Ruleset Update Summary - 2025/08/06 - v10987

Ruleset Updates
1

Summary:

15 new OPEN, 28 new PRO (15 + 13)

Added rules:

Open:

  • 2063905 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .365axissolution .com) (malware.rules)
  • 2063906 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect logYumLookup logfile Parameter Authenticated Directory Traversal Attempt (web_specific_apps.rules)
  • 2063907 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .365axissolution .com) (malware.rules)
  • 2063908 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect ProjectUpdateBSXFileProcess.php Authenticated Command Injection Attempt (web_specific_apps.rules)
  • 2063909 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect logMixDownload instance Parameter Authenticated Command Injection Attempt (web_specific_apps.rules)
  • 2063910 - ET INFO DYNAMIC_DNS Query to a *.ozium1 .org domain (info.rules)
  • 2063911 - ET INFO DYNAMIC_DNS HTTP Request to a *.ozium1 .org domain (info.rules)
  • 2063912 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkrz .lol) (malware.rules)
  • 2063913 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thinkrz .lol) in TLS SNI (malware.rules)
  • 2063914 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yrokistorii .ru) (malware.rules)
  • 2063915 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yrokistorii .ru) in TLS SNI (malware.rules)
  • 2063916 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zechaxrp .my) (malware.rules)
  • 2063917 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zechaxrp .my) in TLS SNI (malware.rules)
  • 2063918 - ET EXPLOIT_KIT Observed ClickFix Webpage Inbound (exploit_kit.rules)
  • 2063919 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect productRemovalUpdate instance Parameter Authenticated Command Injection Attempt (web_specific_apps.rules)

Pro:

  • 2864097 - ETPRO EXPLOIT pgAdmin Command Injection Attempt Inbound (CVE-2022-4223) (exploit.rules)
  • 2864098 - ETPRO EXPLOIT Supervene RazDC Create User CGI Form OS Command Injection Attempt Inbound (CVE-2018-15551) (exploit.rules)
  • 2864099 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864100 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864101 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2864102 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2864103 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864104 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2864105 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864106 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2864107 - ETPRO EXPLOIT Inductive Automation Ignition ServerMessage Insecure Deserialization (CVE-2022-35870) (exploit.rules)
  • 2864108 - ETPRO EXPLOIT SonicWall SMA 100 Appliances Stack-Based Buffer Overflow (CVE-2021-20038) (exploit.rules)
  • 2864109 - ETPRO HUNTING Suspicious - Observed Non-Ascii Characters in Large HTTP URI (hunting.rules)

Modified inactive rules:

  • 2053407 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .team .jessicabarrett .com) (malware.rules)
  • 2053830 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .partners .gloriadeicr .com) (malware.rules)
  • 2054194 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .fans .smalladventureguide .com) (malware.rules)
  • 2054354 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .parish .chuathuongxot .org) (malware.rules)
  • 2054498 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .award .vuheritagefoundation .org) (malware.rules)
  • 2054633 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .loyalty .hienphucuanhanloai .org) (malware.rules)
  • 2054720 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .living .miraclesofeucharisticjesus .org) (malware.rules)
  • 2054866 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .donors .eucharisticjesus .net) (malware.rules)
  • 2055222 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .guide .borden-carleton .ca) (malware.rules)
  • 2055315 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sponsor .printondemandagency .com) (malware.rules)
  • 2055738 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .podcast .lisameyerson .com) (malware.rules)
  • 2055769 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .benefits .melanatedbloodlinesrestoration .com) (malware.rules)
  • 2055867 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .therapy .emergencepsychservices .com) (malware.rules)
  • 2056032 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .free .thebitmeister .com) (malware.rules)
  • 2056321 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .shades .whatisaweekend .com) (malware.rules)
  • 2056554 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .outfit .dianamercer .com) (malware.rules)
  • 2057065 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .range .cccinvolve .org) (malware.rules)
  • 2060874 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (support .traininghub .world) (malware.rules)
  • 2060875 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (support .traininghub .world) (malware.rules)

Disabled and modified rules:

  • 2053453 - ET EXPLOIT Telerik Authentication Bypass Attempt Inbound (CVE-2024-4358) (exploit.rules)