Ruleset Update Summary - 2025/04/28 - v10915

Summary:

60 new OPEN, 107 new PRO (60 + 47)


Added rules:

Open:

  • 2061898 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coderspartk .digital) (malware.rules)
  • 2061899 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (coderspartk .digital) in TLS SNI (malware.rules)
  • 2061900 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dannyleagy .fun) (malware.rules)
  • 2061901 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dannyleagy .fun) in TLS SNI (malware.rules)
  • 2061902 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gorillao .digital) (malware.rules)
  • 2061903 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gorillao .digital) in TLS SNI (malware.rules)
  • 2061904 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quonecony .live) (malware.rules)
  • 2061905 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quonecony .live) in TLS SNI (malware.rules)
  • 2061906 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (regardvelvettynerverf .site) (malware.rules)
  • 2061907 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (regardvelvettynerverf .site) in TLS SNI (malware.rules)
  • 2061908 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rusconfi .run) (malware.rules)
  • 2061909 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rusconfi .run) in TLS SNI (malware.rules)
  • 2061910 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techwaveg .run) (malware.rules)
  • 2061911 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techwaveg .run) in TLS SNI (malware.rules)
  • 2061912 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (transdataa .digital) (malware.rules)
  • 2061913 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (transdataa .digital) in TLS SNI (malware.rules)
  • 2061914 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (willywilk .fun) (malware.rules)
  • 2061915 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (willywilk .fun) in TLS SNI (malware.rules)
  • 2061916 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (woodpeckersd .run) (malware.rules)
  • 2061917 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (woodpeckersd .run) in TLS SNI (malware.rules)
  • 2061918 - ET INFO DYNAMIC_DNS Query to a *.moldeo .org domain (info.rules)
  • 2061919 - ET INFO DYNAMIC_DNS HTTP Request to a *.moldeo .org domain (info.rules)
  • 2061920 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hungreecoq .run) (malware.rules)
  • 2061921 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hungreecoq .run) in TLS SNI (malware.rules)
  • 2061922 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mediaflowq .run) (malware.rules)
  • 2061923 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mediaflowq .run) in TLS SNI (malware.rules)
  • 2061924 - ET WEB_SPECIFIC_APPS SAP Netweaver Unauthenticated File Upload Attempt (JSP Webshell) (CVE-2025-31324) (web_specific_apps.rules)
  • 2061925 - ET INFO DYNAMIC_DNS Query to a *.rheinfathia .com domain (info.rules)
  • 2061926 - ET INFO DYNAMIC_DNS HTTP Request to a *.rheinfathia .com domain (info.rules)
  • 2061927 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bardcauft .run) (malware.rules)
  • 2061928 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bardcauft .run) in TLS SNI (malware.rules)
  • 2061929 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bearjk .live) (malware.rules)
  • 2061930 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bearjk .live) in TLS SNI (malware.rules)
  • 2061931 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (buzzarddf .live) (malware.rules)
  • 2061932 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (buzzarddf .live) in TLS SNI (malware.rules)
  • 2061933 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fishgh .digital) (malware.rules)
  • 2061934 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fishgh .digital) in TLS SNI (malware.rules)
  • 2061935 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lemurz .digital) (malware.rules)
  • 2061936 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI (malware.rules)
  • 2061937 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobitront .run) (malware.rules)
  • 2061938 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mobitront .run) in TLS SNI (malware.rules)
  • 2061939 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (parakehjet .run) (malware.rules)
  • 2061940 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (parakehjet .run) in TLS SNI (malware.rules)
  • 2061941 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (smartbitsx .digital) (malware.rules)
  • 2061942 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (smartbitsx .digital) in TLS SNI (malware.rules)
  • 2061943 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surmisehotte .click) (malware.rules)
  • 2061944 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (surmisehotte .click) in TLS SNI (malware.rules)
  • 2061945 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (intelhube .live) (malware.rules)
  • 2061946 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (intelhube .live) in TLS SNI (malware.rules)
  • 2061947 - ET WEB_SPECIFIC_APPS GL-iNet Authentication Bypass attempt (CVE-2024-45261) (web_specific_apps.rules)
  • 2061948 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jimriehls .com) (exploit_kit.rules)
  • 2061949 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jimriehls .com) (exploit_kit.rules)
  • 2061950 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (smart-american .com) (exploit_kit.rules)
  • 2061951 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (smart-american .com) (exploit_kit.rules)
  • 2061952 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (xelesex .top) (exploit_kit.rules)
  • 2061953 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (xelesex .top) (exploit_kit.rules)
  • 2061954 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .paulmaguire .com) (malware.rules)
  • 2061955 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .paulmaguire .com) (malware.rules)
  • 2061956 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) (exploit_kit.rules)
  • 2061957 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com) (exploit_kit.rules)

Pro:

  • 2861306 - ETPRO HUNTING Generic HTTP Header Check - http.content_len Contains Non-Numeric (hunting.rules)
  • 2861307 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861308 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861309 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861310 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861311 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861312 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861313 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861315 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861316 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861317 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861318 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861319 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861320 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2861321 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861322 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2861323 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2861324 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861325 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861326 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861327 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861328 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861329 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861330 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861331 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861332 - ETPRO HUNTING TAR Archive Inbound With Content-Type Mismatch (image/) (hunting.rules)
  • 2861333 - ETPRO HUNTING Single Character Image Downloaded via PowerShell (Likely Concealed Payload) (hunting.rules)
  • 2861334 - ETPRO ATTACK_RESPONSE Powershell Commands Embedded Within An Image (attack_response.rules)
  • 2861335 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861336 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861337 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861338 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861339 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861340 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2861341 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861342 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2861343 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2861344 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861345 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861346 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861347 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861348 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861349 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861350 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861351 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861352 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2000488 - ET EXPLOIT MS-SQL SQL Injection closing string plus line comment (exploit.rules)