Ruleset Update Summary - 2025/07/08 - v10965

rulesbot · July 8, 2025, 8:40pm

Summary:

34 new OPEN, 44 new PRO (34 + 10)

Added rules:

Open:

2063327 - ET INFO Open-source Customer Service Platform Domain in DNS Lookup (chatwoot .com) (info.rules)
2063328 - ET INFO Open-source Customer Service Platform Domain in TLS SNI (chatwoot .com) (info.rules)
2063329 - ET INFO Observed RMM Domain in DNS Lookup ( * .monitic .com) (info.rules)
2063330 - ET INFO Observed RMM Domain in TLS SNI ( * .monitic .com) (info.rules)
2063331 - ET INFO DYNAMIC_DNS Query to a *.bestprogramsforkids .com domain (info.rules)
2063332 - ET INFO DYNAMIC_DNS HTTP Request to a *.bestprogramsforkids .com domain (info.rules)
2063333 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (abtsi .com) (exploit_kit.rules)
2063334 - ET EXPLOIT_KIT LandUpdate808 Domain (abtsi .com) in TLS SNI (exploit_kit.rules)
2063335 - ET WEB_SPECIFIC_APPS Totolink X15 formIPv6Addr submit-url Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2063336 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (www .thelist2win .com) (malware.rules)
2063337 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (www .thelist2win .com) (malware.rules)
2063338 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fiuylj .top) (malware.rules)
2063339 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fiuylj .top) in TLS SNI (malware.rules)
2063340 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (giyewf .shop) (malware.rules)
2063341 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (giyewf .shop) in TLS SNI (malware.rules)
2063342 - ET MALWARE NordDragonScan CnC Checkin (malware.rules)
2063343 - ET EXPLOIT Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation (CVE-2017-12635) (exploit.rules)
2063344 - ET EXPLOIT Apache Struts Local File Inclusion Attempt Inbound (CVE-2016-3082) (exploit.rules)
2063345 - ET MALWARE NordDragonScan Data Exfiltration Attempt (malware.rules)
2063346 - ET MALWARE NordDragonScan CnC Domain in DNS Lookup (secfileshare .com) (malware.rules)
2063347 - ET MALWARE NordDragonScan CnC Domain in DNS Lookup (kpuszkiev .com) (malware.rules)
2063348 - ET MALWARE Observed NordDragonScan Domain (secfileshare .com) in TLS SNI (malware.rules)
2063349 - ET MALWARE Observed NordDragonScan Domain (kpuszkiev .com) in TLS SNI (malware.rules)
2063350 - ET INFO Monitic RMM API Activity (Installer) (info.rules)
2063351 - ET INFO Monitic RMM API Activity (Profiling) (info.rules)
2063352 - ET INFO Monitic RMM API Activity (Detect User IP) (info.rules)
2063353 - ET INFO Monitic RMM API Activity (Get Config) (info.rules)
2063354 - ET INFO Monitic RMM API Activity (Get Token) (info.rules)
2063355 - ET INFO Monitic RMM API Activity (Download Installer) (info.rules)
2063356 - ET EXPLOIT ManageEngine Desktop Central Unauthorized Administrative Password Reset (CVE-2015-2560) (exploit.rules)
2063357 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqueryapishelpers .com) (exploit_kit.rules)
2063358 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (fetchapiutility .com) (exploit_kit.rules)
2063359 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (jqueryapishelpers .com) (exploit_kit.rules)
2063360 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (fetchapiutility .com) (exploit_kit.rules)

Pro:

2863396 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2863397 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2863398 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2863399 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2863400 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2863401 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2863402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2863403 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2863404 - ETPRO HUNTING Microsoft SPNEGO Extended Negotiation (NEGOEX) Unauthenticated Remote Code Execution (CVE-2025-47981) (hunting.rules)
2863405 - ETPRO EXPLOIT Microsoft SharePoint Unauthenticated Remote Code Execution (CVE-2025-49704) (exploit.rules)

Modified inactive rules:

