Ruleset Update Summary - 2025/08/01 - v10984

Ruleset Updates
1

Summary:

13 new OPEN, 31 new PRO (13 + 18)

Added rules:

Open:

  • 2063866 - ET MALWARE Storm-2603 CnC Domain in DNS Lookup (updatemicfosoft .com) (malware.rules)
  • 2063867 - ET MALWARE Storm-2603 CnC Domain in DNS Lookup (microsfot .org) (malware.rules)
  • 2063868 - ET WEB_SPECIFIC_APPS PaperCut MF/NG RCE vis Cross-Site Request Forgery (CVE-2023-2533) (web_specific_apps.rules)
  • 2063869 - ET WEB_SPECIFIC_APPS D-Link formSetWAN Multiple Endpoints curTime Parameter Buffer Overflow Attempt (CVE-2025-8184, CVE-2025-8169, CVE,2025-8168) (web_specific_apps.rules)
  • 2063870 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vishneviyjazz .ru) (malware.rules)
  • 2063871 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vishneviyjazz .ru) in TLS SNI (malware.rules)
  • 2063872 - ET MALWARE Storm-2603 AK47C2 HTTP Backdoor CnC Checkin (malware.rules)
  • 2063873 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (clients .lamusicana .com) (malware.rules)
  • 2063874 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (clients .lamusicana .com) (malware.rules)
  • 2063875 - ET INFO Observed RMM Domain in DNS Lookup ( * .action1-com .b-cdn .net) (info.rules)
  • 2063876 - ET INFO Observed RMM Domain in TLS SNI ( * .action1-com .b-cdn .net) (info.rules)
  • 2063877 - ET INFO Observed RMM Domain in DNS Lookup (a1-backend-packages-* .s3 .amazonaws .com) (info.rules)
  • 2063878 - ET INFO Observed RMM Domain in TLS SNI (a1-backend-packages-* .s3 .amazonaws .com) (info.rules)

Pro:

  • 2863953 - ETPRO HUNTING Inbound HTTP Header Name/Value Delimiter Uses 0x09 (hunting.rules)
  • 2863954 - ETPRO HUNTING Outbound HTTP Header Name/Value Delimiter Uses 0x09 (hunting.rules)
  • 2863955 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863956 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863957 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863958 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863959 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863960 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863961 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863962 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2863963 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2863964 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2863965 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2863966 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2863967 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2863968 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2863969 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2863970 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2063845 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (download .romeropizza .com) (malware.rules)
  • 2063846 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (download .romeropizza .com) (malware.rules)
  • 2863701 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)