Ruleset Update Summary - 2025/07/17 - v10972

Ruleset Updates
1

Summary:

14 new OPEN, 22 new PRO (14 + 8)

Added rules:

Open:

  • 2063545 - ET WEB_SPECIFIC_APPS Cisco ISE ERS API Unauthenticated RCE (CVE-2025-20281) (web_specific_apps.rules)
  • 2063546 - ET INFO DYNAMIC_DNS Query to a *.stardustcommercialservices .com domain (info.rules)
  • 2063547 - ET INFO DYNAMIC_DNS HTTP Request to a *.stardustcommercialservices .com domain (info.rules)
  • 2063548 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (secure .clinchstar .com) (malware.rules)
  • 2063549 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (secure .clinchstar .com) (malware.rules)
  • 2063550 - ET WEB_SPECIFIC_APPS Totolink formLoginAuth.htm Authentication Bypass Attempt (CVE-2024-31814) (web_specific_apps.rules)
  • 2063551 - ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi setUssd ussd Parameter Command Injection Attempt (CVE-2024-53333) (web_specific_apps.rules)
  • 2063552 - ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi setIPPortFilterRules Mulitple Parameters Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063553 - ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi setDiagnosisCfg ip Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063554 - ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi setLanguageCfg lang Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063555 - ET WEB_SPECIFIC_APPS Alcatel AP1361D Command Injection in Web Login (CVE-2025-52688) (web_specific_apps.rules)
  • 2063556 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (as5yo .top) (exploit_kit.rules)
  • 2063557 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (as5yo .top) (exploit_kit.rules)
  • 2063558 - ET EXPLOIT Alcatel AP1361D Command Injection in cluster_cor Service (CVE-2025-52690) (exploit.rules)

Pro:

  • 2863527 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863529 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863530 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863531 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863532 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863533 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863534 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863535 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)