Ruleset Update Summary - 2025/07/21 - v10974

rulesbot · July 21, 2025, 8:36pm

Summary:

55 new OPEN, 67 new PRO (55 + 12)

Thanks @ActiveCmeasures, @corelight

Added rules:

Open:

2063592 - ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header (hunting.rules)
2063593 - ET INFO DYNAMIC_DNS Query to a *.badrodent .com domain (info.rules)
2063594 - ET INFO DYNAMIC_DNS HTTP Request to a *.badrodent .com domain (info.rules)
2063595 - ET INFO DYNAMIC_DNS Query to a *.michaelfoody .com domain (info.rules)
2063596 - ET INFO DYNAMIC_DNS HTTP Request to a *.michaelfoody .com domain (info.rules)
2063597 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cooawbi .top) (malware.rules)
2063598 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cooawbi .top) in TLS SNI (malware.rules)
2063599 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mnemvlk .top) (malware.rules)
2063600 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mnemvlk .top) in TLS SNI (malware.rules)
2063601 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ourkbpw .top) (malware.rules)
2063602 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ourkbpw .top) in TLS SNI (malware.rules)
2063603 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dogbij .top) (malware.rules)
2063604 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dogbij .top) in TLS SNI (malware.rules)
2063605 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (permwgp .xyz) (malware.rules)
2063606 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (permwgp .xyz) in TLS SNI (malware.rules)
2063607 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (recopcwr .top) (malware.rules)
2063608 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (recopcwr .top) in TLS SNI (malware.rules)
2063609 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resqtk .top) (malware.rules)
2063610 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resqtk .top) in TLS SNI (malware.rules)
2063611 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seruneqy .live) (malware.rules)
2063612 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seruneqy .live) in TLS SNI (malware.rules)
2063613 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (siniavzv .life) (malware.rules)
2063614 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (siniavzv .life) in TLS SNI (malware.rules)
2063615 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strujqwn .xyz) (malware.rules)
2063616 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (strujqwn .xyz) in TLS SNI (malware.rules)
2063617 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (swalocf .lat) (malware.rules)
2063618 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (swalocf .lat) in TLS SNI (malware.rules)
2063619 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thoqp .lat) (malware.rules)
2063620 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thoqp .lat) in TLS SNI (malware.rules)
2063621 - ET WEB_SPECIFIC_APPS Cisco RV Series Router form-file-upload Stored Cross Site Scripting Attempt (CVE-2023-20073) (web_specific_apps.rules)
2063622 - ET WEB_SPECIFIC_APPS Cisco RV Series Router sys_setting.htm md5_password Parameter Command Injection Attempt (CVE-2023-20117) (web_specific_apps.rules)
2063623 - ET WEB_SPECIFIC_APPS Cisco RV Series Router import_config.cgi USBconfigfile Command Injection Attempt (CVE-2023-20128) (web_specific_apps.rules)
2063624 - ET WEB_SPECIFIC_APPS Microsoft Exchange OWA Authenticated Server-Side Request Forgery (ZDI-CAN-22101) M1 (web_specific_apps.rules)
2063625 - ET WEB_SPECIFIC_APPS Microsoft Exchange OWA Authenticated Server-Side Request Forgery (ZDI-CAN-22101) M2 (web_specific_apps.rules)
2063626 - ET WEB_SPECIFIC_APPS Microsoft Exchange OWA Authenticated Server-Side Request Forgery (usd-2021-0021) M1 (web_specific_apps.rules)
2063627 - ET WEB_SPECIFIC_APPS Microsoft Exchange OWA Authenticated Server-Side Request Forgery (usd-2021-0021) M2 (web_specific_apps.rules)
2063628 - ET INFO DYNAMIC_DNS Query to a *.devenam .com domain (info.rules)
2063629 - ET INFO DYNAMIC_DNS HTTP Request to a *.devenam .com domain (info.rules)
2063630 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (app .novationseo .com) (malware.rules)
2063631 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (app .novationseo .com) (malware.rules)
2063632 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tunenrnc .top) (malware.rules)
2063633 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tunenrnc .top) in TLS SNI (malware.rules)
2063634 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ultracpj .xyz) (malware.rules)
2063635 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ultracpj .xyz) in TLS SNI (malware.rules)
2063636 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vegemuoe .top) (malware.rules)
2063637 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vegemuoe .top) in TLS SNI (malware.rules)
2063638 - ET WEB_SPECIFIC_APPS Cisco RV Series Router sys_snmp.htm Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
2063639 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (streaming-films .xyz) (exploit_kit.rules)
2063640 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (streaming-films .xyz) (exploit_kit.rules)
2063641 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (www .airdriediamondcabs .ca) (malware.rules)
2063642 - ET MALWARE TA569 Staging Server Domain in TLS SNI (www .airdriediamondcabs .ca) (malware.rules)
2063643 - ET HUNTING Microsoft Exchange OWA Authenticated Unsigned JSON Web Token (JWT) Request M1 (hunting.rules)
2063644 - ET HUNTING Microsoft Exchange OWA Authenticated Unsigned JSON Web Token (JWT) Request M2 (hunting.rules)
2063645 - ET WEB_SPECIFIC_APPS Microsoft Sharepoint WebPartPages Authenticated Remote Code Execution (CVE-2021-28474) (web_specific_apps.rules)
2063646 - ET WEB_SPECIFIC_APPS Joomla JS jobs Plugin jsjobs GDPR Multiple Parameters SQL Injection Attempt (CVE-2025-222066, CVE-2025-22208) (web_specific_apps.rules)

