Ruleset Update Summary - 2025/06/11 - v10948

rulesbot · June 11, 2025, 9:16pm

Summary:

39 new OPEN, 41 new PRO (39 + 2)

Added rules:

Open:

2062875 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (obs-studio .live) (exploit_kit.rules)
2062876 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (streamcore .pro) (exploit_kit.rules)
2062877 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (fb-extension .com) (exploit_kit.rules)
2062878 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (instchr .icu) (exploit_kit.rules)
2062879 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (aderir .com) (exploit_kit.rules)
2062880 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (obs-studio .live) (exploit_kit.rules)
2062881 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (streamcore .pro) (exploit_kit.rules)
2062882 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (fb-extension .com) (exploit_kit.rules)
2062883 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (instchr .icu) (exploit_kit.rules)
2062884 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (aderir .com) (exploit_kit.rules)
2062885 - ET HUNTING HTTP Response Containing Base64-Encoded and Compressed Powershell Payload Keywords (hunting.rules)
2062886 - ET MALWARE GorillaBot CnC Server Probe (malware.rules)
2062887 - ET MALWARE GorillaBot CnC Magic-Byte Response (Bot Configuration) (malware.rules)
2062888 - ET HUNTING HTTP Response Containing Base64-Encoded Powershell Payload Keywords (hunting.rules)
2062889 - ET MALWARE GorillaBot Victim BotID Sent to CnC Server (malware.rules)
2062890 - ET INFO DYNAMIC_DNS Query to a *.maganaki .com domain (info.rules)
2062891 - ET INFO DYNAMIC_DNS HTTP Request to a *.maganaki .com domain (info.rules)
2062892 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (leftykreh .com) (exploit_kit.rules)
2062893 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (leftykreh .com) (exploit_kit.rules)
2062894 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .nashbashmotorsports .com) (malware.rules)
2062895 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .nashbashmotorsports .com) (malware.rules)
2062896 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqueryapihelpers .com) (exploit_kit.rules)
2062897 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (angularapiworld .com) (exploit_kit.rules)
2062898 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (jqueryapihelpers .com) (exploit_kit.rules)
2062899 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (angularapiworld .com) (exploit_kit.rules)
2062900 - ET MALWARE TA569 Stage 2 Domain in DNS Lookup (www .vesglobal .org) (malware.rules)
2062901 - ET MALWARE TA569 Stage 2 Domain in TLS SNI (www .vesglobal .org) (malware.rules)
2062902 - ET MALWARE Interlock CnC Domain in DNS Lookup (config-edge-assets .live) (malware.rules)
2062903 - ET MALWARE Interlock CnC Domain in TLS SNI (config-edge-assets .live) (malware.rules)
2062904 - ET MALWARE Interlock CnC Domain in DNS Lookup (showing-bl-order-skiing .trycloudflare .com) (malware.rules)
2062905 - ET MALWARE Interlock CnC Domain in TLS SNI (showing-bl-order-skiing .trycloudflare .com) (malware.rules)
2062906 - ET MALWARE Interlock CnC Domain in DNS Lookup (scary-halo-designing-time .trycloudflare .com) (malware.rules)
2062907 - ET MALWARE Interlock CnC Domain in TLS SNI (scary-halo-designing-time .trycloudflare .com) (malware.rules)
2062908 - ET MALWARE Interlock CnC Domain in DNS Lookup (ears-circus-cam-lake .trycloudflare .com) (malware.rules)
2062909 - ET MALWARE Interlock CnC Domain in TLS SNI (ears-circus-cam-lake .trycloudflare .com) (malware.rules)
2062910 - ET MALWARE Interlock CnC Domain in DNS Lookup (reached-loose-cashiers-logic .trycloudflare .com) (malware.rules)
2062911 - ET MALWARE Interlock CnC Domain in TLS SNI (reached-loose-cashiers-logic .trycloudflare .com) (malware.rules)
2062912 - ET MALWARE Interlock CnC Domain in DNS Lookup (never-powered-agency-hear .trycloudflare .com) (malware.rules)
2062913 - ET MALWARE Interlock CnC Domain in TLS SNI (never-powered-agency-hear .trycloudflare .com) (malware.rules)

Pro:

2862150 - ETPRO PHISHING Observed DNS Query to TA399 Domain (phishing.rules)
2862151 - ETPRO PHISHING Observed TA399 Domain in TLS SNI (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/01/28 - v10847 Ruleset Updates	122	January 28, 2025
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	277	August 29, 2023
Ruleset Update Summary - 2024/10/21 - v10724 Ruleset Updates	119	October 21, 2024
Ruleset Update Summary - 2023/09/14 - v10417 Ruleset Updates	247	September 14, 2023
Ruleset Update Summary - 2024/06/10 - v10613 Ruleset Updates	159	June 10, 2024

Ruleset Update Summary - 2025/06/11 - v10948

Summary:

Added rules:

Open:

Pro:

Related topics