Ruleset Update Summary - 2025/05/02 - v10919

Summary:

29 new OPEN, 37 new PRO (29 + 8)
Added rules:

Open:

  • 2062074 - ET MALWARE TerraStealerV2 New Victim Checkin via Telegram API (malware.rules)
  • 2062075 - ET INFO DYNAMIC_DNS Query to a *.defdc .com domain (info.rules)
  • 2062076 - ET INFO DYNAMIC_DNS HTTP Request to a *.defdc .com domain (info.rules)
  • 2062077 - ET INFO DYNAMIC_DNS Query to a *.roedernallee .com domain (info.rules)
  • 2062078 - ET INFO DYNAMIC_DNS HTTP Request to a *.roedernallee .com domain (info.rules)
  • 2062079 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (baseurzv .run) (malware.rules)
  • 2062080 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (baseurzv .run) in TLS SNI (malware.rules)
  • 2062081 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eczakozmetik .net) (malware.rules)
  • 2062082 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eczakozmetik .net) in TLS SNI (malware.rules)
  • 2062083 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eczamedikal .org) (malware.rules)
  • 2062084 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eczamedikal .org) in TLS SNI (malware.rules)
  • 2062085 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lemuruy .live) (malware.rules)
  • 2062086 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemuruy .live) in TLS SNI (malware.rules)
  • 2062087 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medicalbitkisel .net) (malware.rules)
  • 2062088 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (medicalbitkisel .net) in TLS SNI (malware.rules)
  • 2062089 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orijinalecza .net) (malware.rules)
  • 2062090 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orijinalecza .net) in TLS SNI (malware.rules)
  • 2062091 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orijinalecza .org) (malware.rules)
  • 2062092 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orijinalecza .org) in TLS SNI (malware.rules)
  • 2062093 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orjinalecza .net) (malware.rules)
  • 2062094 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orjinalecza .net) in TLS SNI (malware.rules)
  • 2062095 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptorumh .live) (malware.rules)
  • 2062096 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scriptorumh .live) in TLS SNI (malware.rules)
  • 2062097 - ET MALWARE TerraStealerV2 Data Exfil via WeTransfers (malware.rules)
  • 2062098 - ET WEB_SPECIFIC_APPS Wangshen SecGate 3600 obj_area_export_save filename parameter Directory Traversal Attempt (2025-4185) (web_specific_apps.rules)
  • 2062099 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .5moves2monetizechallenge .com) (malware.rules)
  • 2062100 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .5moves2monetizechallenge .com) (malware.rules)
  • 2062101 - ET MALWARE TerraStealerV2 Victim Checkin via Telegram API (Wallet Count) (malware.rules)
  • 2062102 - ET MALWARE TerraStealerV2 CnC Telegram Bot Response (malware.rules)

Pro:

  • 2861557 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861558 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861559 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861560 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861561 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861562 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861563 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861564 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)