2057217 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mundiprep .com) (exploit_kit.rules)
2057219 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (asianchow .com) (exploit_kit.rules)
2057221 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vinsaca .com) (exploit_kit.rules)
2057249 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chat2cams .com) (exploit_kit.rules)
2057251 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (webapiintegration .cloud) (exploit_kit.rules)
2057252 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (webapiintegration .cloud) (exploit_kit.rules)
2057293 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dailyfragrancedeals .com) (exploit_kit.rules)
2057294 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (girlsgifs .com) (exploit_kit.rules)
2057295 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dailyfragrancedeals .com) (exploit_kit.rules)
2057296 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (girlsgifs .com) (exploit_kit.rules)
2057315 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (compugest .com) (exploit_kit.rules)
2057316 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (compugest .com) (exploit_kit.rules)
2057331 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (junocis .com) (exploit_kit.rules)
2057380 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (culinarycanvasgrilling .com) (exploit_kit.rules)
2057381 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (culinarycanvasgrilling .com) (exploit_kit.rules)
2057406 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (omenkid .top) (exploit_kit.rules)
2057407 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (omenkid .top) (exploit_kit.rules)
2057408 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fencingfriends .com) (exploit_kit.rules)
2057409 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fencingfriends .com) (exploit_kit.rules)
2057438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (xcdd1003 .com) (exploit_kit.rules)
2057439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (xcdd1003 .com) (exploit_kit.rules)
2057449 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yimuzds .com) (exploit_kit.rules)
2057451 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yimuzds .com) (exploit_kit.rules)
2057631 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rshank .com) (exploit_kit.rules)
2057632 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rshank .com) (exploit_kit.rules)
2057633 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crickout .com) (exploit_kit.rules)
2057634 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crickout .com) (exploit_kit.rules)
2057676 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (eliztalks .com) (exploit_kit.rules)
2057677 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (eliztalks .com) (exploit_kit.rules)
2057678 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (franklinida .com) (exploit_kit.rules)
2057679 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (franklinida .com) (exploit_kit.rules)
2057688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (petshopsg .com) (exploit_kit.rules)
2057689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (petshopsg .com) (exploit_kit.rules)
2057696 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) (malware.rules)
2057697 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) (malware.rules)
2057698 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) (malware.rules)
2057699 - ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) (malware.rules)
2057700 - ET MALWARE Observed Lumma Stealer Domain (peepburry828 .sbs in TLS SNI) (malware.rules)
2057701 - ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI) (malware.rules)
2057702 - ET MALWARE Observed Lumma Stealer Domain (p3ar11fter .sbs in TLS SNI) (malware.rules)
2057710 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (bytesbazar .com) (exploit_kit.rules)
2057712 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (inayatullah .com) (exploit_kit.rules)
2057713 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viralnavigator .com) (exploit_kit.rules)
2057714 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eegqzvxd .shop) (exploit_kit.rules)
2057715 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (inayatullah .com) (exploit_kit.rules)
2057716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viralnavigator .com) (exploit_kit.rules)
2057717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eegqzvxd .shop) (exploit_kit.rules)
2057718 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (genhil .com) (exploit_kit.rules)
2057719 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (genhil .com) (exploit_kit.rules)
2057724 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tickerwell .com) (exploit_kit.rules)
2057725 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tickerwell .com) (exploit_kit.rules)
2057732 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (segurofinalizar .shop) (exploit_kit.rules)
2057733 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (segurofinalizar .shop) (exploit_kit.rules)
2057734 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nyciot .com) (exploit_kit.rules)
2057735 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nyciot .com) (exploit_kit.rules)
2057739 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (safigdata .com) (exploit_kit.rules)
2057740 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (safigdata .com) (exploit_kit.rules)
2057776 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cases .pcohenlaw .com) (malware.rules)
2057793 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (reviewtypes .com) (exploit_kit.rules)
2057794 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (modandcrackedapk .com) (exploit_kit.rules)
2057795 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (assetoutdoor .shop) (exploit_kit.rules)
2057796 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (opporeno8 .com) (exploit_kit.rules)
2057797 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (reviewtypes .com) (exploit_kit.rules)
2057800 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (esaleerugs .com) (exploit_kit.rules)
2057808 - ET MALWARE Observed Malicious Domain (meowware .ddns .net in TLS SNI) (malware.rules)
2057882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (weeatsome .com) (exploit_kit.rules)
2057890 - ET MALWARE Observed Payload Delivery Domain (shopping-nice .com in TLS SNI) (malware.rules)
2057895 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (premiosdosul .com) (exploit_kit.rules)
2058020 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aquabaru .online) (exploit_kit.rules)
2058022 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bfd78 .biz) (exploit_kit.rules)
2058025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aquabaru .online) (exploit_kit.rules)
2058026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chudautu .info) (exploit_kit.rules)
2058050 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (q8ds .net) (exploit_kit.rules)
2058121 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tasteofgoodness .info) (exploit_kit.rules)
2858872 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858873 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858874 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858876 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858877 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858883 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2858884 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2858885 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2858886 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2858930 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858999 - ETPRO PHISHING Observed Social Security Administration Impersonation Domain in TLS SNI (phishing.rules)
2859001 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859003 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859006 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859020 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859025 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859026 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859061 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859062 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859063 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859064 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859065 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859066 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859089 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859090 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859092 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859127 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859129 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859134 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859141 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859201 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859249 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859253 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859254 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859259 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859359 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/04/21 - v10910 Ruleset Updates	114	April 21, 2025
Ruleset Update Summary - 2025/02/18 - v10861 Ruleset Updates	188	February 18, 2025
Ruleset Update Summary - 2025/01/06 - v10830 Ruleset Updates	164	January 6, 2025
Ruleset Update Summary - 2024/11/25 - v10750 Ruleset Updates	78	November 25, 2024
Ruleset Update Summary - 2025/03/10 - v10875 Ruleset Updates	135	March 10, 2025

Ruleset Update Summary - 2025/07/08 - v10965

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics