Ruleset Update Summary - 2025/05/07 - v10922

Summary:

24 new OPEN, 59 new PRO (24 + 35)

Thanks @James_inthe_box


Added rules:

Open:

  • 2062145 - ET MALWARE Interlock Ransomware Fake Updater CnC Callback (malware.rules)
  • 2062146 - ET INFO DYNAMIC_DNS Query to a *.burgermap .org domain (info.rules)
  • 2062147 - ET INFO DYNAMIC_DNS HTTP Request to a *.burgermap .org domain (info.rules)
  • 2062148 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medicalbitkisel .org) (malware.rules)
  • 2062149 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (medicalbitkisel .org) in TLS SNI (malware.rules)
  • 2062150 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medikalbitkisel .net) (malware.rules)
  • 2062151 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (medikalbitkisel .net) in TLS SNI (malware.rules)
  • 2062152 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkellk .run) (malware.rules)
  • 2062153 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thinkellk .run) in TLS SNI (malware.rules)
  • 2062154 - ET MALWARE VKeylogger CnC Checkin (malware.rules)
  • 2062155 - ET MALWARE VKeylogger Payload Delivery Domain (lenovo-sync .com) in DNS Lookup (malware.rules)
  • 2062156 - ET MALWARE Observed VKeylogger Payload Delivery Domain (lenovo-sync .com) in TLS SNI (malware.rules)
  • 2062157 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aimpes .com) (exploit_kit.rules)
  • 2062158 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (aimpes .com) (exploit_kit.rules)
  • 2062159 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jerseysus .top) (exploit_kit.rules)
  • 2062160 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (christianlouboutin2017 .top) (exploit_kit.rules)
  • 2062161 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (watchesbest .top) (exploit_kit.rules)
  • 2062162 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (levciavia .top) (exploit_kit.rules)
  • 2062163 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jerseysus .top) (exploit_kit.rules)
  • 2062164 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (christianlouboutin2017 .top) (exploit_kit.rules)
  • 2062165 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (watchesbest .top) (exploit_kit.rules)
  • 2062166 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (levciavia .top) (exploit_kit.rules)
  • 2062167 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (charity .cafedantorels .com) (malware.rules)
  • 2062168 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (charity .cafedantorels .com) (malware.rules)

Pro:

  • 2861589 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861590 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861591 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861592 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861593 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861594 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861595 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861596 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861597 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861598 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861599 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861600 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861601 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861602 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861603 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861604 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861605 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861606 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861607 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861608 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861609 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861610 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861611 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861612 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861613 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861614 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861615 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861616 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861617 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861618 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861619 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861620 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861621 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861622 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2861623 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Enabled and modified rules:

  • 2044846 - ET MALWARE SocGholish Domain in DNS Lookup (life .judyfay .com) (malware.rules)
  • 2050556 - ET MALWARE SocGholish Domain in DNS Lookup (miner .eastestsite .com) (malware.rules)
  • 2050557 - ET MALWARE SocGholish Domain in TLS SNI (miner .eastestsite .com) (malware.rules)
  • 2054705 - ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org) (malware.rules)
  • 2054706 - ET MALWARE SocGholish Domain in TLS SNI (books .friendsofthefolsomlibrary .org) (malware.rules)
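
Added example (not Proofpoint/ET tooling, and not part of the original summary): a small Python parser for this summary format that turns each bullet into a structured record, checks the announced "N new OPEN, M new PRO (N + K)" counts against the entries actually listed, confirms that every "ETPRO" message sits in the Pro section, and refangs the defanged domains ("medicalbitkisel .org") into indicators you can feed to a blocklist or a hunt. The sample text is a constructed subset of this page's own lines, so the count check deliberately fails; that is the behaviour you want when a summary has been truncated or mis-pasted.

```python
"""Parse an Emerging Threats 'Ruleset Update Summary' into structured records,
verify the announced counts, and extract the defanged domains as indicators."""
import re
from collections import Counter

# Constructed sample: a subset of the entries from the 2025/05/07 v10922 summary,
# copied in the page's own format (domains are defanged with a space before each dot).
SAMPLE_SUMMARY = """\
Ruleset Update Summary - 2025/05/07 - v10922

Summary:

24 new OPEN, 59 new PRO (24 + 35)

Added rules:

Open:

  • 2062145 - ET MALWARE Interlock Ransomware Fake Updater CnC Callback (malware.rules)
  • 2062146 - ET INFO DYNAMIC_DNS Query to a *.burgermap .org domain (info.rules)
  • 2062148 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (medicalbitkisel .org) (malware.rules)
  • 2062157 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aimpes .com) (exploit_kit.rules)
  • 2062167 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (charity .cafedantorels .com) (malware.rules)

Pro:

  • 2861589 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861622 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Enabled and modified rules:

  • 2044846 - ET MALWARE SocGholish Domain in DNS Lookup (life .judyfay .com) (malware.rules)
"""

# "  • <sid> - <msg> (<file>.rules)"; the non-greedy msg stops at the trailing rules file.
ENTRY_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.+?)\s+\(([\w-]+\.rules)\)\s*$")
COUNTS_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# Defanged domain: a label (optionally "*."-prefixed) followed by one or more " .label" pieces.
DEFANGED_RE = re.compile(r"[A-Za-z0-9*][A-Za-z0-9*.-]*(?: \.[A-Za-z0-9-]+)+")

SECTION_HEADINGS = {
    "Open:": ("added", "open"),
    "Pro:": ("added", "pro"),
    "Enabled and modified rules:": ("modified", None),  # tier taken from the msg prefix
}


def parse_summary(text):
    """Return (announced_counts, entries). entries are dicts with sid, section,
    tier, tier_matches_msg, msg, rules_file and refanged domains."""
    counts = None
    section = tier = None
    entries = []
    for line in text.splitlines():
        m = COUNTS_RE.search(line)
        if m:
            open_n, pro_n, a, b = map(int, m.groups())
            counts = {"open": open_n, "pro_only": b, "pro_total": pro_n,
                      "header_consistent": open_n == a and pro_n == a + b}
            continue
        stripped = line.strip()
        if stripped in SECTION_HEADINGS:
            section, tier = SECTION_HEADINGS[stripped]
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
        msg_tier = "pro" if msg.startswith("ETPRO ") else "open"  # ETPRO sigs never ship in the open feed
        entries.append({
            "sid": sid,
            "section": section,
            "tier": tier or msg_tier,
            "tier_matches_msg": tier is None or tier == msg_tier,
            "msg": msg,
            "rules_file": rules_file,
            "domains": [d.replace(" .", ".") for d in DEFANGED_RE.findall(msg)],
        })
    return counts, entries


def check_counts(counts, entries):
    """Compare the announced counts with the entries listed under 'Added rules'.
    Returns (ok, actual) so a truncated or mis-pasted summary is caught."""
    added = Counter(e["tier"] for e in entries if e["section"] == "added")
    actual = {"open": added["open"], "pro_only": added["pro"],
              "pro_total": added["open"] + added["pro"]}
    ok = (counts is not None and counts["header_consistent"]
          and all(actual[k] == counts[k] for k in actual))
    return ok, actual


def indicator_domains(entries):
    """Refanged domain -> list of SIDs that reference it."""
    out = {}
    for e in entries:
        for d in e["domains"]:
            out.setdefault(d, []).append(e["sid"])
    return out


def duplicate_sids(entries):
    """SIDs that appear more than once (a sign of a copy/paste error in the summary)."""
    return sorted(sid for sid, n in Counter(e["sid"] for e in entries).items() if n > 1)


if __name__ == "__main__":
    announced, rules = parse_summary(SAMPLE_SUMMARY)
    ok, actual = check_counts(announced, rules)
    print("announced:", announced, "actual:", actual, "ok:", ok)
    print("tier mismatches:", [e["sid"] for e in rules if not e["tier_matches_msg"]])
    print("duplicate sids:", duplicate_sids(rules))
    for domain, sids in indicator_domains(rules).items():
        print(f"{domain:32} {sids}")
```

Run against the full text of a summary the count check should pass; against the subset above it reports 5 open and 2 pro-only entries versus the announced 24 and 35. The refang step is deliberately limited to the " ." convention this page uses; other sources defang with "[.]" and would need one more replace.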