Ruleset Update Summary - 2025/07/14 - v10969

Ruleset Updates
1

Summary:

61 new OPEN, 73 new PRO (61 + 12)

Thanks @ActiveCmeasures, @corelight

Added rules:

Open:

  • 2021178 - ET RETIRED Metasploit Meterpreter Reverse HTTPS certificate (retired.rules)
  • 2044789 - ET RETIRED MacOS/MacStealer Data Exfiltration Attempt (retired.rules)
  • 2045175 - ET RETIRED JLORAT CnC Checkin (retired.rules)
  • 2048099 - ET RETIRED DCRAT CnC Domain in DNS Lookup (akamaitechcdns .com) (retired.rules)
  • 2048316 - ET RETIRED TA444 MacOS/ProcessRequest CnC Domain in DNS Lookup (swissborg .blog) (retired.rules)
  • 2048398 - ET RETIRED BunnyLoader Initial CnC Checkin Response (retired.rules)
  • 2049408 - ET RETIRED JynxLoaderV2 CnC Checkin (retired.rules)
  • 2050013 - ET RETIRED Epsilon Stealer Domain in DNS Lookup (3ps1l0n .life) (retired.rules)
  • 2050014 - ET RETIRED Observed Epsilon Stealer Domain (3ps1l0n .life) in TLS SNI (retired.rules)
  • 2050544 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (hhplaytom .com) (retired.rules)
  • 2050545 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (uperrunplay .com) (retired.rules)
  • 2050546 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (zulabra .com) (retired.rules)
  • 2050547 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (uplayground .online) (retired.rules)
  • 2050548 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (flapawer .com) (retired.rules)
  • 2050549 - ET RETIRED Allakore RAT CnC Domain in DNS Lookup (chaucheneguer .com) (retired.rules)
  • 2051131 - ET RETIRED TA421 Wineloader CnC Checkin (retired.rules)
  • 2051490 - ET RETIRED [ANY.RUN] PlanetStealer CnC Checkin (retired.rules)
  • 2051492 - ET RETIRED PlanetStealer Data Exfiltration Attempt (retired.rules)
  • 2051519 - ET RETIRED EvasivePanda/Daggerfly APT CnC Domain in DNS Lookup (devicebug .com) (retired.rules)
  • 2051520 - ET RETIRED Observed EvasivePanda/Daggerfly APT Domain (devicebug .com) in TLS SNI (retired.rules)
  • 2051521 - ET RETIRED NGC2180/DFKRAT CnC Domain in DNS Lookup (windowscer .shop) (retired.rules)
  • 2051522 - ET RETIRED Observed NGC2180/DFKRAT CnC Domain (windowscer .shop) in TLS SNI (retired.rules)
  • 2051806 - ET RETIRED TheMoon CnC Checkin (retired.rules)
  • 2052119 - ET RETIRED Win32/SSLoad Module Request (GET) (retired.rules)
  • 2052120 - ET RETIRED Win32/SSLoad Payload Request (GET) (retired.rules)
  • 2052121 - ET RETIRED Win32/SSLoad Payload Response (retired.rules)
  • 2052123 - ET RETIRED Anonymous RAT CnC Domain in DNS Lookup (anonymousrat8 .com) (retired.rules)
  • 2052571 - ET RETIRED SecShow Domain DNS Lookup (secshow .net) (retired.rules)
  • 2052572 - ET RETIRED SecShow Domain DNS Lookup (secshow .online) (retired.rules)
  • 2052573 - ET RETIRED SecShow Domain DNS Lookup (secdns .site) (retired.rules)
  • 2063419 - ET INFO DYNAMIC_DNS Query to a *.ryanng .com domain (info.rules)
  • 2063420 - ET INFO DYNAMIC_DNS HTTP Request to a *.ryanng .com domain (info.rules)
  • 2063421 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gecoea .lat) (malware.rules)
  • 2063422 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gecoea .lat) in TLS SNI (malware.rules)
  • 2063423 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (josyfs .shop) (malware.rules)
  • 2063424 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (josyfs .shop) in TLS SNI (malware.rules)
  • 2063425 - ET EXPLOIT HTTP POST with Common Ruby RCE Technique in Body (exploit.rules)
  • 2063426 - ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M1 (web_specific_apps.rules)
  • 2063427 - ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M2 (web_specific_apps.rules)
  • 2063428 - ET WEB_SPECIFIC_APPS Roundcube Post-Auth RCE via PHP Object Deserialization (CVE-2025-49113) (web_specific_apps.rules)
  • 2063429 - ET INFO DYNAMIC_DNS Query to a *.myowndamnnode .com domain (info.rules)
  • 2063430 - ET INFO DYNAMIC_DNS HTTP Request to a *.myowndamnnode .com domain (info.rules)
  • 2063431 - ET INFO DYNAMIC_DNS Query to a *.adventuregameclub .com domain (info.rules)
  • 2063432 - ET INFO DYNAMIC_DNS HTTP Request to a *.adventuregameclub .com domain (info.rules)
  • 2063433 - ET INFO DYNAMIC_DNS Query to a *.martyluther .com domain (info.rules)
  • 2063434 - ET INFO DYNAMIC_DNS HTTP Request to a *.martyluther .com domain (info.rules)
  • 2063435 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (cpanel .quantumconcretecoatings .com) (malware.rules)
  • 2063436 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (cpanel .quantumconcretecoatings .com) (malware.rules)
  • 2063437 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abremeh .top) (malware.rules)
  • 2063438 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abremeh .top) in TLS SNI (malware.rules)
  • 2063439 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eyertyn .lat) (malware.rules)
  • 2063440 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eyertyn .lat) in TLS SNI (malware.rules)
  • 2063441 - ET MALWARE Numinon CnC Activity via WebSockets (malware.rules)
  • 2063442 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (buyedmeds .top) (exploit_kit.rules)
  • 2063443 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (buyedmeds .top) (exploit_kit.rules)
  • 2063444 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (smithenv .com) (exploit_kit.rules)
  • 2063445 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (smithenv .com) (exploit_kit.rules)
  • 2063446 - ET PHISHING Tycoon2FA Phish Landing Page 2025-07-14 (phishing.rules)
  • 2063447 - ET PHISHING Tycoon2FA Phish Redirected Decoy Page 2025-07-14, EduVision (phishing.rules)
  • 2063448 - ET PHISHING Tycoon2FA Phish Redirected Decoy Page 2025-07-14, Portfolio Agency (phishing.rules)
  • 2063449 - ET PHISHING Tycoon2FA Phish Redirected Decoy Page 2025-07-14, Generic (phishing.rules)

