Ruleset Update Summary - 2025/05/08 - v10923

rulesbot · May 8, 2025, 10:12pm

Summary:

51 new OPEN, 51 new PRO (51 + 0)

Thanks @Cyberteam008, @cyber_ra1

Added rules:

Open:

2062169 - ET WEB_SPECIFIC_APPS Tenda P2pListFilter page Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2062170 - ET WEB_SPECIFIC_APPS Tenda L7Im page Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2062171 - ET WEB_SPECIFIC_APPS Totolink formPortFw service_type Parameter Buffer Overflow Attempt (CVE-2025-3988) (web_specific_apps.rules)
2062172 - ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt multiple URI endpoints submit-url Parameter Buffer Overflow Attempt (CVE-2025-3990-2025-3993) (web_specific_apps.rules)
2062173 - ET MALWARE AresRAT CnC Exfil (POST) (malware.rules)
2062174 - ET MALWARE AresRAT CnC Checkin (POST) (malware.rules)
2062175 - ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2062176 - ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formRoute metric Parameter Denial of Service Attempt (web_specific_apps.rules)
2062177 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apronsxrum .digital) (malware.rules)
2062178 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (apronsxrum .digital) in TLS SNI (malware.rules)
2062179 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ariosefqcu .shop) (malware.rules)
2062180 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ariosefqcu .shop) in TLS SNI (malware.rules)
2062181 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (descenrugb .bet) (malware.rules)
2062182 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (descenrugb .bet) in TLS SNI (malware.rules)
2062183 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grizzlqzuk .live) (malware.rules)
2062184 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grizzlqzuk .live) in TLS SNI (malware.rules)
2062185 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (homelecyfi .digital) (malware.rules)
2062186 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (homelecyfi .digital) in TLS SNI (malware.rules)
2062187 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (homewappzb .top) (malware.rules)
2062188 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (homewappzb .top) in TLS SNI (malware.rules)
2062189 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (insidegrah .run) (malware.rules)
2062190 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (insidegrah .run) in TLS SNI (malware.rules)
2062191 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (octalfbsh .bet) (malware.rules)
2062192 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (octalfbsh .bet) in TLS SNI (malware.rules)
2062193 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (onemiltxny .shop) (malware.rules)
2062194 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (onemiltxny .shop) in TLS SNI (malware.rules)
2062195 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quaestort .live) (malware.rules)
2062196 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quaestort .live) in TLS SNI (malware.rules)
2062197 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (romulusy .digital) (malware.rules)
2062198 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (romulusy .digital) in TLS SNI (malware.rules)
2062199 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidebyafzy .digital) (malware.rules)
2062200 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sidebyafzy .digital) in TLS SNI (malware.rules)
2062201 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stuffgull .top) (malware.rules)
2062202 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stuffgull .top) in TLS SNI (malware.rules)
2062203 - ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987) (web_specific_apps.rules)
2062204 - ET WEB_SPECIFIC_APPS Tenda dhcpsCfgSet altDNS parameter Buffer Overflow Attempt (CVE-2025-4007) (web_specific_apps.rules)
2062205 - ET WEB_SPECIFIC_APPS Tenda sysUplinkCheckSet hostIp parameters Buffer Overflow Attempt (CVE-2025-3820) (web_specific_apps.rules)
2062206 - ET WEB_SPECIFIC_APPS Tenda sysScheduleRebootSet rebootDate parameter Buffer Overflow Attempt (CVE-2025-3803) (web_specific_apps.rules)
2062207 - ET WEB_SPECIFIC_APPS Tenda pingSet pingIp parameter Buffer Overflow Attempt (CVE-2023-50991) (web_specific_apps.rules)
2062208 - ET WEB_SPECIFIC_APPS Tenda wifiRadioSetIndoor extChannel parameter Buffer Overflow Attempt (CVE-2025-3693) (web_specific_apps.rules)
2062209 - ET WEB_SPECIFIC_APPS Totolink EX1800T setWiFiExtenderConfig apcliKey/key command injection attempt (CVE-2025-2094) (web_specific_apps.rules)
2062210 - ET EXPLOIT_KIT Observed DNS Query to Clickfix Domain (wwwcloudfiare .com) (exploit_kit.rules)
2062211 - ET EXPLOIT_KIT Observed DNS Query to Clickfix Domain (wwwc1oudflare .com) (exploit_kit.rules)
2062212 - ET EXPLOIT_KIT Observed DNS Query to Clickfix Domain (wwwcioudflare .com) (exploit_kit.rules)
2062213 - ET EXPLOIT_KIT Observed ClickFix Domain (wwwcloudfiare .com in TLS SNI) (exploit_kit.rules)
2062214 - ET EXPLOIT_KIT Observed ClickFix Domain (wwwc1oudflare .com in TLS SNI) (exploit_kit.rules)
2062215 - ET EXPLOIT_KIT Observed ClickFix Domain (wwwcioudflare .com in TLS SNI) (exploit_kit.rules)
2062216 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (motocyclenews .top) (exploit_kit.rules)
2062217 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (motocyclenews .top) (exploit_kit.rules)
2062218 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .thefertilemine .com) (malware.rules)
2062219 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .thefertilemine .com) (malware.rules)

Disabled and modified rules:

2850704 - ETPRO MALWARE Loozer Stealer Activity M6 (malware.rules)
2861596 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861599 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861601 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861606 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861607 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2861608 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/04/04 - v10898 Ruleset Updates	167	April 4, 2025
Ruleset Update Summary - 2025/03/11 - v10876 Ruleset Updates	122	March 11, 2025
Ruleset Update Summary - 2025/04/18 - v10909 Ruleset Updates	120	April 18, 2025
Ruleset Update Summary - 2025/04/07 - v10899 Ruleset Updates	115	April 7, 2025
Ruleset Update Summary - 2025/01/10 - v10835 Ruleset Updates	110	January 10, 2025

Ruleset Update Summary - 2025/05/08 - v10923

Summary:

Added rules:

Open:

Disabled and modified rules:

Related topics