Summary:
33 new OPEN, 43 new PRO (33 + 10)
Added rules:
Open:
- 2063559 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771) (web_specific_apps.rules)
- 2063560 - ET INFO DYNAMIC_DNS Query to a *.betak .net domain (info.rules)
- 2063561 - ET INFO DYNAMIC_DNS HTTP Request to a *.betak .net domain (info.rules)
- 2063562 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (mgmt .studerandson .us) (malware.rules)
- 2063563 - ET MALWARE Win32/TA569 Gholoader Domain in TLS SNI (mgmt .studerandson .us) (malware.rules)
- 2063564 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (dl .newtoyourgame .com) (malware.rules)
- 2063565 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (dl .newtoyourgame .com) (malware.rules)
- 2063566 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dktnd .top) (malware.rules)
- 2063567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dktnd .top) in TLS SNI (malware.rules)
- 2063568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famigh .shop) (malware.rules)
- 2063569 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (famigh .shop) in TLS SNI (malware.rules)
- 2063570 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gehkmx .top) (malware.rules)
- 2063571 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gehkmx .top) in TLS SNI (malware.rules)
- 2063572 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (libdm .top) (malware.rules)
- 2063573 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (libdm .top) in TLS SNI (malware.rules)
- 2063574 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sacrp .top) (malware.rules)
- 2063575 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sacrp .top) in TLS SNI (malware.rules)
- 2063576 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trbxlj .top) (malware.rules)
- 2063577 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trbxlj .top) in TLS SNI (malware.rules)
- 2063578 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unxyng .top) (malware.rules)
- 2063579 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unxyng .top) in TLS SNI (malware.rules)
- 2063580 - ET MALWARE Rainbow Hyena Backdoor PhantomRemote (poll) C2 Traffic (malware.rules)
- 2063581 - ET MALWARE Rainbow Hyena Backdoor PhantomRemote (result) C2 Traffic (malware.rules)
- 2063582 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bond007 .xyz) (exploit_kit.rules)
- 2063583 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bond007 .xyz) (exploit_kit.rules)
- 2063584 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (socketapiupdates .com) (exploit_kit.rules)
- 2063585 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (socketapiupdates .com) (exploit_kit.rules)
- 2063586 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (adspixle .com) (malware.rules)
- 2063587 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (adspixle .com) (malware.rules)
- 2063588 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (mysticaltrekking .com) (malware.rules)
- 2063589 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (mysticaltrekking .com) (malware.rules)
- 2063590 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (mgmt .studerandson .us) (malware.rules)
- 2063591 - ET MALWARE TA569 Staging Server Domain in TLS SNI (mgmt .studerandson .us) (malware.rules)
Pro:
- 2863537 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2863538 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2863539 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2863540 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2863541 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2863542 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2863543 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2863544 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2863545 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2863546 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
Modified inactive rules:
- 2056734 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (srftjwrty6kew .shop) (exploit_kit.rules)
- 2056735 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (srftjwrty6kew .shop) (exploit_kit.rules)
- 2056740 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (dareka4te .shop) (exploit_kit.rules)
- 2056741 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (dareka4te .shop) (exploit_kit.rules)
- 2056742 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .house .zionanakwenze .com) (malware.rules)
- 2056743 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .house .zionanakwenze .com) (malware.rules)
- 2056769 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (saveourmalta .com) (exploit_kit.rules)
- 2056770 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (deltaldcenter .com) (exploit_kit.rules)
- 2056771 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (saveourmalta .com) (exploit_kit.rules)
- 2056772 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (deltaldcenter .com) (exploit_kit.rules)
- 2858738 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2858739 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2858740 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2063471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz) (malware.rules)
- 2063487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop) (malware.rules)
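Added example, not part of this changelog or of any Emerging Threats / Proofpoint tooling: a Python parser for the changelog format used above. It extracts SID, tier (ET vs ETPRO), category, rule file and section (added / modified inactive / disabled) from each line, refangs the defanged domains (the " ." convention used above, including the "* ." wildcard form) into a domain-to-SID map that excludes disabled rules, and cross-checks the "N new OPEN, M new PRO (N + K)" summary line against what was actually parsed. The sample input is a constructed excerpt of the list above with its summary counts adjusted to match the excerpt; the channel classification (DNS vs TLS SNI vs HTTP, from the rule message wording) is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the changelog above; the summary counts are adjusted
# to match this excerpt, everything else is copied as it appears on the page.
SAMPLE = """\
Summary:
4 new OPEN, 5 new PRO (4 + 1)
Added rules:
Open:
- 2063559 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771) (web_specific_apps.rules)
- 2063560 - ET INFO DYNAMIC_DNS Query to a *.betak .net domain (info.rules)
- 2063562 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (mgmt .studerandson .us) (malware.rules)
- 2063567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dktnd .top) in TLS SNI (malware.rules)
Pro:
- 2863545 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
Modified inactive rules:
- 2056742 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .house .zionanakwenze .com) (malware.rules)
Disabled and modified rules:
- 2063471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz) (malware.rules)
"""

# "- <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_LINE = re.compile(r"^- (\d+) - (ET|ETPRO) ([A-Z_]+) (.+?) \(([\w.-]+\.rules)\)$")
# Defanged domain: labels separated by " ." (optionally led by a wildcard "*." / "* .").
DEFANGED = re.compile(r"(?:\*\s?\.)?[\w-]+(?:\s\.[\w-]+)+")
SUMMARY = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")

# Section headings used by the changelog, mapped to the action they describe.
SECTION_ACTIONS = {
    "Added rules:": "added",
    "Modified inactive rules:": "modified_inactive",
    "Disabled and modified rules:": "disabled",
}

# Assumed mapping from message wording to the protocol the rule inspects.
CHANNELS = (("DNS Lookup", "dns"), ("DYNAMIC_DNS Query", "dns"), ("TLS SNI", "tls"), ("HTTP", "http"))


@dataclass
class RuleEntry:
    sid: int
    tier: str        # "open" (ET) or "pro" (ETPRO)
    category: str    # MALWARE, EXPLOIT_KIT, ...
    message: str
    rulefile: str
    action: str      # added / modified_inactive / disabled
    domains: list = field(default_factory=list)  # refanged


def refang(defanged: str) -> str:
    """'mgmt .studerandson .us' -> 'mgmt.studerandson.us'; '* .x .com' -> '*.x.com'."""
    return re.sub(r"\s+\.", ".", defanged)


def detection_channel(entry: RuleEntry) -> str:
    for needle, name in CHANNELS:
        if needle in entry.message:
            return name
    return "other"


def parse_changelog(text: str) -> list:
    entries, action = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_ACTIONS:           # "Open:" / "Pro:" do not change the action
            action = SECTION_ACTIONS[line]
            continue
        m = RULE_LINE.match(line)
        if m is None or action is None:
            continue
        sid, prefix, category, message, rulefile = m.groups()
        entries.append(RuleEntry(int(sid), "pro" if prefix == "ETPRO" else "open",
                                 category, message, rulefile, action,
                                 [refang(d) for d in DEFANGED.findall(message)]))
    return entries


def indicators(entries, actions=("added",), channel=None) -> dict:
    """Refanged domain -> set of SIDs, limited to the given actions (and channel, if set)."""
    out = {}
    for e in entries:
        if e.action not in actions or (channel and detection_channel(e) != channel):
            continue
        for d in e.domains:
            out.setdefault(d, set()).add(e.sid)
    return out


def verify_summary(text: str, entries) -> bool:
    """Check 'N new OPEN, M new PRO (N + K)' against the parsed 'Added rules' section."""
    m = SUMMARY.search(text)
    if m is None:
        return False
    open_new, pro_total, pro_open, pro_only = map(int, m.groups())
    added = [e for e in entries if e.action == "added"]
    n_open = sum(e.tier == "open" for e in added)
    n_pro = sum(e.tier == "pro" for e in added)
    return (open_new, pro_open, pro_only, pro_total) == (n_open, n_open, n_pro, n_open + n_pro)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("summary consistent:", verify_summary(SAMPLE, parsed))
    for domain, sids in sorted(indicators(parsed, channel="dns").items()):
        print(f"{domain}\t{sorted(sids)}")
```

Feeding the full list above through `parse_changelog` gives 33 open and 10 pro entries under "Added rules", which is what the summary line claims (43 PRO = 33 + 10, since the ETPRO set includes the open rules). Keeping disabled SIDs out of the default `indicators()` output matters: a domain that ET has stopped alerting on should not silently stay in a blocklist built from an earlier day's changelog.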