Ruleset Update Summary - 2025/05/14 - v10927

Ruleset Updates
1

Summary:

43 new OPEN, 52 new PRO (43 + 9)

Added rules:

Open:

  • 2062332 - ET MALWARE SMOKEDHAM/Thundershell CnC Checkin (malware.rules)
  • 2062333 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (tool .municipiodechepo .org) (malware.rules)
  • 2062334 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (api .incapdns .kz) (malware.rules)
  • 2062335 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (blog .jasonlees .com) (malware.rules)
  • 2062336 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (report .monicabellucci .kz) (malware.rules)
  • 2062337 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (developer .master .org .kz) (malware.rules)
  • 2062338 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (cast .voxcdn .kz) (malware.rules)
  • 2062339 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (host .moresecurity .kz) (malware.rules)
  • 2062340 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (ryanberardi .com) (malware.rules)
  • 2062341 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (onlinemail .kz) (malware.rules)
  • 2062342 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (contactlistsagregator .com) (malware.rules)
  • 2062343 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (stats .wp .org .kz) (malware.rules)
  • 2062344 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (ssl .gstatic .kz) (malware.rules)
  • 2062345 - ET MALWARE Observed DNS Query to Venom Spider/TA4557 Domain (beta .w3 .org .kz) (malware.rules)
  • 2062346 - ET MALWARE Observed Venom Spider/TA4557 Domain (tool .municipiodechepo .org in TLS SNI) (malware.rules)
  • 2062347 - ET MALWARE Observed Venom Spider/TA4557 Domain (api .incapdns .kz in TLS SNI) (malware.rules)
  • 2062348 - ET MALWARE Observed Venom Spider/TA4557 Domain (blog .jasonlees .com in TLS SNI) (malware.rules)
  • 2062349 - ET MALWARE Observed Venom Spider/TA4557 Domain (report .monicabellucci .kz in TLS SNI) (malware.rules)
  • 2062350 - ET MALWARE Observed Venom Spider/TA4557 Domain (developer .master .org .kz in TLS SNI) (malware.rules)
  • 2062351 - ET MALWARE Observed Venom Spider/TA4557 Domain (cast .voxcdn .kz in TLS SNI) (malware.rules)
  • 2062352 - ET MALWARE Observed Venom Spider/TA4557 Domain (host .moresecurity .kz in TLS SNI) (malware.rules)
  • 2062353 - ET MALWARE Observed Venom Spider/TA4557 Domain (ryanberardi .com in TLS SNI) (malware.rules)
  • 2062354 - ET MALWARE Observed Venom Spider/TA4557 Domain (onlinemail .kz in TLS SNI) (malware.rules)
  • 2062355 - ET MALWARE Observed Venom Spider/TA4557 Domain (contactlistsagregator .com in TLS SNI) (malware.rules)
  • 2062356 - ET MALWARE Observed Venom Spider/TA4557 Domain (stats .wp .org .kz in TLS SNI) (malware.rules)
  • 2062357 - ET MALWARE Observed Venom Spider/TA4557 Domain (ssl .gstatic .kz in TLS SNI) (malware.rules)
  • 2062358 - ET MALWARE Observed Venom Spider/TA4557 Domain (beta .w3 .org .kz in TLS SNI) (malware.rules)
  • 2062359 - ET INFO DYNAMIC_DNS Query to a *.fourie .co .uk domain (info.rules)
  • 2062360 - ET INFO DYNAMIC_DNS HTTP Request to a *.fourie .co .uk domain (info.rules)
  • 2062361 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blameaowi .run) (malware.rules)
  • 2062362 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blameaowi .run) in TLS SNI (malware.rules)
  • 2062363 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changenwg .run) (malware.rules)
  • 2062364 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changenwg .run) in TLS SNI (malware.rules)
  • 2062365 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flamingof .run) (malware.rules)
  • 2062366 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flamingof .run) in TLS SNI (malware.rules)
  • 2062367 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (macjajm .digital) (malware.rules)
  • 2062368 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (macjajm .digital) in TLS SNI (malware.rules)
  • 2062369 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (frederichoms .com) (exploit_kit.rules)
  • 2062370 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (frederichoms .com) (exploit_kit.rules)
  • 2062371 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pravaix .top) (exploit_kit.rules)
  • 2062372 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pravaix .top) (exploit_kit.rules)
  • 2062373 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (beginning .sparkattraction .com) (malware.rules)
  • 2062374 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (beginning .sparkattraction .com) (malware.rules)

