Ruleset Update Summary - 2025/06/11 - v10948

Summary:

39 new OPEN, 41 new PRO (39 + 2)

Added rules:

Open:

  • 2062875 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (obs-studio .live) (exploit_kit.rules)
  • 2062876 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (streamcore .pro) (exploit_kit.rules)
  • 2062877 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (fb-extension .com) (exploit_kit.rules)
  • 2062878 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (instchr .icu) (exploit_kit.rules)
  • 2062879 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (aderir .com) (exploit_kit.rules)
  • 2062880 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (obs-studio .live) (exploit_kit.rules)
  • 2062881 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (streamcore .pro) (exploit_kit.rules)
  • 2062882 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (fb-extension .com) (exploit_kit.rules)
  • 2062883 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (instchr .icu) (exploit_kit.rules)
  • 2062884 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (aderir .com) (exploit_kit.rules)
  • 2062885 - ET HUNTING HTTP Response Containing Base64-Encoded and Compressed Powershell Payload Keywords (hunting.rules)
  • 2062886 - ET MALWARE GorillaBot CnC Server Probe (malware.rules)
  • 2062887 - ET MALWARE GorillaBot CnC Magic-Byte Response (Bot Configuration) (malware.rules)
  • 2062888 - ET HUNTING HTTP Response Containing Base64-Encoded Powershell Payload Keywords (hunting.rules)
  • 2062889 - ET MALWARE GorillaBot Victim BotID Sent to CnC Server (malware.rules)
  • 2062890 - ET INFO DYNAMIC_DNS Query to a *.maganaki .com domain (info.rules)
  • 2062891 - ET INFO DYNAMIC_DNS HTTP Request to a *.maganaki .com domain (info.rules)
  • 2062892 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (leftykreh .com) (exploit_kit.rules)
  • 2062893 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (leftykreh .com) (exploit_kit.rules)
  • 2062894 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .nashbashmotorsports .com) (malware.rules)
  • 2062895 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .nashbashmotorsports .com) (malware.rules)
  • 2062896 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqueryapihelpers .com) (exploit_kit.rules)
  • 2062897 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (angularapiworld .com) (exploit_kit.rules)
  • 2062898 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (jqueryapihelpers .com) (exploit_kit.rules)
  • 2062899 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (angularapiworld .com) (exploit_kit.rules)
  • 2062900 - ET MALWARE TA569 Stage 2 Domain in DNS Lookup (www .vesglobal .org) (malware.rules)
  • 2062901 - ET MALWARE TA569 Stage 2 Domain in TLS SNI (www .vesglobal .org) (malware.rules)
  • 2062902 - ET MALWARE Interlock CnC Domain in DNS Lookup (config-edge-assets .live) (malware.rules)
  • 2062903 - ET MALWARE Interlock CnC Domain in TLS SNI (config-edge-assets .live) (malware.rules)
  • 2062904 - ET MALWARE Interlock CnC Domain in DNS Lookup (showing-bl-order-skiing .trycloudflare .com) (malware.rules)
  • 2062905 - ET MALWARE Interlock CnC Domain in TLS SNI (showing-bl-order-skiing .trycloudflare .com) (malware.rules)
  • 2062906 - ET MALWARE Interlock CnC Domain in DNS Lookup (scary-halo-designing-time .trycloudflare .com) (malware.rules)
  • 2062907 - ET MALWARE Interlock CnC Domain in TLS SNI (scary-halo-designing-time .trycloudflare .com) (malware.rules)
  • 2062908 - ET MALWARE Interlock CnC Domain in DNS Lookup (ears-circus-cam-lake .trycloudflare .com) (malware.rules)
  • 2062909 - ET MALWARE Interlock CnC Domain in TLS SNI (ears-circus-cam-lake .trycloudflare .com) (malware.rules)
  • 2062910 - ET MALWARE Interlock CnC Domain in DNS Lookup (reached-loose-cashiers-logic .trycloudflare .com) (malware.rules)
  • 2062911 - ET MALWARE Interlock CnC Domain in TLS SNI (reached-loose-cashiers-logic .trycloudflare .com) (malware.rules)
  • 2062912 - ET MALWARE Interlock CnC Domain in DNS Lookup (never-powered-agency-hear .trycloudflare .com) (malware.rules)
  • 2062913 - ET MALWARE Interlock CnC Domain in TLS SNI (never-powered-agency-hear .trycloudflare .com) (malware.rules)

Pro:

  • 2862150 - ETPRO PHISHING Observed DNS Query to TA399 Domain (phishing.rules)
  • 2862151 - ETPRO PHISHING Observed TA399 Domain in TLS SNI (phishing.rules)