Ruleset Update Summary - 2025/06/30 - v10960

Summary:

31 new OPEN, 198 new PRO (31 + 167)
Added rules:

Open:

  • 2063216 - ET INFO DYNAMIC_DNS Query to a *.nigelupchurch .com domain (info.rules)
  • 2063217 - ET INFO DYNAMIC_DNS HTTP Request to a *.nigelupchurch .com domain (info.rules)
  • 2063218 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cexpxg .xyz) (malware.rules)
  • 2063219 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cexpxg .xyz) in TLS SNI (malware.rules)
  • 2063220 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (malware.rules)
  • 2063221 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (comkxjs .xyz) in TLS SNI (malware.rules)
  • 2063222 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ketxsuz .xyz) (malware.rules)
  • 2063223 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ketxsuz .xyz) in TLS SNI (malware.rules)
  • 2063224 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liaxn .xyz) (malware.rules)
  • 2063225 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (liaxn .xyz) in TLS SNI (malware.rules)
  • 2063226 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pacwpw .xyz) (malware.rules)
  • 2063227 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pacwpw .xyz) in TLS SNI (malware.rules)
  • 2063228 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (malware.rules)
  • 2063229 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sqgzl .xyz) in TLS SNI (malware.rules)
  • 2063230 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trsuv .xyz) (malware.rules)
  • 2063231 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trsuv .xyz) in TLS SNI (malware.rules)
  • 2063232 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unurew .xyz) (malware.rules)
  • 2063233 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unurew .xyz) in TLS SNI (malware.rules)
  • 2063234 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (urarfx .xyz) (malware.rules)
  • 2063235 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (urarfx .xyz) in TLS SNI (malware.rules)
  • 2063236 - ET MALWARE BitterAPT CnC Domain in DNS Lookup (sporcketngearforu .com) (malware.rules)
  • 2063237 - ET MALWARE BitterAPT CnC Domain in DNS Lookup (goalvaidclub .com) (malware.rules)
  • 2063238 - ET MALWARE BitterAPT CnC Domain in DNS Lookup (ebeninstallsvc .com) (malware.rules)
  • 2063239 - ET MALWARE BitterAPT Kiwi2.0 Data Exfiltration Attempt (malware.rules)
  • 2063240 - ET MALWARE Observed BitterAPT CnC Domain (sporcketngearforu .com) in TLS SNI (malware.rules)
  • 2063241 - ET MALWARE Observed BitterAPT CnC Domain (goalvaidclub .com) in TLS SNI (malware.rules)
  • 2063242 - ET MALWARE Observed BitterAPT CnC Domain (ebeninstallsvc .com) in TLS SNI (malware.rules)
  • 2063243 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (sample .tcroadgear .com) (malware.rules)
  • 2063244 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (sample .tcroadgear .com) (malware.rules)
  • 2063245 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lighri .top) (malware.rules)
  • 2063246 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lighri .top) in TLS SNI (malware.rules)

Pro:

  • 2863161 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2863162 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2863163 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2863164 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2863165 - ETPRO INFO Microsoft SSO Attempt with Invalid CobrandId (info.rules)
  • 2863174 - ETPRO PHISHING Generic Phish Landing Page M1 2025-06-27 (phishing.rules)
  • 2863175 - ETPRO PHISHING Generic Phish Landing Page M2 2025-06-27 (phishing.rules)
  • 2863180 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863181 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863182 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863183 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863184 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863185 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863186 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863187 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863188 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863189 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863192 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863193 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2863194 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2863195 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2863196 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2863197 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863198 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2863199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2863201 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2863204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863205 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863206 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863207 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863208 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863209 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863210 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863211 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863212 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863213 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863214 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863215 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863216 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863217 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863218 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863219 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863220 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863221 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863222 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863223 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863224 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863225 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863226 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863227 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863228 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863229 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863230 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863231 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863232 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863233 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863234 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863235 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863236 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863237 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863238 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863239 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863240 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863241 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863242 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863243 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863244 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863245 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863246 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863247 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863248 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863249 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863250 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863251 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863252 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863253 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863254 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863255 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863256 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863257 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863258 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863259 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863260 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863261 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863262 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863263 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863264 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863265 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863266 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863267 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863268 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863269 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863270 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863271 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863272 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863273 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863274 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863275 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863276 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863277 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863278 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863279 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863280 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863281 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863282 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863283 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863284 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863285 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863286 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863287 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863288 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863289 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863290 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863291 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863292 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863293 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863294 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863295 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863296 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863297 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863298 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863299 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863300 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863301 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863302 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863303 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863304 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863305 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863306 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863307 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863308 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863309 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863310 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863311 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863312 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863313 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863314 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863315 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863316 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863317 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863318 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863321 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863322 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863323 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863324 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863325 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863326 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863327 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863328 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863329 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863330 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863331 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863332 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863333 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863334 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2863335 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2863336 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2863337 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2863338 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2863339 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2863340 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2863341 - ETPRO ATTACK_RESPONSE Observed ClickFix Fake Booking .com Landing Page (attack_response.rules)