Pro:

  • 2861696 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861698 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861699 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861701 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861702 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861703 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861704 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2054523 - ET MALWARE DNS Query to Payload Downloader Domain (italy700 .blogspot .com) (malware.rules)
  • 2054524 - ET MALWARE DNS Query to Payload Downloader Domain (800french .blogspot .com) (malware.rules)
  • 2054525 - ET MALWARE DNS Query to Payload Downloader Domain (800germany .blogspot .com) (malware.rules)
  • 2054526 - ET MALWARE DNS Query to Payload Downloader Domain (900cap .blogspot .com) (malware.rules)
  • 2054527 - ET MALWARE DNS Query to Payload Downloader Domain (others500 .blogspot .com) (malware.rules)
  • 2054528 - ET MALWARE DNS Query to Payload Downloader Domain (backpupcpa .blogspot .com) (malware.rules)
  • 2054529 - ET MALWARE Observed Payload Downloader Domain (italy700 .blogspot .com in TLS SNI) (malware.rules)
  • 2054530 - ET MALWARE Observed Payload Downloader Domain (800french .blogspot .com in TLS SNI) (malware.rules)
  • 2054531 - ET MALWARE Observed Payload Downloader Domain (800germany .blogspot .com in TLS SNI) (malware.rules)
  • 2054532 - ET MALWARE Observed Payload Downloader Domain (900cap .blogspot .com in TLS SNI) (malware.rules)
  • 2054533 - ET MALWARE Observed Payload Downloader Domain (others500 .blogspot .com in TLS SNI) (malware.rules)
  • 2054534 - ET MALWARE Observed Payload Downloader Domain (backpupcpa .blogspot .com in TLS SNI) (malware.rules)
  • 2054535 - ET MALWARE DNS Query to Payload Downloader Domain (pupuputu .blogspot .com) (malware.rules)
  • 2054536 - ET MALWARE DNS Query to Payload Downloader Domain (capclean2024may .blogspot .com) (malware.rules)
  • 2054537 - ET MALWARE Observed Payload Downloader Domain (pupuputu .blogspot .com in TLS SNI) (malware.rules)
  • 2056123 - ET MALWARE SnipBot CnC Domain in DNS Lookup (xeontime .com) (malware.rules)
  • 2056124 - ET MALWARE SnipBot CnC Domain in DNS Lookup (cethernet .com) (malware.rules)
  • 2056125 - ET MALWARE Observed SnipBot CnC Domain (webtimeapi .com in TLS SNI) (malware.rules)
  • 2056126 - ET MALWARE Observed SnipBot CnC Domain (cloudcreative .digital in TLS SNI) (malware.rules)
  • 2056127 - ET MALWARE Observed SnipBot CnC Domain (fileshare .direct in TLS SNI) (malware.rules)
  • 2056128 - ET MALWARE Observed SnipBot CnC Domain (mcprotect .cloud in TLS SNI) (malware.rules)
  • 2056129 - ET MALWARE Observed SnipBot CnC Domain (sitepanel .top in TLS SNI) (malware.rules)
  • 2056130 - ET MALWARE Observed SnipBot CnC Domain (docstorage .link in TLS SNI) (malware.rules)
  • 2056131 - ET MALWARE Observed SnipBot CnC Domain (drv2ms .com in TLS SNI) (malware.rules)
  • 2056132 - ET MALWARE Observed SnipBot CnC Domain (ilogicflow .com in TLS SNI) (malware.rules)
  • 2056133 - ET MALWARE Observed SnipBot CnC Domain (certifysop .com in TLS SNI) (malware.rules)
  • 2056134 - ET MALWARE Observed SnipBot CnC Domain (dns-msn .com in TLS SNI) (malware.rules)
  • 2056135 - ET MALWARE Observed SnipBot CnC Domain (linedrv .com in TLS SNI) (malware.rules)
  • 2056136 - ET MALWARE Observed SnipBot CnC Domain (publicshare .link in TLS SNI) (malware.rules)
