Ruleset Update Summary - 2025/05/22 - v10933

rulesbot · May 22, 2025, 8:59pm

Summary:

39 new OPEN, 49 new PRO (39 + 10)

Thanks @prodaft, @harfanglab, @RecordedFuture

No Releases on 2025/05/23 or 2025/05/26 Due To Company Holiday

Added rules:

Open:

2062512 - ET EXPLOIT RSI Queue Unauthenticated Blind SQL Injection (CVE-2025-26086) (exploit.rules)
2062513 - ET EXPLOIT Windows Microsoft .XRM-MS File / NTLM Information Disclosure (exploit.rules)
2062514 - ET EXPLOIT Firefox ESR PDF.js Arbitrary Javascript Execution (CVE-2024-4367) (exploit.rules)
2062515 - ET WEB_SPECIFIC_APPS SysAid XML External Entity Injection Attempt (CVE-2025-2775) (web_specific_apps.rules)
2062516 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ankyufh .live) (malware.rules)
2062517 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ankyufh .live) in TLS SNI (malware.rules)
2062518 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bogtkr .top) (malware.rules)
2062519 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bogtkr .top) in TLS SNI (malware.rules)
2062520 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diecam .top) (malware.rules)
2062521 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (diecam .top) in TLS SNI (malware.rules)
2062522 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fliobo .run) (malware.rules)
2062523 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fliobo .run) in TLS SNI (malware.rules)
2062524 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (judiivk .live) (malware.rules)
2062525 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (judiivk .live) in TLS SNI (malware.rules)
2062526 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (korxddl .top) (malware.rules)
2062527 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (korxddl .top) in TLS SNI (malware.rules)
2062528 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (localixbiw .top) (malware.rules)
2062529 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (localixbiw .top) in TLS SNI (malware.rules)
2062530 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ordntx .top) (malware.rules)
2062531 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ordntx .top) in TLS SNI (malware.rules)
2062532 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (phoucc .digital) (malware.rules)
2062533 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (phoucc .digital) in TLS SNI (malware.rules)
2062534 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quaterujrb .shop) (malware.rules)
2062535 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quaterujrb .shop) in TLS SNI (malware.rules)
2062536 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (releaswrlf .run) (malware.rules)
2062537 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (releaswrlf .run) in TLS SNI (malware.rules)
2062538 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strejqt .bet) (malware.rules)
2062539 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (strejqt .bet) in TLS SNI (malware.rules)
2062540 - ET MALWARE APT28 Russia Macro Loader HTTP POST (malware.rules)
2062541 - ET MALWARE Gamaredon APT TryCloudFlare CnC Activity - Known Delimiter in User-Agent (malware.rules)
2062542 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (simvascor .top) (exploit_kit.rules)
2062543 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (simvascor .top) (exploit_kit.rules)
2062544 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (fork .trace467 .com) (malware.rules)
2062545 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (fork .trace467 .com) (malware.rules)
2062546 - ET MALWARE CHERRYSPY.Backdoor Russia APT28 Initial Key Exchange (malware.rules)
2062547 - ET MALWARE Observed DNS Query to Skitnet/Bossnet Domain (100000000000000…) (malware.rules)
2062548 - ET MALWARE HATVIBE.loader Russia APT28 HTTP PUT Request (malware.rules)
2062549 - ET MALWARE CHERRYSPY.Backdoor Russia APT28 Key Exchange Response (malware.rules)
2062550 - ET MALWARE Observed Skitnet/Bossnet Domain (100000000000000… in TLS SNI) (malware.rules)

Pro:

2861804 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861805 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861806 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861807 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861808 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861809 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861810 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861811 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861812 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861813 - ETPRO MALWARE Generic Wallet InfoStealer CnC Checkin M1 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/04/23 - v10912 Ruleset Updates	117	April 23, 2025
Ruleset Update Summary - 2025/04/07 - v10899 Ruleset Updates	126	April 7, 2025
Ruleset Update Summary - 2025/05/01 - v10918 Ruleset Updates	77	May 1, 2025
Ruleset Update Summary - 2025/05/05 - v10920 Ruleset Updates	83	May 5, 2025
Ruleset Update Summary - 2025/04/21 - v10910 Ruleset Updates	96	April 21, 2025

Ruleset Update Summary - 2025/05/22 - v10933

Summary:

Added rules:

Open:

Pro:

Related topics