Ruleset Update Summary - 2025/04/29 - v10916

rulesbot · April 29, 2025, 8:51pm

Summary:

43 new OPEN, 82 new PRO (43 + 39)

Thanks @PaloAltoNtwks

Added rules:

Open:

2061958 - ET WEB_SPECIFIC_APPS GL-iNet Authenticated Remote Code Execution Attempt (CVE-2024-45260) (web_specific_apps.rules)
2061959 - ET MALWARE Gremlin Stealer CnC Exfil (POST) (malware.rules)
2061960 - ET MALWARE Gremlin Stealer CnC Successful Exfil Confirmation (malware.rules)
2061961 - ET INFO DYNAMIC_DNS Query to a *.incorpnow .cn domain (info.rules)
2061962 - ET INFO FUNNULL CDN Domain in DNS Lookup (* .funnull .com) (info.rules)
2061963 - ET INFO DYNAMIC_DNS HTTP Request to a *.incorpnow .cn domain (info.rules)
2061964 - ET INFO DYNAMIC_DNS Query to a *.spoggi .com domain (info.rules)
2061965 - ET INFO DYNAMIC_DNS HTTP Request to a *.spoggi .com domain (info.rules)
2061966 - ET INFO Observed FUNNULL CDN Domain (funnull .com in TLS SNI) (info.rules)
2061967 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (btcgeared .live) (malware.rules)
2061968 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (btcgeared .live) in TLS SNI (malware.rules)
2061969 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (darjkafsg .digital) (malware.rules)
2061970 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (darjkafsg .digital) in TLS SNI (malware.rules)
2061971 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medimado .run) (malware.rules)
2061972 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (medimado .run) in TLS SNI (malware.rules)
2061973 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sorcery .digital) (malware.rules)
2061974 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sorcery .digital) in TLS SNI (malware.rules)
2061975 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techguidet .digital) (malware.rules)
2061976 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techguidet .digital) in TLS SNI (malware.rules)
2061977 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techsyncq .run) (malware.rules)
2061978 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techsyncq .run) in TLS SNI (malware.rules)
2061979 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zenithcorde .top) (malware.rules)
2061980 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zenithcorde .top) in TLS SNI (malware.rules)
2061981 - ET INFO FUNNULL CDN System Error Landing Page (Domain Not Configured) (info.rules)
2061982 - ET INFO FUNNULL CDN System Error (GET) (info.rules)
2061983 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Related Domain (life223 .center) (exploit_kit.rules)
2061984 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Related Domain (aloud745 .asia) (exploit_kit.rules)
2061985 - ET MALWARE Observed ClickFix Related Domain (life223 .center in TLS SNI) (malware.rules)
2061986 - ET EXPLOIT_KIT Observed ClickFix Related Domain (aloud745 .asia in TLS SNI) (exploit_kit.rules)
2061987 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .retiremepaul .com) (malware.rules)
2061988 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .retiremepaul .com) (malware.rules)
2061989 - ET INFO Observed DNS Query to RMM Domain (gotoresolve .com) (info.rules)
2061990 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amxdh1 .icu) (exploit_kit.rules)
2061991 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ace-project .org) (exploit_kit.rules)
2061992 - ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI) (info.rules)
2061993 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amxdh1 .icu) (exploit_kit.rules)
2061994 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ace-project .org) (exploit_kit.rules)
2061995 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (alapige .com) (exploit_kit.rules)
2061996 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jimriehls .com) (exploit_kit.rules)
2061997 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (alapige .com) (exploit_kit.rules)
2061998 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jimriehls .com) (exploit_kit.rules)
2061999 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (dashboard .peripl .app) (exploit_kit.rules)
2062000 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (dashboard .peripl .app) (exploit_kit.rules)

Pro:

2861353 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861354 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861355 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861356 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861357 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861358 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861359 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861360 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861361 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861362 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861363 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861364 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861365 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861366 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861367 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2861368 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861369 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861370 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861371 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861372 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861373 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861374 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861375 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861376 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861377 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861378 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861379 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861380 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861381 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861382 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
2861383 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861384 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861385 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861386 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861387 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861388 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861389 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861390 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861391 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/08/19 - v10669 Ruleset Updates	150	August 19, 2024
Ruleset Update Summary - 2025/03/20 - v10887 Ruleset Updates	92	March 20, 2025
Ruleset Update Summary - 2024/10/28 - v10729 Ruleset Updates	100	October 28, 2024
Ruleset Update Summary - 2025/04/28 - v10915 Ruleset Updates	93	April 28, 2025
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	245	March 8, 2024

Ruleset Update Summary - 2025/04/29 - v10916

Summary:

Added rules:

Open:

Pro:

Related topics