Ruleset Update Summary - 2025/05/05 - v10920

Summary:

23 new OPEN, 24 new PRO (23 + 1)


Added rules:

Open:

  • 2062103 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aureliae .run) (malware.rules)
  • 2062104 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aureliae .run) in TLS SNI (malware.rules)
  • 2062105 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formydab .run) (malware.rules)
  • 2062106 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (formydab .run) in TLS SNI (malware.rules)
  • 2062107 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hedgehocvg .digital) (malware.rules)
  • 2062108 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hedgehocvg .digital) in TLS SNI (malware.rules)
  • 2062109 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (himselcaked .digital) (malware.rules)
  • 2062110 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (himselcaked .digital) in TLS SNI (malware.rules)
  • 2062111 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snakejh .top) (malware.rules)
  • 2062112 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (snakejh .top) in TLS SNI (malware.rules)
  • 2062113 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tortoisgfe .top) (malware.rules)
  • 2062114 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tortoisgfe .top) in TLS SNI (malware.rules)
  • 2062115 - ET INFO DYNAMIC_DNS Query to a *.virtualsiam .com domain (info.rules)
  • 2062116 - ET INFO DYNAMIC_DNS HTTP Request to a *.virtualsiam .com domain (info.rules)
  • 2062117 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aeneasq .live) (malware.rules)
  • 2062118 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aeneasq .live) in TLS SNI (malware.rules)
  • 2062119 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drypingzyr .run) (malware.rules)
  • 2062120 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drypingzyr .run) in TLS SNI (malware.rules)
  • 2062121 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starfiswh .live) (malware.rules)
  • 2062122 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starfiswh .live) in TLS SNI (malware.rules)
  • 2062123 - ET ATTACK_RESPONSE Observed ClickFix Landing Page Inbound (attack_response.rules)
  • 2062124 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (order .meetandeatsac .com) (malware.rules)
  • 2062125 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (order .meetandeatsac .com) (malware.rules)

Pro:

  • 2861566 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Removed rules:

  • 2011803 - ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected (shellcode.rules)
  • 2011804 - ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected (shellcode.rules)
  • 2012087 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)
  • 2012088 - ET SHELLCODE Possible Call with No Offset TCP Shellcode (shellcode.rules)
  • 2012089 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)
  • 2012090 - ET SHELLCODE Possible Call with No Offset TCP Shellcode (shellcode.rules)
  • 2012091 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)
  • 2012092 - ET SHELLCODE Possible Call with No Offset TCP Shellcode (shellcode.rules)
  • 2012093 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)