Summary:
3 new OPEN, 25 new PRO (3 + 22)
Thanks @aryakanetworks
Added rules:
Open:
- 2064008 - ET MALWARE Observed DNS Query to Vidar Stealer Domain (tl .dr .softlinko .com) (malware.rules)
- 2064009 - ET MALWARE Observed Vidar Stealer Domain (tl .dr .softlinko .com in TLS SNI) (malware.rules)
- 2064010 - ET MALWARE Vidar Stealer User-Agent Observed (malware.rules)
Pro:
- 2864266 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
- 2864267 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup 2 (mobile_malware.rules)
- 2864268 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864269 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864270 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864271 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864272 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864273 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864274 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Checkin (mobile_malware.rules)
- 2864275 - ETPRO MALWARE Observed TA425/Patchwork Donut URI Pattern (malware.rules)
- 2864276 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2864277 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2864278 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2864279 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2864280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2864281 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2864282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2864283 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2864284 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2864285 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
- 2864286 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2864287 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
Modified inactive rules:
- 2050306 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .help) (malware.rules)
- 2050308 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (tinyurlinstant .co) (malware.rules)
- 2050309 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (urldepost .co) (malware.rules)
- 2050310 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (verifyca .online) (malware.rules)
- 2050311 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (visiononline .store) (malware.rules)
- 2050312 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (app .documentoffice .club) (malware.rules)
- 2050313 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .live) (malware.rules)
- 2050314 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .pro) (malware.rules)
- 2050315 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefiturl .pro) (malware.rules)
- 2050316 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (careagency .online) (malware.rules)
- 2050317 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (cra-receivenow .online) (malware.rules)
- 2050318 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (crareceive .site) (malware.rules)
- 2050322 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (forex .traderfree .online) (malware.rules)
- 2050324 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .site) (malware.rules)
- 2050325 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (gstcreceive .online) (malware.rules)
- 2050326 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (instantreceive .org) (malware.rules)
- 2050327 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (nav .offlinedocument .site) (malware.rules)
- 2050328 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receive .bio) (malware.rules)
- 2050329 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receiveinstant .online) (malware.rules)
- 2050330 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .help) (malware.rules)
- 2050331 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .online) (malware.rules)
- 2050332 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (tinyurlinstant .co) (malware.rules)
- 2050333 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (urldepost .co) (malware.rules)
- 2050334 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (verifyca .online) (malware.rules)
- 2050335 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (visiononline .store) (malware.rules)
- 2050336 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (suezey .com) (exploit_kit.rules)
- 2050337 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (appboltonik .com) (exploit_kit.rules)
- 2050338 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (suezey .com) (exploit_kit.rules)
- 2050339 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (appboltonik .com) (exploit_kit.rules)
- 2050341 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (demonstratorleasheropw .site) (malware.rules)
- 2050344 - ET INFO Observed DNS Over HTTPS Domain (dns .jundev .org in TLS SNI) (info.rules)
- 2050346 - ET INFO Observed DNS Over HTTPS Domain (dns .schlagheck .berlin in TLS SNI) (info.rules)
- 2050347 - ET INFO Observed DNS Over HTTPS Domain (dns .retakecs .com in TLS SNI) (info.rules)
- 2050350 - ET INFO Observed DNS Over HTTPS Domain (dns2 .saferbfc .org in TLS SNI) (info.rules)
- 2050351 - ET INFO Observed DNS Over HTTPS Domain (dns .korzhyk .pp .ua in TLS SNI) (info.rules)