  • 2056137 - ET MALWARE Observed SnipBot CnC Domain (fastshare .click in TLS SNI) (malware.rules)
  • 2056138 - ET MALWARE Observed SnipBot CnC Domain (drvmcprotect .com in TLS SNI) (malware.rules)
  • 2056139 - ET MALWARE Observed SnipBot CnC Domain (olminx .com in TLS SNI) (malware.rules)
  • 2056140 - ET MALWARE Observed SnipBot CnC Domain (xeontime .com in TLS SNI) (malware.rules)
  • 2056141 - ET MALWARE Observed SnipBot CnC Domain (cethernet .com in TLS SNI) (malware.rules)
  • 2056617 - ET MALWARE Observed CleanUp Loader Domain (crystalmaker .pro in TLS SNI) (malware.rules)
  • 2056618 - ET MALWARE Observed CleanUp Loader Domain (crystal-maker .com in TLS SNI) (malware.rules)
  • 2056619 - ET MALWARE Observed CleanUp Loader Domain (firscountryours .eu in TLS SNI) (malware.rules)
  • 2056620 - ET MALWARE Observed CleanUp Loader Domain (backuppingplanseasy .com in TLS SNI) (malware.rules)
  • 2056621 - ET MALWARE Observed CleanUp Loader Domain (prodfindfeatures .com in TLS SNI) (malware.rules)
  • 2056622 - ET MALWARE Observed CleanUp Loader Domain (microssoft-teams .com in TLS SNI) (malware.rules)
  • 2056623 - ET MALWARE Observed CleanUp Loader Domain (buydotclearlynet .com in TLS SNI) (malware.rules)
  • 2056624 - ET MALWARE Observed CleanUp Loader Domain (metalforthecoredream .com in TLS SNI) (malware.rules)
  • 2056625 - ET MALWARE Observed CleanUp Loader Domain (itisthebestforyou .eu in TLS SNI) (malware.rules)
  • 2056626 - ET MALWARE Observed CleanUp Loader Domain (whereverhomebe .com in TLS SNI) (malware.rules)
  • 2056627 - ET MALWARE Observed CleanUp Loader Domain (micrsoft-teams-download .com in TLS SNI) (malware.rules)
  • 2056628 - ET MALWARE Observed CleanUp Loader Domain (time-check-broker .com in TLS SNI) (malware.rules)
  • 2056629 - ET MALWARE Observed CleanUp Loader Domain (microsoftt-teams .com in TLS SNI) (malware.rules)
  • 2056630 - ET MALWARE Observed CleanUp Loader Domain (docsfromthewest .com in TLS SNI) (malware.rules)
  • 2056631 - ET MALWARE Observed CleanUp Loader Domain (auttodessk .com in TLS SNI) (malware.rules)
  • 2056632 - ET MALWARE Observed CleanUp Loader Domain (lakeshorehomebuilders .com in TLS SNI) (malware.rules)
  • 2056633 - ET MALWARE Observed CleanUp Loader Domain (heartwithinadream .com in TLS SNI) (malware.rules)
  • 2056634 - ET MALWARE Observed CleanUp Loader Domain (aut0deskk .com in TLS SNI) (malware.rules)
  • 2057696 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) (malware.rules)
  • 2057697 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) (malware.rules)
  • 2057698 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) (malware.rules)
  • 2057699 - ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) (malware.rules)
  • 2057700 - ET MALWARE Observed Lumma Stealer Domain (peepburry828 .sbs in TLS SNI) (malware.rules)
  • 2057701 - ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI) (malware.rules)
  • 2057702 - ET MALWARE Observed Lumma Stealer Domain (p3ar11fter .sbs in TLS SNI) (malware.rules)
  • 2057807 - ET MALWARE Malicious CnC Domain in DNS Lookup (meowware .ddns .net) (malware.rules)
  • 2057808 - ET MALWARE Observed Malicious Domain (meowware .ddns .net in TLS SNI) (malware.rules)
  • 2858999 - ETPRO PHISHING Observed Social Security Administration Impersonation Domain in TLS SNI (phishing.rules)