Ruleset Update Summary - 2025/08/13 - v10992

rulesbot · August 13, 2025, 8:55pm

Summary:

7 new OPEN, 7 new PRO (7 + 0)

Added rules:

Open:

2064001 - ET WEB_SPECIFIC_APPS Xerox FreeFlow Core Arbitrary File Upload/Directory Traversal Attempt (CVE-2025-8356) (web_specific_apps.rules)
2064002 - ET WEB_SPECIFIC_APPS Xerox FreeFlow Core External XML Entity Injection Server Side Request Forgery Attempt (CVE-2025-8355) (web_specific_apps.rules)
2064003 - ET MALWARE CastleLoader User-Agent Observed (malware.rules)
2064004 - ET MALWARE CastleLoader CnC Activity (GET) (malware.rules)
2064005 - ET MALWARE CastleLoader CnC Exfil (POST) (malware.rules)
2064006 - ET MALWARE CastleLoader Payload Request (GET) (malware.rules)
2064007 - ET MALWARE CastleLoader Task Complete in URI (GET) (malware.rules)

Modified inactive rules:

2051072 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gitbrancher .com) (exploit_kit.rules)
2051073 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gitbrancher .com) (exploit_kit.rules)
2051074 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (machineryideas .com) (exploit_kit.rules)
2051075 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (machineryideas .com) (exploit_kit.rules)
2051078 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (funcallback .com) (exploit_kit.rules)
2051093 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (asyncfunctionapi .com) (exploit_kit.rules)
2051094 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
2051095 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (asyncfunctionapi .com) (exploit_kit.rules)
2051096 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .collection .aixpirts .com) (malware.rules)
2051097 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com) (malware.rules)
2051099 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bbsupplyandsalon .com) (exploit_kit.rules)
2051100 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betsmovepiyango47 .com) (exploit_kit.rules)
2051102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eduvationgroup .com) (exploit_kit.rules)
2051103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eoskinec .com) (exploit_kit.rules)
2051104 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezwhatsappp .com) (exploit_kit.rules)
2051105 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (growcalm .com) (exploit_kit.rules)
2051106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grupodistribuidora .com) (exploit_kit.rules)
2051107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aljannatquranteach .com) (exploit_kit.rules)
2051109 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betsmovepiyango47 .com) (exploit_kit.rules)
2051110 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bigcuda .com) (exploit_kit.rules)
2051111 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eduvationgroup .com) (exploit_kit.rules)
2051112 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eoskinec .com) (exploit_kit.rules)
2051113 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezwhatsappp .com) (exploit_kit.rules)
2051114 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (growcalm .com) (exploit_kit.rules)
2051115 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grupodistribuidora .com) (exploit_kit.rules)
2051132 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (egisela .com) (exploit_kit.rules)
2051133 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (egisela .com) (exploit_kit.rules)
2051158 - ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (getyourapi .site) (phishing.rules)
2051434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (africanbeatmaker .com) (exploit_kit.rules)
2051435 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aiifolrida .com) (exploit_kit.rules)
2051436 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amarod .com) (exploit_kit.rules)
2051437 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (auburnartwalk .com) (exploit_kit.rules)
2051438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (africanbeatmaker .com) (exploit_kit.rules)
2051439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aiifolrida .com) (exploit_kit.rules)
2051440 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amarod .com) (exploit_kit.rules)
2051441 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (auburnartwalk .com) (exploit_kit.rules)
2051442 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns4 .lonet .org in TLS SNI) (info.rules)
2051443 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns2 .lonet .org in TLS SNI) (info.rules)
2051444 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns1 .lonet .org in TLS SNI) (info.rules)
2051445 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns5 .lonet .org in TLS SNI) (info.rules)
2051464 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .aus .mimico-cooperative .org) (malware.rules)
2051465 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .aus .mimico-cooperative .org) (malware.rules)
2051466 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (briefscala .com) (exploit_kit.rules)
2051467 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (briefscala .com) (exploit_kit.rules)
2051482 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .funj) (malware.rules)
2051483 - ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .funj in TLS SNI) (malware.rules)
2051493 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (apicachebot .com) (exploit_kit.rules)
2051494 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (apicachebot .com) (exploit_kit.rules)
2051495 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributors .commdistinc .com) (malware.rules)
2051496 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .distributors .commdistinc .com) (malware.rules)
2051498 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (executivebrakeji .shop) (malware.rules)
2051499 - ET MALWARE Observed Lumma Stealer Related Domain (executivebrakeji .shop in TLS SNI) (malware.rules)
2051500 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (oneclickyporkeiw .fun) (malware.rules)
2051501 - ET MALWARE Observed Lumma Stealer Related Domain (oneclickyporkeiw .fun in TLS SNI) (malware.rules)
2051543 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fieldtrollyeowskwe .shop) (malware.rules)
