS SNI) (malware.rules)
2053768 - ET MALWARE DNS Query to ClickFix Related Domain (x8f7a89 .pics) (malware.rules)
2053769 - ET MALWARE DNS Query to ClickFix Related Domain (ndas8m92 .lol) (malware.rules)
2053770 - ET MALWARE DNS Query to ClickFix Related Domain (flynews .us) (malware.rules)
2053771 - ET MALWARE Observed ClickFix Domain (x8f7a89 .pics in TLS SNI) (malware.rules)
2053772 - ET MALWARE Observed ClickFix Domain (ndas8m92 .lol in TLS SNI) (malware.rules)
2053773 - ET MALWARE Observed ClickFix Domain (flynews .us in TLS SNI) (malware.rules)
2053788 - ET MALWARE DNS Query to ClickFix Domain (cleanway .5asec .fr) (malware.rules)
2053789 - ET MALWARE Observed ClickFix Domain (cleanway .5asec .fr in TLS SNI) (malware.rules)
2053872 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Supply Chain Attack Related Domain (hostpdf .co) (malware.rules)
2053873 - ET MALWARE Observed Wordpress Social Warfare Plugin Supply Chain Attack Related Domain (hostpdf .co in TLS SNI) (malware.rules)
2053874 - ET ADWARE_PUP DNS Query to CoinMiner Proxy Domain (xmrminingproxy .com) (adware_pup.rules)
2053875 - ET MALWARE Observed CoinMiner Proxy Domain (xmrminingproxy .com in TLS SNI) (malware.rules)
2054020 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Exploit Related Domain (online-vip-dating .com) (malware.rules)
2054021 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Exploit Related Domain (face-your-dreams .com) (malware.rules)
2054022 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Exploit Related Domain (onlinechatconnections .com) (malware.rules)
2054023 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Exploit Related Domain (silver-dates .com) (malware.rules)
2054024 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Exploit Related Domain (matchingsingles .net) (malware.rules)
2054342 - ET MALWARE UNK_ConsoleCollie CnC Domain in DNS Lookup (chemdl .gangtao .live) (malware.rules)
2054343 - ET MALWARE Observed UNK_ConsoleCollie Domain (conn .phmdbad .live in TLS SNI) (malware.rules)
2054344 - ET MALWARE Observed UNK_ConsoleCollie Domain (chemdl .gangtao .live in TLS SNI) (malware.rules)
2054345 - ET MALWARE Xworm CnC Domain in DNS Lookup (223 .ip .ply .gg) (malware.rules)
2054347 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (analforeverlove .top) (malware.rules)
2054348 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzfift15ht .top) (malware.rules)
2054349 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzeight18pt .top) (malware.rules)
2054351 - ET MALWARE Observed Cryptbot Domain (analforeverlove .top in TLS SNI) (malware.rules)
2054352 - ET MALWARE Observed Cryptbot Domain (rzfift15ht .top in TLS SNI) (malware.rules)
2054353 - ET MALWARE Observed Cryptbot Domain (rzeight18pt .top in TLS SNI) (malware.rules)
2857188 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
2857189 - ETPRO MALWARE ClickFix CnC Activity (GET) (malware.rules)
2857201 - ETPRO MALWARE Atera DMM Related Domain in DNS Lookup (malware.rules)
2857202 - ETPRO MALWARE Observed Atera DMM Related Domain in TLS SNI (malware.rules)
2857517 - ETPRO PHISHING DNS Query to GoPhish Domain (phishing.rules)
2857518 - ETPRO PHISHING Observed GoPhish Domain in TLS SNI (phishing.rules)

Removed rules:

2809485 - ETPRO MALWARE Blitz CMS Community SQLi Request (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/11 - v10739 Ruleset Updates	105	November 11, 2024
Ruleset Update Summary - 2024/12/26 - v10817 Ruleset Updates	87	December 26, 2024
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	123	November 12, 2024
Ruleset Update Summary - 2025/04/07 - v10899 Ruleset Updates	103	April 7, 2025
Ruleset Update Summary - 2025/03/17 - v10882 Ruleset Updates	79	March 17, 2025

Ruleset Update Summary - 2025/04/21 - v10910

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics