Ruleset Update Summary - 2025/07/10 - v10967

Summary:

33 new OPEN, 34 new PRO (33 + 1)


Added rules:

Open:

  • 2063378 - ET EXPLOIT GTPDoor Client Beacon Response (TCP) (exploit.rules)
  • 2063379 - ET WEB_SPECIFIC_APPS ServiceNow Platform Unauthorized Data Inference via Conditional ACLs (CVE-2025-3648) (web_specific_apps.rules)
  • 2063380 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (accsrf .top) (malware.rules)
  • 2063381 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (accsrf .top in TLS SNI) (malware.rules)
  • 2063382 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atlantqlpt .bet) (malware.rules)
  • 2063383 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atlantqlpt .bet in TLS SNI) (malware.rules)
  • 2063384 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genmkh .xyz) (malware.rules)
  • 2063385 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genmkh .xyz in TLS SNI) (malware.rules)
  • 2063386 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lodib .xyz) (malware.rules)
  • 2063387 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lodib .xyz in TLS SNI) (malware.rules)
  • 2063388 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dkkig .xyz) (malware.rules)
  • 2063389 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dkkig .xyz in TLS SNI) (malware.rules)
  • 2063390 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dzyzb .xyz) (malware.rules)
  • 2063391 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dzyzb .xyz in TLS SNI) (malware.rules)
  • 2063392 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ryxpq .xyz) (malware.rules)
  • 2063393 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ryxpq .xyz in TLS SNI) (malware.rules)
  • 2063394 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lnofi .xyz) (malware.rules)
  • 2063395 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lnofi .xyz in TLS SNI) (malware.rules)
  • 2063396 - ET EXPLOIT ASUSWRT Command Injection via load_script Hook in appGet.cgi (CVE-2018-14714) (exploit.rules)
  • 2063397 - ET INFO DYNAMIC_DNS Query to a *.casiomexico .com .mx domain (info.rules)
  • 2063398 - ET INFO DYNAMIC_DNS HTTP Request to a *.casiomexico .com .mx domain (info.rules)
  • 2063399 - ET MALWARE Agent Tesla CnC Exfil via TCP (malware.rules)
  • 2063400 - ET INFO DYNAMIC_DNS Query to a *.coybu .com domain (info.rules)
  • 2063401 - ET INFO DYNAMIC_DNS HTTP Request to a *.coybu .com domain (info.rules)
  • 2063402 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (praimr .xyz) (malware.rules)
  • 2063403 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (praimr .xyz) in TLS SNI (malware.rules)
  • 2063404 - ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081) (web_specific_apps.rules)
  • 2063405 - ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Buffer Overflow Attempt (CVE-2025-7090) (web_specific_apps.rules)
  • 2063406 - ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091) (web_specific_apps.rules)
  • 2063407 - ET WEB_SPECIFIC_APPS Belkin formWlanSetupWPS Multiple Parameters Buffer Overflow Attempt (CVE-2025-7092) (web_specific_apps.rules)
  • 2063408 - ET WEB_SPECIFIC_APPS Belkin formSetLanguage webpage Parameter Buffer Overflow Attempt (CVE-2025-7093) (web_specific_apps.rules)
  • 2063409 - ET MALWARE TA569 Stage 2 Domain in DNS Lookup (www .split2econd .com) (malware.rules)
  • 2063410 - ET MALWARE TA569 Stage 2 Domain in TLS SNI (www .split2econd .com) (malware.rules)

Pro:

  • 2863430 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2063377 - ET MALWARE GTPDoor Ack Beacon Request (TCP) (malware.rules)

Removed rules:

  • 2063378 - ET MALWARE GTPDoor Client Beacon Response (TCP) (malware.rules)