Ruleset Update Summary - 2025/06/04 - v10940

Ruleset Updates
1

Summary:

33 new OPEN, 38 new PRO (33 + 5)

Added rules:

Open:

  • 2062740 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (malware.rules)
  • 2062741 - ET WEB_SPECIFIC_APPS Infoblox NetMRI get_saml_request saml_id parameter Command Injection Attempt (CVE-2025-32813) (web_specific_apps.rules)
  • 2062742 - ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814) (web_specific_apps.rules)
  • 2062743 - ET WEB_SPECIFIC_APPS Infoblox NetMRI SetRawCookie.tdf Process Manager Hard-Coded Credentials Authentication Bypass Attempt (CVE-2025-32815) (web_specific_apps.rules)
  • 2062744 - ET WEB_SPECIFIC_APPS Infoblox NetMRI ViewerFileServlet fileName Parameter Authentication Arbitrary File Read (CVE-2024-54188) (web_specific_apps.rules)
  • 2062745 - ET WEB_SPECIFIC_APPS Infoblox NetMRI Run.tdf Scripts Parameter SQL Injection Attempt - Credential theft (CVE-2024-52874) (web_specific_apps.rules)
  • 2062746 - ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi langType Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062747 - ET WEB_SPECIFIC_APPS Linksys setVlan vlan_set Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062748 - ET WEB_SPECIFIC_APPS Linksys check_port_conflict single_port_rule Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062749 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (buqtnw .digital) (malware.rules)
  • 2062750 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (buqtnw .digital) in TLS SNI (malware.rules)
  • 2062751 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (domaincrop .fun) (malware.rules)
  • 2062752 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (domaincrop .fun) in TLS SNI (malware.rules)
  • 2062753 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pelcxt .digital) (malware.rules)
  • 2062754 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pelcxt .digital) in TLS SNI (malware.rules)
  • 2062755 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plaxyrj .run) (malware.rules)
  • 2062756 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (plaxyrj .run) in TLS SNI (malware.rules)
  • 2062757 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (runtnwq .run) (malware.rules)
  • 2062758 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (runtnwq .run) in TLS SNI (malware.rules)
  • 2062759 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (statehaller .fun) (malware.rules)
  • 2062760 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (statehaller .fun) in TLS SNI (malware.rules)
  • 2062761 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tyrpsrl .live) (malware.rules)
  • 2062762 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tyrpsrl .live) in TLS SNI (malware.rules)
  • 2062763 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wepwwd .live) (malware.rules)
  • 2062764 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wepwwd .live) in TLS SNI (malware.rules)
  • 2062765 - ET WEB_SPECIFIC_APPS Linksys WPSSTAPINEnr ssid Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062766 - ET WEB_SPECIFIC_APPS Linksys upload_settings filename Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2062767 - ET INFO Observed DNS Query to Online Document Sharing Service (onlyoffice .com) (info.rules)
  • 2062768 - ET INFO Observed Online Document Sharing Service Domain (onlyoffice .com in TLS SNI) (info.rules)
  • 2062769 - ET WEB_SPECIFIC_APPS Linksys upload filename Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2062770 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .doggiefountain .com) (malware.rules)
  • 2062771 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .doggiefountain .com) (malware.rules)
  • 2062772 - ET USER_AGENTS Fake OneDrive User-Agent Observed (user_agents.rules)

Pro:

  • 2862129 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2862130 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2862133 - ETPRO MALWARE ClassCache CnC Checkin via Statcounter (GET) (malware.rules)
  • 2862134 - ETPRO MALWARE Observed DNS Query to ClassCache Domain (malware.rules)
  • 2862135 - ETPRO MALWARE Observed ClassCache Domain in TLS SNI (malware.rules)