Pro:

  • 2856589 - ETPRO RETIRED Malicious Payload Delivery Domain in DNS Lookup (retired.rules)
  • 2856590 - ETPRO RETIRED Malicious Payload Delivery Domain in TLS SNI (retired.rules)
  • 2863489 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863490 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863491 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863492 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863493 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863494 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863495 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863496 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863497 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2863498 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Disabled and modified rules:

  • 2036934 - ET MALWARE Win32/RecordBreaker CnC Checkin M1 (malware.rules)

Removed rules:

  • 2021178 - ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate (attack_response.rules)
  • 2044789 - ET MALWARE MacOS/MacStealer Data Exfiltration Attempt (malware.rules)
  • 2045175 - ET MALWARE JLORAT CnC Checkin (malware.rules)
  • 2048099 - ET MALWARE DCRAT CnC Domain in DNS Lookup (akamaitechcdns .com) (malware.rules)
  • 2048316 - ET MALWARE TA444 MacOS/ProcessRequest CnC Domain in DNS Lookup (swissborg .blog) (malware.rules)
  • 2048398 - ET MALWARE BunnyLoader Initial CnC Checkin Response (malware.rules)
  • 2049408 - ET MALWARE JynxLoaderV2 CnC Checkin (malware.rules)
  • 2050013 - ET MALWARE Epsilon Stealer Domain in DNS Lookup (3ps1l0n .life) (malware.rules)
  • 2050014 - ET MALWARE Observed Epsilon Stealer Domain (3ps1l0n .life) in TLS SNI (malware.rules)
  • 2050544 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (hhplaytom .com) (malware.rules)
  • 2050545 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uperrunplay .com) (malware.rules)
  • 2050546 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (zulabra .com) (malware.rules)
  • 2050547 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uplayground .online) (malware.rules)
  • 2050548 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (flapawer .com) (malware.rules)
  • 2050549 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (chaucheneguer .com) (malware.rules)
  • 2051131 - ET MALWARE TA421 Wineloader CnC Checkin (malware.rules)
  • 2051490 - ET MALWARE [ANY.RUN] PlanetStealer CnC Checkin (malware.rules)
  • 2051492 - ET MALWARE PlanetStealer Data Exfiltration Attempt (malware.rules)
  • 2051519 - ET MALWARE EvasivePanda/Daggerfly APT CnC Domain in DNS Lookup (devicebug .com) (malware.rules)
  • 2051520 - ET MALWARE Observed EvasivePanda/Daggerfly APT Domain (devicebug .com) in TLS SNI (malware.rules)
  • 2051521 - ET MALWARE NGC2180/DFKRAT CnC Domain in DNS Lookup (windowscer .shop) (malware.rules)
  • 2051522 - ET MALWARE Observed NGC2180/DFKRAT CnC Domain (windowscer .shop) in TLS SNI (malware.rules)
  • 2051806 - ET MALWARE TheMoon CnC Checkin (malware.rules)
  • 2052119 - ET MALWARE Win32/SSLoad Module Request (GET) (malware.rules)
  • 2052120 - ET MALWARE Win32/SSLoad Payload Request (GET) (malware.rules)
  • 2052121 - ET MALWARE Win32/SSLoad Payload Response (malware.rules)
  • 2052123 - ET MALWARE Anonymous RAT CnC Domain in DNS Lookup (anonymousrat8 .com) (malware.rules)
  • 2052571 - ET MALWARE SecShow Domain DNS Lookup (secshow .net) (malware.rules)
  • 2052572 - ET MALWARE SecShow Domain DNS Lookup (secshow .online) (malware.rules)
  • 2052573 - ET MALWARE SecShow Domain DNS Lookup (secdns .site) (malware.rules)
  • 2856589 - ETPRO MALWARE Malicious Payload Delivery Domain in DNS Lookup (malware.rules)
  • 2856590 - ETPRO MALWARE Malicious Payload Delivery Domain in TLS SNI (malware.rules)