Ruleset Update Summary - 2025/05/19 - v10930

Summary:

56 new OPEN, 112 new PRO (56 + 56)


Added rules:

Open:

  • 2046175 - ET RETIRED IIS-Raid Module Backdoor - Successful PING in HTTP Response (PONG) (retired.rules)
  • 2048403 - ET RETIRED BunnyLoader Heartbeat Acknowledgement (retired.rules)
  • 2062407 - ET MALWARE Interlock Ransomware Fake Updater CnC Command (Terminate) (malware.rules)
  • 2062408 - ET MALWARE Interlock RAT CnC Checkin (malware.rules)
  • 2062409 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062410 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062411 - ET MALWARE Interlock CnC Domain in DNS Lookup (hours-affected-personals-grey .trycloudflare .com) (malware.rules)
  • 2062412 - ET MALWARE Interlock CnC Domain in TLS SNI (hours-affected-personals-grey .trycloudflare .com) (malware.rules)
  • 2062413 - ET MALWARE Interlock CnC Domain in DNS Lookup (sublime-tragedy-counties-sculpture .trycloudflare .com) (malware.rules)
  • 2062414 - ET MALWARE Interlock CnC Domain in TLS SNI (sublime-tragedy-counties-sculpture .trycloudflare .com) (malware.rules)
  • 2062415 - ET WEB_SPECIFIC_APPS Planet web_aaa_loginAuthlistEdit authName Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062416 - ET WEB_SPECIFIC_APPS Planet web_acl_ipv4BasedAceAdd ipv4Aclkey Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062417 - ET WEB_SPECIFIC_APPS Planet web_acl_bindEdit_post bindEditMACName Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062418 - ET WEB_SPECIFIC_APPS Planet web_acl_mgmt_Rules_Apply_post ruleName Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062419 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authentication Bypass and Remote Code Execution Attempt (CVE-2025-4427,2025-4428) (web_specific_apps.rules)
  • 2062420 - ET WEB_SPECIFIC_APPS Linksys E5600 CI_InternetConnection ifname Parameter Command Injection Attempt (CVE-2025-45487) (web_specific_apps.rules)
  • 2062421 - ET WEB_SPECIFIC_APPS Linksys E5600 runtime.ddnsStatus Multiple Parameters Command Injection Attempt (CVE-2025-45488-2025-45491) (web_specific_apps.rules)
  • 2062422 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (chproduct .com) (exploit_kit.rules)
  • 2062423 - ET EXPLOIT_KIT LandUpdate808 Domain (chproduct .com) in TLS SNI (exploit_kit.rules)
  • 2062424 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (anesthwtcm .run) (malware.rules)
  • 2062425 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (anesthwtcm .run) in TLS SNI (malware.rules)
  • 2062426 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cladwybn .digital) (malware.rules)
  • 2062427 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cladwybn .digital) in TLS SNI (malware.rules)
  • 2062428 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comexisj .digital) (malware.rules)
  • 2062429 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (comexisj .digital) in TLS SNI (malware.rules)
  • 2062430 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conmog .digital) (malware.rules)
  • 2062431 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (conmog .digital) in TLS SNI (malware.rules)
  • 2062432 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jackthyfuc .run) (malware.rules)
  • 2062433 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jackthyfuc .run) in TLS SNI (malware.rules)
  • 2062434 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jugulagklc .live) (malware.rules)
  • 2062435 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jugulagklc .live) in TLS SNI (malware.rules)
  • 2062436 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (narrathfpt .top) (malware.rules)
  • 2062437 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (narrathfpt .top) in TLS SNI (malware.rules)
  • 2062438 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ofttimkong .run) (malware.rules)
  • 2062439 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ofttimkong .run) in TLS SNI (malware.rules)
  • 2062440 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (onehunqpom .life) (malware.rules)
  • 2062441 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (onehunqpom .life) in TLS SNI (malware.rules)
  • 2062442 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (panhanhsyp) (malware.rules)
  • 2062443 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (panhanhsyp) in TLS SNI (malware.rules)
  • 2062444 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (retechlabp .run) (malware.rules)
  • 2062445 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (retechlabp .run) in TLS SNI (malware.rules)
  • 2062446 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strengbllk .live) (malware.rules)
  • 2062447 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (strengbllk .live) in TLS SNI (malware.rules)
  • 2062448 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worldpofadventure .today) (malware.rules)
  • 2062449 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (worldpofadventure .today) in TLS SNI (malware.rules)
  • 2062450 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .aamplify .media) (malware.rules)
  • 2062451 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .greeneconsultinggroup .com) (malware.rules)
  • 2062452 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .aamplify .media) (malware.rules)
  • 2062453 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .greeneconsultinggroup .com) (malware.rules)
  • 2062454 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062455 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062456 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive CHAR (hunting.rules)
  • 2062457 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M1 (hunting.rules)
  • 2062458 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M2 (hunting.rules)
  • 2062459 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M3 (hunting.rules)
  • 2062460 - ET HUNTING Possible Obfuscated PowerShell Script Download - Excessive Split String M4 (hunting.rules)
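The five ET HUNTING signatures at the end of the Open list look for PowerShell delivered over HTTP that hides its strings behind long runs of `[char]N` casts or behind strings that are shredded into fragments and reassembled with `-split`/`-join`. The script below is an added illustration of that detection idea and is not the ruleset's own logic; the regexes, thresholds (`CHAR_CAST_MIN`, `TINY_LITERAL_MIN`, `SPLIT_DELIM_RATIO_MIN`) and the sample PowerShell/HTTP payloads are all constructed for this example, and the obfuscated samples decode to a harmless `Write-Host hi`.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Thresholds are assumptions chosen for this example, not the values used by
# the ET HUNTING rules; tune them against your own traffic.
CHAR_CAST_MIN = 10          # e.g. [char]87,[char]114,... building a command
TINY_LITERAL_MIN = 10       # e.g. ('W','r','i',...) -join ''
SPLIT_DELIM_RATIO_MIN = 0.3 # e.g. 'W|r|i|t|e' -split '\|' -join ''

CHAR_CAST = re.compile(r"\[char\]\s*\(?\s*(?:0x[0-9a-f]+|\d{1,3})", re.I)
# One- or two-character quoted fragments ('W', "r", '-' ...).
TINY_LITERAL = re.compile(r"""(['"])[^'"]{1,2}\1""")
# A string literal immediately followed by -split '<delimiter>'.
SPLIT_LITERAL = re.compile(
    r"""(['"])([^'"]+)\1\s*-split\s*(['"])([^'"]+)\3""", re.I)


@dataclass
class Verdict:
    char_casts: int = 0
    tiny_literals: int = 0
    split_delim_ratio: float = 0.0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_script(body: str) -> Verdict:
    """Score a PowerShell body for the obfuscation styles named above."""
    v = Verdict()
    v.char_casts = len(CHAR_CAST.findall(body))
    v.tiny_literals = len(TINY_LITERAL.findall(body))
    for m in SPLIT_LITERAL.finditer(body):
        text, delim = m.group(2), m.group(4).lstrip("\\")[:1]  # '\|' -> '|'
        if delim:
            ratio = text.count(delim) / len(text)
            v.split_delim_ratio = max(v.split_delim_ratio, ratio)
    if v.char_casts >= CHAR_CAST_MIN:
        v.reasons.append(f"excessive [char] casts: {v.char_casts}")
    if v.tiny_literals >= TINY_LITERAL_MIN:
        v.reasons.append(f"excessive tiny string fragments: {v.tiny_literals}")
    if v.split_delim_ratio >= SPLIT_DELIM_RATIO_MIN:
        v.reasons.append(f"delimiter-dense -split literal: {v.split_delim_ratio:.2f}")
    return v


def analyze_http_response(raw: bytes) -> Verdict:
    """Split a raw HTTP response into headers and body and score the body."""
    _head, _sep, body = raw.partition(b"\r\n\r\n")
    return analyze_script(body.decode("utf-8", errors="replace"))


# Constructed samples (not real malware). Each obfuscated one decodes to
# "Write-Host hi"; the last is ordinary administrative PowerShell.
CHAR_SAMPLE = (
    r"$s = -join ([char]87,[char]114,[char]105,[char]116,[char]101,[char]45,"
    r"[char]72,[char]111,[char]115,[char]116,[char]32,[char]104,[char]105); "
    r"Invoke-Expression $s")
SPLIT_SAMPLE = (r"$p = 'W|r|i|t|e|-|H|o|s|t| |h|i' -split '\|' -join ''; "
                r"Invoke-Expression $p")
JOIN_SAMPLE = (r"$q = ('W','r','i','t','e','-','H','o','s','t',' ','h','i') "
               r"-join ''; Invoke-Expression $q")
BENIGN_SAMPLE = r"Get-ChildItem -Path 'C:\Logs' -Filter '*.evtx' | Measure-Object"
HTTP_SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               + CHAR_SAMPLE.encode())

if __name__ == "__main__":
    for name, sample in [("char", CHAR_SAMPLE), ("split", SPLIT_SAMPLE),
                         ("join", JOIN_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, analyze_script(sample))
    print("http", analyze_http_response(HTTP_SAMPLE))
```

Counting-based heuristics like these are hunting signals, not alerts: legitimate installers and module manifests occasionally cross these thresholds, which is why the signatures live in hunting.rules rather than malware.rules.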

Pro:

  • 2861734 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861735 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861736 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861737 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861738 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861739 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2861740 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861741 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2861742 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2861743 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861744 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861745 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861746 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861747 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861748 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861749 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861750 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861751 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861752 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861753 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861754 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861755 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861756 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2861757 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861758 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2861759 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2861760 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861761 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861762 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861763 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861764 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861765 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861766 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861767 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861768 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861769 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861770 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861771 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861772 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2861773 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861774 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2861775 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861776 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2861777 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861778 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861779 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2861780 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861781 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861782 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861783 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861784 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861785 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861786 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861787 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861788 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861789 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Removed rules:

  • 2046175 - ET MALWARE IIS-Raid Module Backdoor - Successful PING in HTTP Response (PONG) (malware.rules)
  • 2048403 - ET MALWARE BunnyLoader Heartbeat Acknowledgement (malware.rules)
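Most of the new network indicators in this update are encoded in the rule titles themselves: a defanged domain written with a space before each dot, e.g. `(hours-affected-personals-grey .trycloudflare .com)`, or a CVE list written as `(CVE-2025-4427,2025-4428)` or as a contiguous range `(CVE-2025-45488-2025-45491)`. The parser below is an added example, not a Proofpoint/ET tool, for turning a summary in this format into SIDs, categories, refanged domains and CVE ids; the sample input is a handful of lines copied from the lists above, and the range-expansion rule is an assumption based on the Linksys entry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "  • 2062409 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (...) (exploit_kit.rules)"
LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<sid>\d{7})\s+-\s+(?P<msg>.+?)\s+\((?P<file>[a-z_]+\.rules)\)\s*$")
# Defanged domain: labels separated by " ." inside parentheses.
DEFANGED = re.compile(r"\(([a-z0-9-]+(?: \.[a-z0-9-]+)+)\)", re.I)
CVE_GROUP = re.compile(r"\((CVE-[^)]+)\)", re.I)
CVE_ID = re.compile(r"(\d{4})-(\d{4,})")


@dataclass
class Rule:
    sid: int
    scope: str            # "ET" (open) or "ETPRO"
    category: str         # MALWARE, EXPLOIT_KIT, HUNTING, RETIRED, ...
    msg: str
    rules_file: str
    domain: Optional[str] = None
    cves: List[str] = field(default_factory=list)


def refang(defanged: str) -> str:
    return defanged.replace(" .", ".")


def parse_cves(msg: str) -> List[str]:
    m = CVE_GROUP.search(msg)
    if not m:
        return []
    text = m.group(1)
    ids = [(int(y), int(n)) for y, n in CVE_ID.findall(text)]
    # Assumption: a contiguous range is written "CVE-A-B" with no comma
    # (as in the Linksys E5600 entry), so expand it numerically.
    if (len(ids) == 2 and "," not in text
            and ids[0][0] == ids[1][0] and ids[1][1] > ids[0][1]):
        year = ids[0][0]
        ids = [(year, n) for n in range(ids[0][1], ids[1][1] + 1)]
    return [f"CVE-{y}-{n}" for y, n in ids]


def parse_line(line: str) -> Optional[Rule]:
    m = LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    scope, category = msg.split()[:2]
    dom = DEFANGED.search(msg)
    return Rule(int(m.group("sid")), scope, category, msg, m.group("file"),
                refang(dom.group(1)) if dom else None, parse_cves(msg))


def parse_summary(text: str) -> List[Rule]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def domain_indicators(rules: List[Rule]) -> List[str]:
    """Deduplicated, refanged domains suitable for a DNS/SNI block or watch list."""
    return sorted({r.domain for r in rules if r.domain})


# Sample input: lines taken from the lists above.
SAMPLE = """
  • 2046175 - ET RETIRED IIS-Raid Module Backdoor - Successful PING in HTTP Response (PONG) (retired.rules)
  • 2062409 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062411 - ET MALWARE Interlock CnC Domain in DNS Lookup (hours-affected-personals-grey .trycloudflare .com) (malware.rules)
  • 2062419 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authentication Bypass and Remote Code Execution Attempt (CVE-2025-4427,2025-4428) (web_specific_apps.rules)
  • 2062421 - ET WEB_SPECIFIC_APPS Linksys E5600 runtime.ddnsStatus Multiple Parameters Command Injection Attempt (CVE-2025-45488-2025-45491) (web_specific_apps.rules)
  • 2062442 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (panhanhsyp) (malware.rules)
  • 2062450 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .aamplify .media) (malware.rules)
  • 2861734 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
"""

if __name__ == "__main__":
    rules = parse_summary(SAMPLE)
    for r in rules:
        print(r.sid, r.scope, r.category, r.rules_file, r.domain, r.cves)
    print(domain_indicators(rules))
```

Note that an entry with no TLD, such as `(panhanhsyp)`, yields no domain rather than a guessed one, and that several of the extracted hosts are `trycloudflare.com` subdomains (Cloudflare quick tunnels), which attackers rotate cheaply; the per-host SNI/DNS rules here are the precise match, and any broader action on the tunnel service is a separate policy decision.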