Ruleset Update Summary - 2025/08/04 - v10985

rulesbot · August 4, 2025, 10:39pm

Summary:

22 new OPEN, 28 new PRO (22 + 6)

Thanks @Malwarebytes

Added rules:

Open:

2063879 - ET INFO DYNAMIC_DNS Query to a *.clandestina .org domain (info.rules)
2063880 - ET INFO DYNAMIC_DNS HTTP Request to a *.clandestina .org domain (info.rules)
2063881 - ET INFO DYNAMIC_DNS Query to a *.meteotodi .it domain (info.rules)
2063882 - ET INFO DYNAMIC_DNS HTTP Request to a *.meteotodi .it domain (info.rules)
2063883 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bittsgly .my) (malware.rules)
2063884 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bittsgly .my) in TLS SNI (malware.rules)
2063885 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (akkeod .com) (malware.rules)
2063886 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (akkeod .com) in TLS SNI (malware.rules)
2063887 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mocadia .com) (malware.rules)
2063888 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mocadia .com) in TLS SNI (malware.rules)
2063889 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (templfuw .my) (malware.rules)
2063890 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (templfuw .my) in TLS SNI (malware.rules)
2063891 - ET WEB_SPECIFIC_APPS Ilevia EVE X1 Server Command Injection Attempt (web_specific_apps.rules)
2063892 - ET WEB_SPECIFIC_APPS Ilevia EVE X1 Server dbcheck.php db_log parameter Pre-Auth File Disclosure Attempt (web_specific_apps.rules)
2063893 - ET MALWARE Stealerium CnC Exfil via Discord (POST) (malware.rules)
2063894 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect Unauthenticated Directory Traversal and Arbitrary File Upload Attempt (web_specific_apps.rules)
2063895 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (docs .nynovation .com) (malware.rules)
2063896 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (docs .nynovation .com) (malware.rules)
2063897 - ET MALWARE Observed DNS Query to Vidar Stealer Domain (soft-gets .com) (malware.rules)
2063898 - ET MALWARE Observed DNS Query to Vidar Stealer Domain (reaitek .com) (malware.rules)
2063899 - ET MALWARE Observed Vidar Stealer Domain (soft-gets .com in TLS SNI) (malware.rules)
2063900 - ET MALWARE Observed Vidar Stealer Domain (reaitek .com in TLS SNI) (malware.rules)

Pro:

2863971 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2863972 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2863995 - ETPRO MALWARE Observed TA455 Style URI (malware.rules)
2863996 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2863997 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2863998 - ETPRO HUNTING Observed Suspicious Character Escape Sequence Often Used In Command Injection Attempts (hunting.rules)

Modified inactive rules:

2048902 - ET MALWARE [ANY.RUN] zgRAT / PureLogs Stealer C2 Connection M1 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/10/16 - v10721 Ruleset Updates	104	October 16, 2024
Ruleset Update Summary - 2025/05/05 - v10920 Ruleset Updates	126	May 5, 2025
Ruleset Update Summary - 2024/10/25 - v10728 Ruleset Updates	106	October 25, 2024
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	135	November 12, 2024
Ruleset Update Summary - 2024/11/28 - v10760 Ruleset Updates	62	November 28, 2024

Ruleset Update Summary - 2025/08/04 - v10985

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics