Ruleset Update Summary - 2025/06/16 - v10951

Summary:

22 new OPEN, 23 new PRO (22 + 1)

There will be no rule release on Thursday, June 19, 2025 on account of it being a PFPT Holiday.

Added rules:

Open:

  • 2063001 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guerp .xyz) (malware.rules)
  • 2063002 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (guerp .xyz) in TLS SNI (malware.rules)
  • 2063003 - ET INFO DYNAMIC_DNS Query to a *.c-om .net domain (info.rules)
  • 2063004 - ET INFO DYNAMIC_DNS HTTP Request to a *.c-om .net domain (info.rules)
  • 2063005 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unlfee .xyz) (malware.rules)
  • 2063006 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unlfee .xyz) in TLS SNI (malware.rules)
  • 2063007 - ET HUNTING Dotted Quad Host Base64-Encoded Powershell Payload (hunting.rules)
  • 2063008 - ET HUNTING Dotted Quad Host Base64-Encoded PHP payload (hunting.rules)
  • 2063009 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (nodeapiintegrate .com) (exploit_kit.rules)
  • 2063010 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (nodeapiintegrate .com) (exploit_kit.rules)
  • 2063011 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (6hms .top) (exploit_kit.rules)
  • 2063012 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (6hms .top) (exploit_kit.rules)
  • 2063013 - ET INFO DYNAMIC_DNS Query to a *.jakegub .com domain (info.rules)
  • 2063014 - ET INFO DYNAMIC_DNS HTTP Request to a *.jakegub .com domain (info.rules)
  • 2063015 - ET INFO DYNAMIC_DNS Query to a *.medialoverz .com domain (info.rules)
  • 2063016 - ET INFO DYNAMIC_DNS HTTP Request to a *.medialoverz .com domain (info.rules)
  • 2063017 - ET HUNTING Dotted Quad Host Workzueg HTTP Server String Response (hunting.rules)
  • 2063018 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (cellinifurniture .com) (exploit_kit.rules)
  • 2063019 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (cellinifurniture .com) (exploit_kit.rules)
  • 2063020 - ET HUNTING Dotted Quad Host Suspected IoT Botnet Loader Shell Script (hunting.rules)
  • 2063021 - ET MALWARE Observed Subdomain Hijacker Domain to AI Slop in DNS Lookup (pgpump .github .io) (malware.rules)
  • 2063022 - ET MALWARE Observed Subdomain Hijacker Domain to AI Slop in TLS SNI (pgpump .github .io) (malware.rules)

Pro:

  • 2862225 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2061305 - ET WEB_SPECIFIC_APPS Apache Pinot Authentication Bypass (CVE-2024-56325) (web_specific_apps.rules)
  • 2062295 - ET HUNTING PHP Serialize Object Injection M1 (hunting.rules)
  • 2062297 - ET HUNTING PHP Serialize Object Injection M3 (hunting.rules)
  • 2062454 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062455 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sorts-pushed-completely-manuals .trycloudflare .com) (exploit_kit.rules)
  • 2062604 - ET INFO DYNAMIC_DNS Query to nip .io Domain (info.rules)
  • 2062777 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .doggiefountain .com) (malware.rules)
  • 2062780 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .doggiefountain .com) (malware.rules)
  • 2861512 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861712 - ETPRO MALWARE Observed DNS Query to TA399/Sidewinder Domain (malware.rules)
  • 2861716 - ETPRO MALWARE Observed TA399/Sidewinder Domain in TLS SNI (malware.rules)