Ruleset Update Summary - 2025/07/03 - v10963

Summary:

20 new OPEN, 21 new PRO (20 + 1)


Added rules:

Open:

  • 2063279 - ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M1 (hunting.rules)
  • 2063280 - ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M2 (hunting.rules)
  • 2063281 - ET WEB_SPECIFIC_APPS Four-Faith adjust_sys_time adj_time Command Injection Attempt (CVE-2024-12856) (web_specific_apps.rules)
  • 2063282 - ET WEB_SPECIFIC_APPS H3C sys_dia_data_check file_name Parameter Directory Traversal Attempt (web_specific_apps.rules)
  • 2063283 - ET WEB_SPECIFIC_APPS HikVision triggerSnapshot fileUrl Parameter Arbitrary File Download Attempt (web_specific_apps.rules)
  • 2063284 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (git .xtertexter .com) (malware.rules)
  • 2063285 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (git .xtertexter .com) (malware.rules)
  • 2063286 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (images .venthalpyapp .com) (malware.rules)
  • 2063287 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (images .venthalpyapp .com) (malware.rules)
  • 2063288 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (casupfi .shop) (malware.rules)
  • 2063289 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (casupfi .shop) in TLS SNI (malware.rules)
  • 2063290 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nbcsfar .xyz) (malware.rules)
  • 2063291 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nbcsfar .xyz) in TLS SNI (malware.rules)
  • 2063292 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tarewry .xyz) (malware.rules)
  • 2063293 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tarewry .xyz) in TLS SNI (malware.rules)
  • 2063294 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ycvduc .xyz) (malware.rules)
  • 2063295 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ycvduc .xyz) in TLS SNI (malware.rules)
  • 2063296 - ET WEB_SPECIFIC_APPS HikVision upload.action JSP Webshell Upload Attempt (web_specific_apps.rules)
  • 2063297 - ET MALWARE UrgentBot Requesting Command From CnC Server (GET) (malware.rules)
  • 2063298 - ET MALWARE UrgentBot Sending Results to CnC Server (POST) (malware.rules)

Pro:

  • 2863375 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2060145 - ET MALWARE Observed DNS Query to REF7707 Domain (update .hobiter .com) (malware.rules)
  • 2060146 - ET MALWARE Observed DNS Query to REF7707 Domain (support .fortineat .com) (malware.rules)
  • 2060148 - ET MALWARE Observed DNS Query to REF7707 Domain (d-links .net) (malware.rules)
  • 2060150 - ET MALWARE Observed DNS Query to REF7707 Domain (cloud .autodiscovar .com) (malware.rules)
  • 2060152 - ET MALWARE Observed DNS Query to REF7707 Domain (support .vmphere .com) (malware.rules)
  • 2060154 - ET MALWARE Observed REF7707 Domain (support .fortineat .com in TLS SNI) (malware.rules)
  • 2060155 - ET MALWARE Observed REF7707 Domain (digert .ictnsc .com in TLS SNI) (malware.rules)
  • 2060159 - ET MALWARE Observed REF7707 Domain (vm-clouds .net in TLS SNI) (malware.rules)
  • 2060160 - ET MALWARE Observed REF7707 Domain (support .vmphere .com in TLS SNI) (malware.rules)
  • 2060199 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
  • 2060201 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
  • 2060224 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (onlinelas .com) (exploit_kit.rules)
  • 2060626 - ET MALWARE Observed DNS Query to OtterCookie Domain (alchemy-api-v3 .cloud) (malware.rules)
  • 2060627 - ET MALWARE Observed DNS Query to OtterCookie Domain (blastapi .org) (malware.rules)
  • 2060628 - ET MALWARE Observed OtterCookie Domain (alchemy-api-v3 .cloud in TLS SNI) (malware.rules)
  • 2060629 - ET MALWARE Observed OtterCookie Domain (blastapi .org in TLS SNI) (malware.rules)
  • 2060680 - ET MALWARE Observed DNS Query to ClickFix Domain (lydbonkersbimpjc .blogspot .com) (malware.rules)
  • 2060681 - ET MALWARE Observed DNS Query to ClickFix Domain (bookimanagerev .com) (malware.rules)
  • 2060682 - ET MALWARE Observed DNS Query to ClickFix Domain (cpth-cant .com) (malware.rules)
  • 2060683 - ET MALWARE Observed ClickFix Domain (lydbonkersbimpjc .blogspot .com in TLS SNI) (malware.rules)
  • 2060684 - ET MALWARE Observed ClickFix Domain (bookimanagerev .com in TLS SNI) (malware.rules)
  • 2060685 - ET MALWARE Observed ClickFix Domain (cpth-cant .com in TLS SNI) (malware.rules)
  • 2060762 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060776 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2060781 - ET MALWARE Observed DNS Query to ClickFix Domain (booking-sup-lang-eng .com) (malware.rules)
  • 2060782 - ET MALWARE Observed ClickFix Domain (booking-sup-lang-eng .com in TLS SNI) (malware.rules)
  • 2061094 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
  • 2061100 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)
  • 2860356 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2860357 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2860358 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
  • 2860359 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
  • 2860786 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2860789 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)