Ruleset Update Summary - 2025/04/30 - v10917

Summary:

9 new OPEN, 127 new PRO (9 + 118)


Added rules:

Open:

  • 2061985 - ET EXPLOIT_KIT Observed ClickFix Related Domain (life223 .center in TLS SNI) (exploit_kit.rules)
  • 2062001 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (portal .bottomlinepracticesolutions .com) (malware.rules)
  • 2062002 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (portal .bottomlinepracticesolutions .com) (malware.rules)
  • 2062003 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yourcialsupply .top) (exploit_kit.rules)
  • 2062004 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yourcialsupply .top) (exploit_kit.rules)
  • 2062005 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (uhaknews .com) (exploit_kit.rules)
  • 2062006 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (uhaknews .com) (exploit_kit.rules)
  • 2062007 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nodepathr .run) (malware.rules)
  • 2062008 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nodepathr .run) in TLS SNI (malware.rules)

Pro:

  • 2861392 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861393 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861394 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861395 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861396 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861397 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861398 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861399 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861400 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861401 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861402 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861403 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861404 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861405 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861406 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861407 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861408 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861409 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861410 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861411 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861412 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861413 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861414 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861415 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861416 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861417 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861418 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861419 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861420 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861421 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861422 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861423 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861424 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861425 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861426 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861427 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861428 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861429 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861430 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861431 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861432 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861433 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861434 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861435 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861436 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861437 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861438 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861439 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861440 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861441 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861442 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861443 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861444 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861445 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861446 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861447 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861448 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861449 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861450 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861451 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861452 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861453 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861454 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861455 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861456 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861457 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861458 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861459 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861460 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861461 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861462 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861463 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861464 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861465 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861466 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861467 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861468 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861469 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861470 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861471 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861472 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861473 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861474 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861475 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861476 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861477 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861478 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861479 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861480 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861481 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861482 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861483 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861484 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861485 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861486 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861487 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861488 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861489 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861490 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861491 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861492 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861493 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861494 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861495 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861496 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861497 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861498 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861499 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861500 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861501 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2861502 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861503 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861504 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861505 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861506 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861507 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861508 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861509 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2051158 - ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (getyourapi .site) (phishing.rules)
  • 2061996 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jimriehls .com) (exploit_kit.rules)
  • 2061998 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jimriehls .com) (exploit_kit.rules)
  • 2861366 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861381 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)

Removed rules:

  • 2061985 - ET MALWARE Observed ClickFix Related Domain (life223 .center in TLS SNI) (malware.rules) (re-added in this update under the same SID as ET EXPLOIT_KIT in exploit_kit.rules; this is a category move, not a retired signature)
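As an added example (not part of the Emerging Threats summary, and not ET/Proofpoint tooling): a small Python parser for this changelog layout. It extracts SID, ruleset (ET/ETPRO), category, message and rules file from each bullet, refangs the space-dotted domains ("life223 .center" becomes "life223.center") so they can be hunted in DNS and TLS logs, and flags SIDs that appear under both "Removed rules" and "Added rules", which is how a rule moved between files (2061985 here) shows up. The sample input is a constructed subset of the lines above; the regexes assume the bullet and parenthesis layout used on this page and will need adjusting if the format changes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the bullets from the v10917 summary above.
SAMPLE = """\
Added rules:

Open:

  • 2061985 - ET EXPLOIT_KIT Observed ClickFix Related Domain (life223 .center in TLS SNI) (exploit_kit.rules)
  • 2062001 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (portal .bottomlinepracticesolutions .com) (malware.rules)
  • 2062002 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (portal .bottomlinepracticesolutions .com) (malware.rules)

Pro:

  • 2861392 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2861502 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)

Disabled and modified rules:

  • 2051158 - ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (getyourapi .site) (phishing.rules)

Removed rules:

  • 2061985 - ET MALWARE Observed ClickFix Related Domain (life223 .center in TLS SNI) (malware.rules)
"""

# Section headers used by the summary; "Open:" / "Pro:" are sub-headings inside "Added rules".
SECTION_RE = re.compile(r"^(Added rules|Disabled and modified rules|Removed rules):\s*$")

# One bullet: "• <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<sid>\d+)\s*-\s*(?P<ruleset>ET|ETPRO)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<msg>.*?)\s*\((?P<file>[a-z_]+\.rules)\)\s*$"
)

# Defanged domain as written in the summary: labels separated by " ." (e.g. "life223 .center").
DEFANGED_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\s\.[A-Za-z0-9-]+)+\b")


def refang(domain):
    """Turn the summary's 'label .tld' notation back into a real hostname."""
    return domain.replace(" .", ".")


def parse_summary(text):
    """Return {section name: [entry dict, ...]} for the three rule sections."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        entry = m.groupdict()
        entry["sid"] = int(entry["sid"])
        entry["domains"] = [refang(d) for d in DEFANGED_RE.findall(entry["msg"])]
        sections[current].append(entry)
    return sections


def recategorized(sections):
    """SIDs removed and re-added in the same update: {sid: (old file, new file)}."""
    removed = {e["sid"]: e for e in sections["Removed rules"]}
    moves = {}
    for e in sections["Added rules"]:
        old = removed.get(e["sid"])
        if old is not None:
            moves[e["sid"]] = (old["file"], e["file"])
    return moves


def domain_iocs(sections):
    """Sorted, refanged domains from newly added rules, for DNS/TLS log hunting."""
    return sorted({d for e in sections["Added rules"] for d in e["domains"]})


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for name, entries in parsed.items():
        print(f"{name}: {len(entries)} entries")
    print("moved between files:", recategorized(parsed))
    print("domains to hunt:", domain_iocs(parsed))
```

The "moved between files" check matters operationally: a SID listed under "Removed rules" is easy to mistake for a retired signature and drop from local enable/disable lists, when in fact it only changed category and file.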