Ruleset Update Summary - 2025/07/24 - v10977

Ruleset Updates
1

Summary:

29 new OPEN, 50 new PRO (29 + 21)

Added rules:

Open:

  • 2063689 - ET INFO ISLOnline RMM Installer Activity (info.rules)
  • 2063690 - ET INFO Default PolarSSL/mbedTLS Certificate Issuer Observed in Certificate M2 (info.rules)
  • 2063691 - ET INFO Default PolarSSL/mbedTLS Certificate Subject Observed in Certificate (info.rules)
  • 2063692 - ET INFO Commonly Actor Abused Online Service Domain (0zz0 .com) (info.rules)
  • 2063693 - ET INFO Observed Commonly Actor Abused Online Service Domain (0zz0 .com in TLS SNI) (info.rules)
  • 2063694 - ET INFO DYNAMIC_DNS Query to a *.redecasas .com domain (info.rules)
  • 2063695 - ET INFO DYNAMIC_DNS HTTP Request to a *.redecasas .com domain (info.rules)
  • 2063696 - ET INFO DYNAMIC_DNS Query to a *.sachhot .com domain (info.rules)
  • 2063697 - ET INFO DYNAMIC_DNS HTTP Request to a *.sachhot .com domain (info.rules)
  • 2063698 - ET INFO DYNAMIC_DNS Query to a *.vinoniv .com domain (info.rules)
  • 2063699 - ET INFO DYNAMIC_DNS HTTP Request to a *.vinoniv .com domain (info.rules)
  • 2063700 - ET INFO DYNAMIC_DNS Query to a *.dufwa .org domain (info.rules)
  • 2063701 - ET INFO DYNAMIC_DNS HTTP Request to a *.dufwa .org domain (info.rules)
  • 2063702 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (files .businessmondo .com) (malware.rules)
  • 2063703 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (files .businessmondo .com) (malware.rules)
  • 2063704 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eartheea .life) (malware.rules)
  • 2063705 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eartheea .life) in TLS SNI (malware.rules)
  • 2063706 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (familkqo .xyz) (malware.rules)
  • 2063707 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (familkqo .xyz) in TLS SNI (malware.rules)
  • 2063708 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (glassma .live) (malware.rules)
  • 2063709 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (glassma .live) in TLS SNI (malware.rules)
  • 2063710 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keepnody .top) (malware.rules)
  • 2063711 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (keepnody .top) in TLS SNI (malware.rules)
  • 2063712 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mosaicia .top) (malware.rules)
  • 2063713 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mosaicia .top) in TLS SNI (malware.rules)
  • 2063714 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (neocskfj .lol) (malware.rules)
  • 2063715 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (neocskfj .lol) in TLS SNI (malware.rules)
  • 2063716 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bestproductreviews .xyz) (exploit_kit.rules)
  • 2063717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bestproductreviews .xyz) (exploit_kit.rules)

Pro:

  • 2863628 - ETPRO MALWARE Formbook CnC Domain in DNS Lookup (malware.rules)
  • 2863629 - ETPRO MALWARE Observed Formbook Domain in TLS SNI (malware.rules)
  • 2863630 - ETPRO MALWARE Request to Abused Image Hosting With PowerShell User-Agent (malware.rules)
  • 2863631 - ETPRO ATTACK_RESPONSE Obfuscated Powershell Script Impersonating Image Inbound (attack_response.rules)
  • 2863632 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863633 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863634 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863635 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863636 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863637 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863638 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863639 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
  • 2863640 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863641 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863642 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863643 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863644 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863645 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863646 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863647 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
  • 2863648 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2055978 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chefspavilion .com) (exploit_kit.rules)
  • 2055979 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chefspavilion .com) (exploit_kit.rules)
  • 2055996 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (javadevssdk .com) (exploit_kit.rules)
  • 2055997 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (javadevssdk .com) (exploit_kit.rules)
  • 2055998 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mtpolice2030 .com) (exploit_kit.rules)
  • 2055999 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mtpolice2030 .com) (exploit_kit.rules)
  • 2056029 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (mozilaupgrade .com) (exploit_kit.rules)
  • 2056030 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (mozilaupgrade .com) (exploit_kit.rules)
  • 2056082 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (edgeupgrade .com) (exploit_kit.rules)
  • 2056083 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (edgeupgrade .com) (exploit_kit.rules)
  • 2056084 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (virtana-tech .com) (exploit_kit.rules)
  • 2056085 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (virtana-tech .com) (exploit_kit.rules)
  • 2056104 - ET EXPLOIT_KIT Fake Update Domain in DNS Lookup (mediamic .info) (exploit_kit.rules)
  • 2056105 - ET EXPLOIT_KIT Fake Update Domain in TLS SNI (mediamic .info) (exploit_kit.rules)
  • 2056106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (flyjeta .com) (exploit_kit.rules)
  • 2056107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (flyjeta .com) (exploit_kit.rules)
  • 2056108 - ET MALWARE SnipBot CnC Domain in DNS Lookup (webtimeapi .com) (malware.rules)
  • 2056109 - ET MALWARE SnipBot CnC Domain in DNS Lookup (cloudcreative .digital) (malware.rules)
  • 2056111 - ET MALWARE SnipBot CnC Domain in DNS Lookup (mcprotect .cloud) (malware.rules)
  • 2056112 - ET MALWARE SnipBot CnC Domain in DNS Lookup (sitepanel .top) (malware.rules)
  • 2056113 - ET MALWARE SnipBot CnC Domain in DNS Lookup (docstorage .link) (malware.rules)
  • 2056114 - ET MALWARE SnipBot CnC Domain in DNS Lookup (drv2ms .com) (malware.rules)
  • 2056115 - ET MALWARE SnipBot CnC Domain in DNS Lookup (ilogicflow .com) (malware.rules)
  • 2056116 - ET MALWARE SnipBot CnC Domain in DNS Lookup (certifysop .com) (malware.rules)
  • 2056117 - ET MALWARE SnipBot CnC Domain in DNS Lookup (dns-msn .com) (malware.rules)
  • 2056118 - ET MALWARE SnipBot CnC Domain in DNS Lookup (linedrv .com) (malware.rules)
  • 2056119 - ET MALWARE SnipBot CnC Domain in DNS Lookup (publicshare .link) (malware.rules)
  • 2056120 - ET MALWARE SnipBot CnC Domain in DNS Lookup (fastshare .click) (malware.rules)
  • 2056121 - ET MALWARE SnipBot CnC Domain in DNS Lookup (drvmcprotect .com) (malware.rules)
  • 2056122 - ET MALWARE SnipBot CnC Domain in DNS Lookup (olminx .com) (malware.rules)
  • 2056123 - ET MALWARE SnipBot CnC Domain in DNS Lookup (xeontime .com) (malware.rules)
  • 2056124 - ET MALWARE SnipBot CnC Domain in DNS Lookup (cethernet .com) (malware.rules)
  • 2056125 - ET MALWARE Observed SnipBot CnC Domain (webtimeapi .com in TLS SNI) (malware.rules)
  • 2056126 - ET MALWARE Observed SnipBot CnC Domain (cloudcreative .digital in TLS SNI) (malware.rules)
  • 2056127 - ET MALWARE Observed SnipBot CnC Domain (fileshare .direct in TLS SNI) (malware.rules)
  • 2056128 - ET MALWARE Observed SnipBot CnC Domain (mcprotect .cloud in TLS SNI) (malware.rules)
  • 2056129 - ET MALWARE Observed SnipBot CnC Domain (sitepanel .top in TLS SNI) (malware.rules)
  • 2056130 - ET MALWARE Observed SnipBot CnC Domain (docstorage .link in TLS SNI) (malware.rules)
  • 2056131 - ET MALWARE Observed SnipBot CnC Domain (drv2ms .com in TLS SNI) (malware.rules)
  • 2056132 - ET MALWARE Observed SnipBot CnC Domain (ilogicflow .com in TLS SNI) (malware.rules)
  • 2056133 - ET MALWARE Observed SnipBot CnC Domain (certifysop .com in TLS SNI) (malware.rules)
  • 2056134 - ET MALWARE Observed SnipBot CnC Domain (dns-msn .com in TLS SNI) (malware.rules)
  • 2056135 - ET MALWARE Observed SnipBot CnC Domain (linedrv .com in TLS SNI) (malware.rules)
  • 2056136 - ET MALWARE Observed SnipBot CnC Domain (publicshare .link in TLS SNI) (malware.rules)
  • 2056137 - ET MALWARE Observed SnipBot CnC Domain (fastshare .click in TLS SNI) (malware.rules)
  • 2056138 - ET MALWARE Observed SnipBot CnC Domain (drvmcprotect .com in TLS SNI) (malware.rules)
  • 2056139 - ET MALWARE Observed SnipBot CnC Domain (olminx .com in TLS SNI) (malware.rules)
  • 2056140 - ET MALWARE Observed SnipBot CnC Domain (xeontime .com in TLS SNI) (malware.rules)
  • 2056141 - ET MALWARE Observed SnipBot CnC Domain (cethernet .com in TLS SNI) (malware.rules)
  • 2056166 - ET EXPLOIT aiohttp Directory Traversal in Static Routing (CVE-2024-23334) (exploit.rules)
  • 2829228 - ETPRO MALWARE Observed Malicious SSL Cert (Dridex CnC) (malware.rules)
  • 2837411 - ETPRO ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS Certificate Observed M58 (attack_response.rules)
  • 2858414 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858415 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858438 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858439 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858446 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)