Summary:
36 new OPEN, 40 new PRO (36 + 4)
Added rules:
Open:
- 2063830 - ET MALWARE Kimsuky CnC Chunked Exfil (POST) (malware.rules)
- 2063831 - ET MALWARE Kimsuky CnC Keyloggger Exfil (POST) (malware.rules)
- 2063832 - ET MALWARE Kimsuky CnC AppKey Request (malware.rules)
- 2063833 - ET MALWARE Kimsuky CnC AppKey Deletion Request (malware.rules)
- 2063834 - ET MALWARE Kimsuky CnC Exfil (POST) (malware.rules)
- 2063835 - ET MALWARE Kimsuky CnC Victim File Exfiltration Request (GET) (malware.rules)
- 2063836 - ET MALWARE Kimsuky Victim CnC Payload Request (GET) (malware.rules)
- 2063837 - ET MALWARE Kimsuky Victim CnC Command Request (GET) (malware.rules)
- 2063838 - ET MALWARE Kimsuky Payload Request (GET) (malware.rules)
- 2063839 - ET MALWARE Kimsuky CnC Domain in DNS Lookup (malware.rules)
- 2063840 - ET MALWARE Observed Kimsuky Domain in TLS SNI (malware.rules)
- 2063841 - ET EXPLOIT Bloomberg Comdb2 Distributed Transaction Commit Operation DoS (CVE-2025-46354) (exploit.rules)
- 2063842 - ET EXPLOIT Bloomberg Comdb2 Distributed Transaction Abort Operation DoS (CVE-2025-46354) (exploit.rules)
- 2063843 - ET EXPLOIT Bloomberg Comdb2 Distributed Transaction Heartbeat Operation DoS (CVE-2025-46354) (exploit.rules)
- 2063844 - ET WEB_SPECIFIC_APPS Niagara Workbench Anti-CSRF Token Disclosure (CVE-2025-3943) (web_specific_apps.rules)
- 2063845 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (download .romeropizza .com) (malware.rules)
- 2063846 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (download .romeropizza .com) (malware.rules)
- 2063847 - ET WEB_SPECIFIC_APPS SonicWall Pre-Auth Stack-Based Buffer Overflow (CVE-2025-40596) (web_specific_apps.rules)
- 2063848 - ET WEB_SPECIFIC_APPS SonicWall Pre-Auth Heap-Based Buffer Overflow (CVE-2025-40597) (web_specific_apps.rules)
- 2063849 - ET HUNTING Niagara Framework Authenticated Jetty Logging (ALL) Set (hunting.rules)
- 2063850 - ET WEB_SPECIFIC_APPS SonicWall CGI Reflected Cross-Site Scripting (CVE-2025-40598) (web_specific_apps.rules)
- 2063851 - ET EXPLOIT Bloomberg Comdb2 net_connectmsg Protocol Buffer Message Null Pointer Dereference (CVE-2025-36520) (exploit.rules)
- 2063852 - ET INFO DYNAMIC_DNS Query to a *.trionyx-sal .com domain (info.rules)
- 2063853 - ET INFO DYNAMIC_DNS HTTP Request to a *.trionyx-sal .com domain (info.rules)
- 2063854 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (download .romeropizza .com) (malware.rules)
- 2063855 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (download .romeropizza .com) (malware.rules)
- 2063856 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cezgroup .contact) (malware.rules)
- 2063857 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cezgroup .contact) in TLS SNI (malware.rules)
- 2063858 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stockwises .eu) (malware.rules)
- 2063859 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stockwises .eu) in TLS SNI (malware.rules)
- 2063860 - ET INFO Observed RMM Domain in DNS Lookup ( * .action1 .com) (info.rules)
- 2063861 - ET INFO Observed RMM Domain in TLS SNI ( * .action1 .com) (info.rules)
- 2063862 - ET INFO Observed RMM Domain in DNS Lookup (* .optitune .us) (info.rules)
- 2063863 - ET INFO Observed RMM Domain in TLS SNI ( * .optitune .us) (info.rules)
- 2063864 - ET INFO Observed RMM Domain in DNS Lookup ( * .opti-tune .com) (info.rules)
- 2063865 - ET INFO Observed RMM Domain in TLS SNI ( * .opti-tune .com) (info.rules)
Pro:
- 2863795 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2863796 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2863797 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2863798 - ETPRO HUNTING Observed Suspicious Character Escape Sequence Often Used In Command Injection Attempts (hunting.rules)
Modified inactive rules:
- 2849482 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.host (hunting.rules)
- 2849647 - ETPRO HUNTING Generic Buffer Overflow - HTTP Host Field (hunting.rules)