Ruleset Update Summary - 2025/06/10 - v10947

Ruleset Updates
1

Summary:

44 new OPEN, 48 new PRO (44 + 4)

Added rules:

Open:

  • 2062831 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ncmtraders .com) (exploit_kit.rules)
  • 2062832 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ncmtraders .com) (exploit_kit.rules)
  • 2062833 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (1sou .top) (exploit_kit.rules)
  • 2062834 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (islighting .top) (exploit_kit.rules)
  • 2062835 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (loispaigesimenson .com) (exploit_kit.rules)
  • 2062836 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (1sou .top) (exploit_kit.rules)
  • 2062837 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (islighting .top) (exploit_kit.rules)
  • 2062838 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (loispaigesimenson .com) (exploit_kit.rules)
  • 2062839 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .publynx .com) (malware.rules)
  • 2062840 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (dev .couplesparks .com) (malware.rules)
  • 2062841 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .publynx .com) (malware.rules)
  • 2062842 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (dev .couplesparks .com) (malware.rules)
  • 2062843 - ET MALWARE TA569 Stage 2 Domain in DNS Lookup (robertocalimera .icu) (malware.rules)
  • 2062844 - ET MALWARE TA569 Stage 2 Domain in TLS SNI (robertocalimera .icu) (malware.rules)
  • 2062845 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chromeparts .icu) (exploit_kit.rules)
  • 2062846 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chromeparts .icu) (exploit_kit.rules)
  • 2062847 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (quanthic .cloud) (exploit_kit.rules)
  • 2062848 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (quanthic .cloud) (exploit_kit.rules)
  • 2062849 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (billing .roofnrack .us) (malware.rules)
  • 2062850 - ET MALWARE Win32/TA569 Gholoader Domain in TLS SNI (billing .roofnrack .us) (malware.rules)
  • 2062851 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (favgqu .shop) (malware.rules)
  • 2062852 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (favgqu .shop) in TLS SNI (malware.rules)
  • 2062853 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kinwlyo .xyz) (malware.rules)
  • 2062854 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kinwlyo .xyz) in TLS SNI (malware.rules)
  • 2062855 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shool .digital) (malware.rules)
  • 2062856 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shool .digital) in TLS SNI (malware.rules)
  • 2062857 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sstemxehg .shop) (malware.rules)
  • 2062858 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sstemxehg .shop) in TLS SNI (malware.rules)
  • 2062859 - ET WEB_SPECIFIC_APPS Tenda multimodalAdd URI Endpoint Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062860 - ET WEB_SPECIFIC_APPS Tenda UserCongratulationsExec getuid Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2062861 - ET WEB_SPECIFIC_APPS Totolink formSaveConfig submit-url Parameter Buffer Overflow Attempt (CVE-2025-5739) (web_specific_apps.rules)
  • 2062862 - ET WEB_SPECIFIC_APPS Totolink formWirelessTbl submit-url Parameter Buffer Overflow Attempt (CVE-2025-5785) (web_specific_apps.rules)
  • 2062863 - ET WEB_SPECIFIC_APPS Totolink formDMZ submit-url Parameter Buffer Overflow Attempt (CVE-2025-5786) (web_specific_apps.rules)
  • 2062864 - ET WEB_SPECIFIC_APPS Totolink formWsc submit-url Parameter Buffer Overflow Attempt (CVE-2025-5787) (web_specific_apps.rules)
  • 2062865 - ET WEB_SPECIFIC_APPS Totolink formReflashClientTbl submit-url Parameter Buffer Overflow Attempt (CVE-2025-5788) (web_specific_apps.rules)
  • 2062866 - ET WEB_SPECIFIC_APPS Totolink formIpQoS mac Parameter Buffer Overflow Attempt (CVE-2025-5790) (web_specific_apps.rules)
  • 2062867 - ET WEB_SPECIFIC_APPS Totolink formFilter ip6addr Parameter Buffer Overflow Attempt (CVE-2025-5907) (web_specific_apps.rules)
  • 2062868 - ET WEB_SPECIFIC_APPS Totolink formStats submit-url Parameter Buffer Overflow Attempt (CVE-2025-5788) (web_specific_apps.rules)
  • 2062869 - ET WEB_SPECIFIC_APPS Totolink formWlanRedirect redirect-url Parameter Buffer Overflow Attempt (CVE-2025-5792) (web_specific_apps.rules)
  • 2062870 - ET WEB_SPECIFIC_APPS Totolink setUpgradeFW slaveIpList Parameter Command Injection Attempt (CVE-2025-5902) (web_specific_apps.rules)
  • 2062871 - ET WEB_SPECIFIC_APPS Totolink setWiFiAclRules desc Parameter Buffer Overflow Attempt (CVE-2025-5903) (web_specific_apps.rules)
  • 2062872 - ET WEB_SPECIFIC_APPS Totolink UploadFirmwareFile File Parameter Buffer Overflow Attempt (CVE-2025-5901) (web_specific_apps.rules)
  • 2062873 - ET WEB_SPECIFIC_APPS Totolink setWiFiMeshName device_name Parameter Buffer Overflow Attempt (CVE-2025-5904) (web_specific_apps.rules)
  • 2062874 - ET WEB_SPECIFIC_APPS Totolink setWiFiRepeaterCfg password Parameter Buffer Overflow Attempt (CVE-2025-5905) (web_specific_apps.rules)

Pro:

  • 2862140 - ETPRO EXPLOIT KDCProxy Use-After-Free Attempt (CVE-2025-33071) (exploit.rules)
  • 2862145 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2862146 - ETPRO EXPLOIT Microsoft Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution (CVE-2025-33053) (exploit.rules)
  • 2862147 - ETPRO MALWARE Win32/Expiro CnC Activity (POST) (malware.rules)

Disabled and modified rules:

  • 2062777 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .doggiefountain .com) (malware.rules)
  • 2062780 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .doggiefountain .com) (malware.rules)
  • 2823343 - ETPRO MALWARE APT28/SEDNIT Uploader Variant DNS Lookup (malware.rules)