Summary:
15 new OPEN, 32 new PRO (15 + 17)
Added rules:
Open:
- 2063674 - ET INFO DYNAMIC_DNS Query to a *.hannahdvm .com domain (info.rules)
- 2063675 - ET INFO DYNAMIC_DNS HTTP Request to a *.hannahdvm .com domain (info.rules)
- 2063676 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (markets .globalequity360 .com) (malware.rules)
- 2063677 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (markets .globalequity360 .com) (malware.rules)
- 2063678 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genuschs .top) (malware.rules)
- 2063679 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genuschs .top) in TLS SNI (malware.rules)
- 2063680 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moslet .lat) (malware.rules)
- 2063681 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moslet .lat) in TLS SNI (malware.rules)
- 2063682 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pallvlxl .lat) (malware.rules)
- 2063683 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pallvlxl .lat) in TLS SNI (malware.rules)
- 2063684 - ET HUNTING Microsoft Sharepoint Server Insecure Deserialization via Scorecard DataSet Gadget (hunting.rules)
- 2063685 - ET WEB_SPECIFIC_APPS D-Link formSetWanDhcpplus curTime Parameter Buffer Overflow Attempt (CVE-2025-7945) (web_specific_apps.rules)
- 2063686 - ET WEB_SPECIFIC_APPS Mitel webconfig upload_ringtone Unauthenticated Command Injection/File Upload Attempt (CVE-2025-47188, CVE-2025-47187) (web_specific_apps.rules)
- 2063687 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (moruk .xyz) (exploit_kit.rules)
- 2063688 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (moruk .xyz) (exploit_kit.rules)
Pro:
- 2863611 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2863612 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2863613 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2863614 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2863615 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2863616 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2863617 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2863618 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2863619 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2863620 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2863621 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2863622 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2863623 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2863624 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2863625 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2863626 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2863627 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
Modified inactive rules:
- 2056179 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (roadrunnersell .com) (exploit_kit.rules)
- 2056180 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (roadrunnersell .com) (exploit_kit.rules)
- 2056197 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (md928zs .shop) (exploit_kit.rules)
- 2056198 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (md928zs .shop) (exploit_kit.rules)
- 2056199 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdngetmyname .biz) (exploit_kit.rules)
- 2056200 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdngetmyname .biz) (exploit_kit.rules)
- 2056201 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (restbycalm .com) (exploit_kit.rules)
- 2056202 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (restbycalm .com) (exploit_kit.rules)
- 2858504 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)