Ruleset Update Summary - 2025/07/18 - v10973

Ruleset Updates
1

Summary:

33 new OPEN, 43 new PRO (33 + 10)

Added rules:

Open:

  • 2063559 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771) (web_specific_apps.rules)
  • 2063560 - ET INFO DYNAMIC_DNS Query to a *.betak .net domain (info.rules)
  • 2063561 - ET INFO DYNAMIC_DNS HTTP Request to a *.betak .net domain (info.rules)
  • 2063562 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (mgmt .studerandson .us) (malware.rules)
  • 2063563 - ET MALWARE Win32/TA569 Gholoader Domain in TLS SNI (mgmt .studerandson .us) (malware.rules)
  • 2063564 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (dl .newtoyourgame .com) (malware.rules)
  • 2063565 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (dl .newtoyourgame .com) (malware.rules)
  • 2063566 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dktnd .top) (malware.rules)
  • 2063567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dktnd .top) in TLS SNI (malware.rules)
  • 2063568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famigh .shop) (malware.rules)
  • 2063569 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (famigh .shop) in TLS SNI (malware.rules)
  • 2063570 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gehkmx .top) (malware.rules)
  • 2063571 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gehkmx .top) in TLS SNI (malware.rules)
  • 2063572 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (libdm .top) (malware.rules)
  • 2063573 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (libdm .top) in TLS SNI (malware.rules)
  • 2063574 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sacrp .top) (malware.rules)
  • 2063575 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sacrp .top) in TLS SNI (malware.rules)
  • 2063576 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trbxlj .top) (malware.rules)
  • 2063577 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trbxlj .top) in TLS SNI (malware.rules)
  • 2063578 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unxyng .top) (malware.rules)
  • 2063579 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unxyng .top) in TLS SNI (malware.rules)
  • 2063580 - ET MALWARE Rainbow Hyena Backdoor PhantomRemote (poll) C2 Traffic (malware.rules)
  • 2063581 - ET MALWARE Rainbow Hyena Backdoor PhantomRemote (result) C2 Traffic (malware.rules)
  • 2063582 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bond007 .xyz) (exploit_kit.rules)
  • 2063583 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bond007 .xyz) (exploit_kit.rules)
  • 2063584 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (socketapiupdates .com) (exploit_kit.rules)
  • 2063585 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (socketapiupdates .com) (exploit_kit.rules)
  • 2063586 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (adspixle .com) (malware.rules)
  • 2063587 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (adspixle .com) (malware.rules)
  • 2063588 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (mysticaltrekking .com) (malware.rules)
  • 2063589 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (mysticaltrekking .com) (malware.rules)
  • 2063590 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (mgmt .studerandson .us) (malware.rules)
  • 2063591 - ET MALWARE TA569 Staging Server Domain in TLS SNI (mgmt .studerandson .us) (malware.rules)

Pro:

  • 2863537 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863538 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863539 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863540 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863541 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863542 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863543 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863544 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863545 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2863546 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2056734 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (srftjwrty6kew .shop) (exploit_kit.rules)
  • 2056735 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (srftjwrty6kew .shop) (exploit_kit.rules)
  • 2056740 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (dareka4te .shop) (exploit_kit.rules)
  • 2056741 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (dareka4te .shop) (exploit_kit.rules)
  • 2056742 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .house .zionanakwenze .com) (malware.rules)
  • 2056743 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .house .zionanakwenze .com) (malware.rules)
  • 2056769 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (saveourmalta .com) (exploit_kit.rules)
  • 2056770 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (deltaldcenter .com) (exploit_kit.rules)
  • 2056771 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (saveourmalta .com) (exploit_kit.rules)
  • 2056772 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (deltaldcenter .com) (exploit_kit.rules)
  • 2858738 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858739 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858740 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2063471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz) (malware.rules)
  • 2063487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop) (malware.rules)