Ruleset Update Summary - 2025/07/25 - v10978

Summary:

41 new OPEN, 41 new PRO (41 + 0)

Added rules:

Open:

• 2063718 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eliminhd .lol) (malware.rules)
• 2063719 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eliminhd .lol in TLS SNI) (malware.rules)
• 2063720 - ET WEB_SPECIFIC_APPS Totolink formWlanMultipleAP submit-url Parameter Buffer Overflow Attempt (CVE-2025-8140) (web_specific_apps.rules)
• 2063721 - ET INFO DYNAMIC_DNS Query to a *.osistemas .com domain (info.rules)
• 2063722 - ET INFO DYNAMIC_DNS HTTP Request to a *.osistemas .com domain (info.rules)
• 2063723 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (app .dessertshouse .com) (malware.rules)
• 2063724 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (app .dessertshouse .com) (malware.rules)
• 2063725 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blegekei .lol) (malware.rules)
• 2063726 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blegekei .lol) in TLS SNI (malware.rules)
• 2063727 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (columnez .shop) (malware.rules)
• 2063728 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (columnez .shop) in TLS SNI (malware.rules)
• 2063729 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cousmf .lat) (malware.rules)
• 2063730 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cousmf .lat) in TLS SNI (malware.rules)
• 2063731 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foundrr .bet) (malware.rules)
• 2063732 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (foundrr .bet) in TLS SNI (malware.rules)
• 2063733 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jambnwz .top) (malware.rules)
• 2063734 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jambnwz .top) in TLS SNI (malware.rules)
• 2063735 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixp .digital) (malware.rules)
• 2063736 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mixp .digital) in TLS SNI (malware.rules)
• 2063737 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nanoceus .run) (malware.rules)
• 2063738 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nanoceus .run) in TLS SNI (malware.rules)
• 2063739 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ondcvxe .top) (malware.rules)
• 2063740 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ondcvxe .top) in TLS SNI (malware.rules)
• 2063741 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (royaltbn .xyz) (malware.rules)
• 2063742 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (royaltbn .xyz) in TLS SNI (malware.rules)
• 2063743 - ET WEB_SPECIFIC_APPS Totolink formOneKeyAccessButton submit-url Parameter Buffer Overflow Attempt (CVE-2025-8138) (web_specific_apps.rules)
• 2063744 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sabrkqw .lol) (malware.rules)
• 2063745 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sabrkqw .lol) in TLS SNI (malware.rules)
• 2063746 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sparklfm .xyz) (malware.rules)
• 2063747 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sparklfm .xyz) in TLS SNI (malware.rules)
• 2063748 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stfota .xyz) (malware.rules)
• 2063749 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stfota .xyz) in TLS SNI (malware.rules)
• 2063750 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sworwdcp .top) (malware.rules)
• 2063751 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sworwdcp .top) in TLS SNI (malware.rules)
• 2063752 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (woodenso .top) (malware.rules)
• 2063753 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (woodenso .top) in TLS SNI (malware.rules)
• 2063754 - ET WEB_SPECIFIC_APPS Tenda SetSysTimeCfg timeZone Parameter Buffer Overflow Attempt (CVE-2025-51085, CVE-2025-8160) (web_specific_apps.rules)
• 2063755 - ET WEB_SPECIFIC_APPS D-Link vb.htm paratest Parameter Cross Site Scripting Attempt (CVE-2025-8155) (web_specific_apps.rules)
• 2063756 - ET WEB_SPECIFIC_APPS D-Link formLanguageChange currTime Parameter Buffer Overflow Attempt (CVE-2025-8159) (web_specific_apps.rules)
• 2063757 - ET WEB_SPECIFIC_APPS Tenda saveParentControlInfo timeZone Parameter Buffer Overflow Attempt (CVE-2025-51087) (web_specific_apps.rules)
• 2063758 - ET WEB_SPECIFIC_APPS Tenda WifiGuestSet shareSpeed Parameter Buffer Overflow Attempt (CVE-2025-51088) (web_specific_apps.rules)

Modified inactive rules:

• 2055920 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (updatechrllom .com) (exploit_kit.rules)
• 2055921 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (updatechrllom .com) (exploit_kit.rules)
• 2055922 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (notablelibrary .com) (exploit_kit.rules)
• 2055923 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (notablelibrary .com) (exploit_kit.rules)
• 2055925 - ET MALWARE DNS Query to Emmenhtal Loader Domain (potexo .b-cdn .net) (malware.rules)
• 2055926 - ET MALWARE DNS Query to Emmenhtal Loader Domain (peco .b-cdn .net) (malware.rules)
• 2055954 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (download .instructionclub .com) (malware.rules)
• 2055955 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (download .instructionclubs .com) (malware.rules)
• 2055956 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (document-publisher .org) (malware.rules)
• 2055957 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (controlleractiveserver .com) (malware.rules)
• 2055959 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (download .instructionclub .com in TLS SNI) (malware.rules)
• 2055960 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (download .instructionclubs .com in TLS SNI) (malware.rules)
• 2055961 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (document-publisher .org in TLS SNI) (malware.rules)
• 2055962 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (controlleractiveserver .com in TLS SNI) (malware.rules)
• 2055963 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (trackmyshipeng .site) (malware.rules)
• 2055964 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (ceeaapaint .xyz) (malware.rules)
• 2055965 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (robshippings .cloud) (malware.rules)
• 2055966 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (trackingshipmentt .xyz) (malware.rules)
• 2055967 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (onedrive-microsoft .redirectme .net) (malware.rules)
• 2055968 - ET MALWARE DNS Query to PeakLight/Emmenhtal Loader Domain (trackmyshipeng .sitehealthtipsart .com) (malware.rules)
• 2055969 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (trackmyshipeng .site in TLS SNI) (malware.rules)
• 2055970 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (ceeaapaint .xyz in TLS SNI) (malware.rules)
• 2055971 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (robshippings .cloud in TLS SNI) (malware.rules)
• 2055972 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (trackingshipmentt .xyz in TLS SNI) (malware.rules)
• 2055973 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (onedrive-microsoft .redirectme .net in TLS SNI) (malware.rules)
• 2055974 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (trackmyshipeng .sitehealthtipsart .com in TLS SNI) (malware.rules)
• 2055975 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (theaeroescorts .com) (exploit_kit.rules)
• 2055976 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (theaeroescorts .com) (exploit_kit.rules)

Disabled and modified rules:

• 2061956 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) (exploit_kit.rules)
• 2061957 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com) (exploit_kit.rules)