Ruleset Update Summary - 2025/05/15 - v10928

Ruleset Updates
1

Summary:

26 new OPEN, 29 new PRO (26 + 3)

Added rules:

Open:

  • 2062375 - ET WEB_SPECIFIC_APPS Winstar WN572HP3 upload.cgi HTTP Cookie buffer overflow attempt (web_specific_apps.rules)
  • 2062376 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cornerdurv .top) (malware.rules)
  • 2062377 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cornerdurv .top) in TLS SNI (malware.rules)
  • 2062378 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (emphatakpn .bet) (malware.rules)
  • 2062379 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (emphatakpn .bet) in TLS SNI (malware.rules)
  • 2062380 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hunterinrx .run) (malware.rules)
  • 2062381 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hunterinrx .run) in TLS SNI (malware.rules)
  • 2062382 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (laminaflbx .shop) (malware.rules)
  • 2062383 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI (malware.rules)
  • 2062384 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racxilb .digital) (malware.rules)
  • 2062385 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racxilb .digital) in TLS SNI (malware.rules)
  • 2062386 - ET WEB_SPECIFIC_APPS Wavlink WL-WN579A3 Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
  • 2062387 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (saxecocnak .live) (malware.rules)
  • 2062388 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (saxecocnak .live) in TLS SNI (malware.rules)
  • 2062389 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (testcawepr .run) (malware.rules)
  • 2062390 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (testcawepr .run) in TLS SNI (malware.rules)
  • 2062391 - ET WEB_SPECIFIC_APPS Wavlink WL-WN579A3 qos.cgi qos_bandwidth Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2062392 - ET WEB_SPECIFIC_APPS Wavlink WL-WN579A3 firewall.cgi del_flag Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2062393 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Compromised Domain (memelock .app) (exploit_kit.rules)
  • 2062394 - ET EXPLOIT_KIT Observed ClickFix Compromised Domain (memelock .app in TLS SNI) (exploit_kit.rules)
  • 2062395 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Compromised Domain (pump .fun .ong) (exploit_kit.rules)
  • 2062396 - ET MALWARE Observed ClickFix Compromised Domain (pump .fun .ong in TLS SNI) (malware.rules)
  • 2062397 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (regopramide .top) (exploit_kit.rules)
  • 2062398 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (regopramide .top) (exploit_kit.rules)
  • 2062399 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .rivercitymech .biz) (malware.rules)
  • 2062400 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .rivercitymech .biz) (malware.rules)

Pro:

  • 2861707 - ETPRO MALWARE Havoc Demon CnC Request (COMMAND_NOJOB) (malware.rules)
  • 2861708 - ETPRO PHISHING Generic Phish Landing Page 2025-05-14 (phishing.rules)
  • 2861709 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)