Ruleset Update Summary - 2025/07/15 - v10970

Ruleset Updates
1

Summary:

63 new OPEN, 71 new PRO (63 + 8)

Added rules:

Open:

  • 2063450 - ET HUNTING GoogleSheets API V4 Activity (Fetch Single Cell with A1 Notation) (hunting.rules)
  • 2063451 - ET HUNTING GoogleSheets API V4 Response (Single Cell with UUID) (hunting.rules)
  • 2063452 - ET HUNTING GoogleSheets API V4 Activity (Possible Exfil) (hunting.rules)
  • 2063453 - ET MALWARE Voldemort System Info Exfil (malware.rules)
  • 2063454 - ET PHISHING Observed DNS Query to UNK_SparkyCarp Domain (phishing.rules)
  • 2063455 - ET PHISHING Observed DNS Query to UNK_SparkyCarp Domain (phishing.rules)
  • 2063456 - ET PHISHING Observed UNK_SparkyCarp Domain in TLS SNI (phishing.rules)
  • 2063457 - ET MALWARE Observed DNS Query to UNK_DropPitch Domain (malware.rules)
  • 2063458 - ET MALWARE Observed UNK_DropPitch Domain in TLS SNI (malware.rules)
  • 2063459 - ET PHISHING Observed UNK_SparkyCarp Domain in TLS SNI (phishing.rules)
  • 2063460 - ET MALWARE Observed DNS Query to UNK_DropPitch Domain (malware.rules)
  • 2063461 - ET MALWARE Observed UNK_DropPitch Domain in TLS SNI (malware.rules)
  • 2063462 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (perdvg .lat) (malware.rules)
  • 2063463 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (perdvg .lat in TLS SNI) (malware.rules)
  • 2063464 - ET EXPLOIT Broadcom Altiris IRM Unauthenticated Remote Code Execution (CVE-2025-5333) (exploit.rules)
  • 2063465 - ET INFO DYNAMIC_DNS Query to a *.envytations .com domain (info.rules)
  • 2063466 - ET INFO DYNAMIC_DNS HTTP Request to a *.envytations .com domain (info.rules)
  • 2063467 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (files .tucsonrenovationservices .com) (malware.rules)
  • 2063468 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (files .tucsonrenovationservices .com) (malware.rules)
  • 2063469 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (pre-order .sodakconcretecoatings .com) (malware.rules)
  • 2063470 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (pre-order .sodakconcretecoatings .com) (malware.rules)
  • 2063471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz) (malware.rules)
  • 2063472 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (annwt .xyz) in TLS SNI (malware.rules)
  • 2063473 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bardj .xyz) (malware.rules)
  • 2063474 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bardj .xyz) in TLS SNI (malware.rules)
  • 2063475 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dryzc .xyz) (malware.rules)
  • 2063476 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dryzc .xyz) in TLS SNI (malware.rules)
  • 2063477 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greqjfu .xyz) (malware.rules)
  • 2063478 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (greqjfu .xyz) in TLS SNI (malware.rules)
  • 2063479 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prvqhm .shop) (malware.rules)
  • 2063480 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (prvqhm .shop) in TLS SNI (malware.rules)
  • 2063481 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sorrij .top) (malware.rules)
  • 2063482 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sorrij .top) in TLS SNI (malware.rules)
  • 2063483 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tharq .shop) (malware.rules)
  • 2063484 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tharq .shop) in TLS SNI (malware.rules)
  • 2063485 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (triobm .xyz) (malware.rules)
  • 2063486 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (triobm .xyz) in TLS SNI (malware.rules)
  • 2063487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop) (malware.rules)
  • 2063488 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ungryo .shop) in TLS SNI (malware.rules)
  • 2063489 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vervzv .xyz) (malware.rules)
  • 2063490 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vervzv .xyz) in TLS SNI (malware.rules)
  • 2063491 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (deathmatchuk .com) (exploit_kit.rules)
  • 2063492 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (deathmatchuk .com) (exploit_kit.rules)
  • 2063493 - ET MALWARE Raton TLS Server Certificate (malware.rules)
  • 2063494 - ET WEB_SPECIFIC_APPS Nexxt Solutions um_ping_set.cgi Ping_host_text Parameter Command Injection Attempt (CVE-2025-52377) (web_specific_apps.rules)
  • 2063495 - ET WEB_SPECIFIC_APPS Nexxt Solutions um_device3_set_aliasname DEVICE_ALIAS Parameter Cross Site Scripting Attempt (CVE-2025-52378) (web_specific_apps.rules)
  • 2063496 - ET WEB_SPECIFIC_APPS Nexxt Solutions um_web_upgrade.cgi filename Parameter Command Injection Attempt (CVE-2025-52379) (web_specific_apps.rules)
  • 2063497 - ET WEB_SPECIFIC_APPS Nexxt Solutions um_fileName_set.cgi upgradeFileName Parameter Command Injection Attempt (CVE-2025-52379) (web_specific_apps.rules)
  • 2063498 - ET INFO Observed Port Mapping/Tunneling Service Domain (portmap .io) in TLS SNI (info.rules)
  • 2063499 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (niazw .pics) (malware.rules)
  • 2063500 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (niazw .pics in TLS SNI) (malware.rules)
  • 2063501 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (daruubs .top) (malware.rules)
  • 2063502 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (daruubs .top in TLS SNI) (malware.rules)
  • 2063503 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cidtfhh .shop) (malware.rules)
  • 2063504 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cidtfhh .shop in TLS SNI) (malware.rules)
  • 2063505 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz) (malware.rules)
  • 2063506 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (annwt .xyz in TLS SNI) (malware.rules)
  • 2063507 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop) (malware.rules)
  • 2063508 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ungryo .shop in TLS SNI) (malware.rules)
  • 2063509 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rayrhs .top) (malware.rules)
  • 2063510 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rayrhs .top in TLS SNI) (malware.rules)
  • 2063511 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (furwmsx .shop) (malware.rules)
  • 2063512 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (furwmsx .shop in TLS SNI) (malware.rules)

Pro:

  • 2863499 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863500 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863501 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863502 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863503 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863504 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863505 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863506 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2057214 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mercro .com) (exploit_kit.rules)
  • 2057215 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mercro .com) (exploit_kit.rules)
  • 2057218 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vinsaca .com) (exploit_kit.rules)
  • 2057220 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mundiprep .com) (exploit_kit.rules)
  • 2057222 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (asianchow .com) (exploit_kit.rules)
  • 2057250 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chat2cams .com) (exploit_kit.rules)
  • 2057297 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vicrin .com) (exploit_kit.rules)
  • 2057298 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vicrin .com) (exploit_kit.rules)
  • 2057332 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (junocis .com) (exploit_kit.rules)
  • 2858870 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858871 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858875 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859002 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859004 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859005 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2863249 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863263 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863266 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)

Removed rules:

  • 2857963 - ETPRO HUNTING GoogleSheets API V4 Activity (Fetch Single Cell with A1 Notation) (hunting.rules)
  • 2857964 - ETPRO HUNTING GoogleSheets API V4 Response (Single Cell with UUID) (hunting.rules)
  • 2857976 - ETPRO HUNTING GoogleSheets API V4 Activity (Possible Exfil) (hunting.rules)
  • 2858210 - ETPRO MALWARE Voldemort System Info Exfil (malware.rules)