Ruleset Update Summary - 2025/06/24 - v10956

Summary:

18 new OPEN, 19 new PRO (18 + 1)

Thanks KevinRoss


Added rules:

Open:

  • 2063156 - ET PHISHING Observed Usage of Non-Alphanumeric Javascript Obfuscation M1 (phishing.rules)
  • 2063157 - ET INFO Observed DNS Query to Web Hosting Domain (cdn .glitch .com) (info.rules)
  • 2063158 - ET INFO Observed DNS Query to Web Hosting Domain (cdn .glitch .global) (info.rules)
  • 2063159 - ET INFO Observed Web Hosting Domain (cdn .glitch .com in TLS SNI) (info.rules)
  • 2063160 - ET INFO Observed Web Hosting Domain (cdn .glitch .global in TLS SNI) (info.rules)
  • 2063161 - ET PHISHING Observed Usage of Non-Alphanumeric Javascript Obfuscation M2 (phishing.rules)
  • 2063162 - ET MALWARE KimJongRAT Data Exfiltration Attempt (malware.rules)
  • 2063163 - ET MALWARE KimJongRAT CnC Checkin (malware.rules)
  • 2063164 - ET MALWARE Lapdogs CnC Domain in DNS Lookup (northumbra .com) (malware.rules)
  • 2063165 - ET MALWARE Observed Lapdogs CnC Domain (northumbra .com) in TLS SNI (malware.rules)
  • 2063166 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (swedrent .com) (exploit_kit.rules)
  • 2063167 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (swedrent .com) (exploit_kit.rules)
  • 2063168 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (folders .emeraldpinesolutions .com) (malware.rules)
  • 2063169 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (folders .emeraldpinesolutions .com) (malware.rules)
  • 2063170 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gizqt .xyz) (malware.rules)
  • 2063171 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gizqt .xyz) in TLS SNI (malware.rules)
  • 2063172 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (matkdpy .xyz) (malware.rules)
  • 2063173 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (matkdpy .xyz) in TLS SNI (malware.rules)

Pro:

  • 2863023 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2063134 - ET HUNTING Observed ConnectWise ScreenConnect SSL Certificate (hunting.rules)
  • 2063135 - ET HUNTING Observed ConnectWise ScreenConnect SSL Certificate (hunting.rules)
  • 2063136 - ET HUNTING Observed ConnectWise ScreenConnect SSL Certificate (hunting.rules)
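Turning a summary like the one above into something actionable (a list of SIDs to confirm in the deployed ruleset, and the defanged domains refanged into a DNS/TLS-SNI blocklist) is a small parsing job. The script below is an added example and is not Emerging Threats' own tooling; it assumes the bullet layout used on this page (`SID - name (file.rules)`, domains defanged as `label .label`) and assumes ET's published SID allocation (ET Open in 2000000-2099999, ETPRO in 2800000-2899999) for the section/SID consistency check. The sample input is a constructed subset of the bullets above.

```python
"""Parse an Emerging Threats ruleset update summary into SIDs, rule files and IOC domains.

Added example, not part of the ET summary or ET's tooling. It extracts each bullet's
SID, section, rule name, rule file and any defanged domains, refangs the domains for a
DNS / TLS-SNI blocklist, and checks that SID ranges agree with the Open/Pro section.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the bullets from the summary above, copied verbatim.
SAMPLE = """\
Open:

  • 2063157 - ET INFO Observed DNS Query to Web Hosting Domain (cdn .glitch .com) (info.rules)
  • 2063159 - ET INFO Observed Web Hosting Domain (cdn .glitch .com in TLS SNI) (info.rules)
  • 2063162 - ET MALWARE KimJongRAT Data Exfiltration Attempt (malware.rules)
  • 2063164 - ET MALWARE Lapdogs CnC Domain in DNS Lookup (northumbra .com) (malware.rules)
  • 2063168 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (folders .emeraldpinesolutions .com) (malware.rules)

Pro:

  • 2863023 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2063134 - ET HUNTING Observed ConnectWise ScreenConnect SSL Certificate (hunting.rules)
"""

SECTION_RE = re.compile(r"^(\S.*?):\s*$")
BULLET_RE = re.compile(r"^\s*[•*-]\s*(\d+)\s+-\s+(.*?)\s+\(([\w.-]+\.rules)\)\s*$")
# Defanged domain as written in ET summaries: labels separated by " ." (e.g. "cdn .glitch .com").
DEFANGED_RE = re.compile(r"(?<![\w/.])[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+(?![\w.])")

# Assumption: ET's published SID allocation for the Open and Pro rulesets.
SID_RANGES = {"Open": range(2000000, 2100000), "Pro": range(2800000, 2900000)}


@dataclass
class RuleEntry:
    sid: int
    section: str
    name: str
    rulefile: str
    domains: list = field(default_factory=list)


def refang(defanged: str) -> str:
    """Turn 'cdn .glitch .com' back into 'cdn.glitch.com'."""
    return re.sub(r"\s+\.", ".", defanged).lower()


def parse_summary(text: str) -> list:
    """Return one RuleEntry per bullet, tagged with the section heading it appears under."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = BULLET_RE.match(line)
        if not m:
            continue
        sid, name, rulefile = int(m.group(1)), m.group(2), m.group(3)
        domains = [refang(d) for d in DEFANGED_RE.findall(name)]
        entries.append(RuleEntry(sid, section or "?", name, rulefile, domains))
    return entries


def blocklist(entries: list) -> list:
    """Unique refanged domains, sorted, ready for a DNS / TLS-SNI blocklist."""
    return sorted({d for e in entries for d in e.domains})


def sid_section_mismatches(entries: list) -> list:
    """SIDs whose numeric range disagrees with the Open/Pro section they are listed under."""
    bad = []
    for e in entries:
        expected = SID_RANGES.get(e.section)
        if expected is not None and e.sid not in expected:
            bad.append(e.sid)
    return bad


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for e in parsed:
        print(e.section, e.sid, e.rulefile, e.domains)
    print("blocklist:", blocklist(parsed))
    print("mismatches:", sid_section_mismatches(parsed))
```

Note that the INFO rules for cdn.glitch.com end up in the same domain list as the MALWARE and EXPLOIT_KIT domains; filter on the rule file (or the `ET INFO` prefix) before feeding the output to a blocklist, since a shared hosting CDN is not an IOC on its own.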