Pro:

2863551 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2863552 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2863553 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2863554 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2863555 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2863556 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2863557 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2863558 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2863559 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2863560 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2863561 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2863562 - ETPRO EXPLOIT Microsoft SharePoint ToolPane Authentication Bypass (CVE-2025-53771) (exploit.rules)

Modified inactive rules:

2056309 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (internationalcricketboard .com) (exploit_kit.rules)
2056310 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (internationalcricketboard .com) (exploit_kit.rules)
2056348 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (innerglowjourney .com) (exploit_kit.rules)
2056349 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (reputationb .com) (exploit_kit.rules)
2056350 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paperbearsweets .com) (exploit_kit.rules)
2056351 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (innerglowjourney .com) (exploit_kit.rules)
2056352 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (reputationb .com) (exploit_kit.rules)
2056353 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paperbearsweets .com) (exploit_kit.rules)
2056377 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (indoprimitiveart .com) (exploit_kit.rules)
2056378 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (indoprimitiveart .com) (exploit_kit.rules)
2056386 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thehyperfocus .quest) (exploit_kit.rules)
2056387 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yaseraljazeera .com) (exploit_kit.rules)
2056388 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thehyperfocus .quest) (exploit_kit.rules)
2056389 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yaseraljazeera .com) (exploit_kit.rules)
2056432 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tecstify .com) (exploit_kit.rules)
2056433 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jerescarla .com) (exploit_kit.rules)
2056434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (shaoriffandco .com) (exploit_kit.rules)
2056437 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tecstify .com) (exploit_kit.rules)
2056438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jerescarla .com) (exploit_kit.rules)
2056439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (shaoriffandco .com) (exploit_kit.rules)
2056489 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (chartzend .com) (exploit_kit.rules)
2056527 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (souguru .com) (exploit_kit.rules)
2056528 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (robotprintmoney .com) (exploit_kit.rules)
2056529 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tratoragricola .com) (exploit_kit.rules)
2056532 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (souguru .com) (exploit_kit.rules)
2056533 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (robotprintmoney .com) (exploit_kit.rules)
2056534 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tratoragricola .com) (exploit_kit.rules)
2056535 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (pushcg .com) (exploit_kit.rules)
2056536 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (pushcg .com) (exploit_kit.rules)
2056548 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ggoryo .com) (exploit_kit.rules)
2056549 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ggoryo .com) (exploit_kit.rules)
2056576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (unsbrtng .cfd) (exploit_kit.rules)
2056577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (unsbrtng .cfd) (exploit_kit.rules)
2056617 - ET MALWARE Observed CleanUp Loader Domain (crystalmaker .pro in TLS SNI) (malware.rules)
2056618 - ET MALWARE Observed CleanUp Loader Domain (crystal-maker .com in TLS SNI) (malware.rules)
2056619 - ET MALWARE Observed CleanUp Loader Domain (firscountryours .eu in TLS SNI) (malware.rules)