2051544 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fune) (malware.rules)
2051545 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fune) (malware.rules)
2051546 - ET MALWARE Observed Lumma Stealer Related Domain (fieldtrollyeowskwe .shop in TLS SNI) (malware.rules)
2051547 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fune in TLS SNI) (malware.rules)
2051548 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fune in TLS SNI) (malware.rules)
2051549 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .funs) (malware.rules)
2051550 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superemeboxlogosites .pro) (malware.rules)
2051551 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .funs) (malware.rules)
2051552 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pww) (malware.rules)
2051553 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .funs in TLS SNI) (malware.rules)
2051554 - ET MALWARE Observed Lumma Stealer Related Domain (superemeboxlogosites .pro in TLS SNI) (malware.rules)
2051555 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .funs in TLS SNI) (malware.rules)
2051556 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pww in TLS SNI) (malware.rules)
2051576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (advanceddataenterprise .com) (exploit_kit.rules)
2051577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (advanceddataenterprise .com) (exploit_kit.rules)
2051578 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fund) (malware.rules)
2051579 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwf) (malware.rules)
2051580 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fund) (malware.rules)
2051581 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fund in TLS SNI) (malware.rules)
2051582 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwf in TLS SNI) (malware.rules)
2051583 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fund in TLS SNI) (malware.rules)
2051585 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fung) (malware.rules)
2051589 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fung in TLS SNI) (malware.rules)
2051590 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwq in TLS SNI) (malware.rules)
2051593 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwq) (malware.rules)
2051594 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (scrapedirtyieoqk .shop) (malware.rules)
2051595 - ET MALWARE Observed Lumma Stealer Related Domain (scrapedirtyieoqk .shop in TLS SNI) (malware.rules)
2051608 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .round .fishingreelinvestment .com) (malware.rules)
2051609 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .round .fishingreelinvestment .com) (malware.rules)
2051610 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ausgov .pro) (exploit_kit.rules)
2051611 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (digestlivepro .com) (exploit_kit.rules)
2051612 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ausgov .pro) (exploit_kit.rules)
2051613 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (digestlivepro .com) (exploit_kit.rules)
2051614 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bestopgoespink .com) (exploit_kit.rules)
2051615 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bestopgoespink .com) (exploit_kit.rules)
2051616 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (asyncawaitapi .com) (exploit_kit.rules)
2051617 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (asyncawaitapi .com) (exploit_kit.rules)
2051618 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (herdbescuitinjurywu .shop) (malware.rules)
2051634 - ET MALWARE SocGholish Domain in DNS Lookup (welcome .visionaryyouth .org) (malware.rules)
2051635 - ET MALWARE SocGholish Domain in TLS SNI (welcome .visionaryyouth .org) (malware.rules)
2051636 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .funq) (malware.rules)
2051637 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .funq in TLS SNI) (malware.rules)
2051671 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (doughmebinnybunio .shop) (malware.rules)
2051688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edulokam .com) (exploit_kit.rules)
2051692 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (7commbeta .com) (exploit_kit.rules)
2051694 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezshipsy .com) (exploit_kit.rules)
2051695 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezshipsy .com) (exploit_kit.rules)
2051772 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (prematuresolvehumoew .shop) (malware.rules)
2051775 - ET MALWARE Observed Lumma Stealer Related Domain (spokespersonunjuriwo .shop in TLS SNI) (malware.rules)
2051796 - ET MALWARE SocGholish Domain in DNS Lookup (camps .topgunnbaseball .com) (malware.rules)
2051902 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (foradopicadeiro .com) (exploit_kit.rules)
2051905 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elmworldacademy .com) (exploit_kit.rules)
2051957 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fairfurryfriends .com) (exploit_kit.rules)
2856397 - ETPRO MALWARE Suspected TA453 Domain in TLS SNI (malware.rules)
2856409 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856410 - ETPRO EXPLOIT_KIT ZPHP Lure Request M6 (exploit_kit.rules)
2856411 - ETPRO EXPLOIT_KIT ZPHP Lure Request M7 (exploit_kit.rules)
2856427 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856462 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856465 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
2856484 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856505 - ETPRO EXPLOIT_KIT Malicious Keitaro TDS Domain in DNS Lookup (exploit_kit.rules)
2856552 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/07/08 - v10965 Ruleset Updates	110	July 8, 2025
Ruleset Update Summary - 2025/03/10 - v10875 Ruleset Updates	138	March 10, 2025
Ruleset Update Summary - 2025/08/12 - v10991 Ruleset Updates	79	August 12, 2025
Ruleset Update Summary - 2025/08/27 - v11002 Ruleset Updates	55	August 27, 2025
Ruleset Update Summary - 2025/08/20 - v10997 Ruleset Updates	58	August 20, 2025

Ruleset Update Summary - 2025/08/13 - v10992

Summary:

Added rules:

Open:

Modified inactive rules:

Related topics