Ruleset Update Summary - 2025/04/22 - v10911

Ruleset Updates
1

Summary:

18 new OPEN, 26 new PRO (18 + 8)

Thanks @g0njxa, KevinRoss, darses, @sekoia_io

Added rules:

Open:

  • 2061788 - ET WEB_SPECIFIC_APPS BentoML Unauthenticated Remote Command Execution via Insecure Deserialization (CVE-2025-27520) (web_specific_apps.rules)
  • 2061789 - ET MALWARE StealC v2 Fake 404 Page Observed (malware.rules)
  • 2061790 - ET INFO Potentially Vulnerable Erlang/OTP SSH Server Banner (CVE-2025-32433) (info.rules)
  • 2061791 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jjpalace .com) (exploit_kit.rules)
  • 2061792 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jjpalace .com) (exploit_kit.rules)
  • 2061793 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (apelmerah .top) (exploit_kit.rules)
  • 2061794 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (apelmerah .top) (exploit_kit.rules)
  • 2061795 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .gatecollegesystem .com) (malware.rules)
  • 2061796 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .gatecollegesystem .com) (malware.rules)
  • 2061797 - ET EXPLOIT SSH Erlang/OTP SSH Server Unencryped Channel Request (Message Type 98) (CVE-2025-32433) (exploit.rules)
  • 2061798 - ET EXPLOIT SSH Client Key Exchange Init Cookie Null (exploit.rules)
  • 2061799 - ET WEB_SPECIFIC_APPS TOTOLINK N600R cstecgi.cgi ipDoamin parameter Command Injection Attempt (CVE-2022-26187) (web_specific_apps.rules)
  • 2061800 - ET WEB_SPECIFIC_APPS TOTOLINK N600R cstecgi.cgi hostTime parameter Command Injection Attempt (CVE-2022-26188) (web_specific_apps.rules)
  • 2061801 - ET WEB_SPECIFIC_APPS TOTOLINK N600R cstecgi.cgi langType parameter Command Injection Attempt (CVE-2022-26189) (web_specific_apps.rules)
  • 2061802 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .valleypreptutoring .us) (malware.rules)
  • 2061803 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .valleypreptutoring .us) (malware.rules)
  • 2061804 - ET MALWARE Interlock RAT CnC Checkin (malware.rules)
  • 2061805 - ET EXPLOIT SSH Erlang/OTP SSH Server Unencryped Channel Open (Message Type 90) (CVE-2025-32433) (exploit.rules)

Pro:

  • 2861213 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861214 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861215 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861216 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861219 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2061785 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (layardrama21 .top) (exploit_kit.rules)