2056620 - ET MALWARE Observed CleanUp Loader Domain (backuppingplanseasy .com in TLS SNI) (malware.rules)
2056621 - ET MALWARE Observed CleanUp Loader Domain (prodfindfeatures .com in TLS SNI) (malware.rules)
2056622 - ET MALWARE Observed CleanUp Loader Domain (microssoft-teams .com in TLS SNI) (malware.rules)
2056623 - ET MALWARE Observed CleanUp Loader Domain (buydotclearlynet .com in TLS SNI) (malware.rules)
2056624 - ET MALWARE Observed CleanUp Loader Domain (metalforthecoredream .com in TLS SNI) (malware.rules)
2056625 - ET MALWARE Observed CleanUp Loader Domain (itisthebestforyou .eu in TLS SNI) (malware.rules)
2056626 - ET MALWARE Observed CleanUp Loader Domain (whereverhomebe .com in TLS SNI) (malware.rules)
2056627 - ET MALWARE Observed CleanUp Loader Domain (micrsoft-teams-download .com in TLS SNI) (malware.rules)
2056628 - ET MALWARE Observed CleanUp Loader Domain (time-check-broker .com in TLS SNI) (malware.rules)
2056629 - ET MALWARE Observed CleanUp Loader Domain (microsoftt-teams .com in TLS SNI) (malware.rules)
2056630 - ET MALWARE Observed CleanUp Loader Domain (docsfromthewest .com in TLS SNI) (malware.rules)
2056631 - ET MALWARE Observed CleanUp Loader Domain (auttodessk .com in TLS SNI) (malware.rules)
2056632 - ET MALWARE Observed CleanUp Loader Domain (lakeshorehomebuilders .com in TLS SNI) (malware.rules)
2056633 - ET MALWARE Observed CleanUp Loader Domain (heartwithinadream .com in TLS SNI) (malware.rules)
2056634 - ET MALWARE Observed CleanUp Loader Domain (aut0deskk .com in TLS SNI) (malware.rules)
2056638 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (megaarmshop .com) (exploit_kit.rules)
2056639 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (megaarmshop .com) (exploit_kit.rules)
2056647 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rooms .fierceatfifty .com) (malware.rules)
2056648 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .rooms .fierceatfifty .com) (malware.rules)
2056681 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (y553488469 .top) (exploit_kit.rules)
2056682 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bailingla .com) (exploit_kit.rules)
2056683 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (y553488469 .top) (exploit_kit.rules)
2056684 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bailingla .com) (exploit_kit.rules)
2056718 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (milan77burn .top) (exploit_kit.rules)
2056719 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (raptwinter .shop) (exploit_kit.rules)
2056720 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (10086623 .top) (exploit_kit.rules)
2056721 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tqshoes .shop) (exploit_kit.rules)
2056722 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (milan77burn .top) (exploit_kit.rules)
2056723 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (raptwinter .shop) (exploit_kit.rules)
2056724 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (10086623 .top) (exploit_kit.rules)
2056725 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tqshoes .shop) (exploit_kit.rules)
2858508 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858509 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858510 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858511 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858534 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858535 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858640 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858641 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858679 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858680 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858710 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

2038840 - ET MALWARE Brute Ratel Fake User-Agent (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/01/27 - v10846 Ruleset Updates	100	January 27, 2025
Ruleset Update Summary - 2025/04/28 - v10915 Ruleset Updates	127	April 28, 2025
Ruleset Update Summary - 2025/04/21 - v10910 Ruleset Updates	114	April 21, 2025
Ruleset Update Summary - 2025/07/08 - v10965 Ruleset Updates	90	July 8, 2025
Ruleset Update Summary - 2025/01/22 - v10843 Ruleset Updates	285	January 22, 2025

Ruleset Update Summary - 2025/07/21 - v10974

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Removed rules:

Related topics