- 2050352 - ET INFO Observed DNS Over HTTPS Domain (adguardo .jimtay .uk in TLS SNI) (info.rules)
- 2050353 - ET INFO Observed DNS Over HTTPS Domain (dns .scarx .net in TLS SNI) (info.rules)
- 2050354 - ET INFO Observed DNS Over HTTPS Domain (adguard .rennes .despagne .net in TLS SNI) (info.rules)
- 2050355 - ET INFO Observed DNS Over HTTPS Domain (dns1 .klcd .eu in TLS SNI) (info.rules)
- 2050357 - ET INFO Observed DNS Over HTTPS Domain (dns2 .klcd .eu in TLS SNI) (info.rules)
- 2050358 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .colors .usajicgu .com) (malware.rules)
- 2050359 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .colors .usajicgu .com) (malware.rules)
- 2050360 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (bonustop-price .life) (exploit_kit.rules)
- 2050361 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (allprizeshub .life) (exploit_kit.rules)
- 2050362 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (greatbonushere .top) (exploit_kit.rules)
- 2050363 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (prizes-topwin .life) (exploit_kit.rules)
- 2050365 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (a .crystalcraft .top) (exploit_kit.rules)
- 2050366 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (logsmetrics .com) (exploit_kit.rules)
- 2050367 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (webdatatrace .com) (exploit_kit.rules)
- 2050368 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (bonustop-price .life) (exploit_kit.rules)
- 2050369 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (allprizeshub .life) (exploit_kit.rules)
- 2050370 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (greatbonushere .top) (exploit_kit.rules)
- 2050371 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (prizes-topwin .life) (exploit_kit.rules)
- 2050372 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (womanflirting .life) (exploit_kit.rules)
- 2050373 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (a .crystalcraft .top) (exploit_kit.rules)
- 2050374 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (logsmetrics .com) (exploit_kit.rules)
- 2050376 - ET INFO Observed DNS Over HTTPS Domain (dns .milangeorge .com in TLS SNI) (info.rules)
- 2050378 - ET INFO Observed DNS Over HTTPS Domain (dns .jhangy .us in TLS SNI) (info.rules)
- 2050381 - ET INFO Observed DNS Over HTTPS Domain (dns .influa-dev .fr in TLS SNI) (info.rules)
- 2050382 - ET INFO Observed DNS Over HTTPS Domain (dns .just-hosting .net in TLS SNI) (info.rules)
- 2050384 - ET INFO Observed DNS Over HTTPS Domain (adg .siudzinski .net in TLS SNI) (info.rules)
- 2050386 - ET INFO Observed DNS Over HTTPS Domain (dns .keskonet .com in TLS SNI) (info.rules)
- 2050389 - ET INFO Observed DNS Over HTTPS Domain (adguard .kiboko .it in TLS SNI) (info.rules)
- 2050390 - ET INFO Observed DNS Over HTTPS Domain (dns .rhscz .eu in TLS SNI) (info.rules)
- 2050392 - ET INFO Observed DNS Over HTTPS Domain (dns .wryhf .net in TLS SNI) (info.rules)
- 2050393 - ET INFO Observed DNS Over HTTPS Domain (www .pukanuragan .ru in TLS SNI) (info.rules)
- 2050394 - ET INFO Observed DNS Over HTTPS Domain (dns .ithg .ru in TLS SNI) (info.rules)
- 2050395 - ET INFO Observed DNS Over HTTPS Domain (dns .internal .hosmatic .com in TLS SNI) (info.rules)
- 2050399 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vesselspeedcrosswakew .site) (malware.rules)
- 2050400 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationinchoicer .site) (malware.rules)
- 2050402 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (retainfactorypunishjkw .site) (malware.rules)
- 2050403 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willpoweragreebokkskiew .site) (malware.rules)
- 2050408 - ET MALWARE Observed Lumma Stealer Related Domain (brickabsorptiondullyi .site in TLS SNI) (malware.rules)
- 2050409 - ET MALWARE Observed Lumma Stealer Related Domain (retainfactorypunishjkw .site in TLS SNI) (malware.rules)
- 2050411 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
- 2050412 - ET MALWARE Observed Lumma Stealer Related Domain (carvewomanflavourwop .site in TLS SNI) (malware.rules)
- 2050415 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
- 2050416 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
- 2050417 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gearboomchocolateowfs .site) (malware.rules)
- 2050418 - ET MALWARE Observed Lumma Stealer Related Domain (gearboomchocolateowfs .site in TLS SNI) (malware.rules)
- 2050435 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2050437 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2050438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (climosfevelt .com) (exploit_kit.rules)
- 2050439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (climosfevelt .com) (exploit_kit.rules)
- 2050448 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachetransferjs .com) (exploit_kit.rules)
- 2050449 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachewebspace .com) (exploit_kit.rules)
- 2050450 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudad .com) (exploit_kit.rules)
- 2050455 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webcachedata .com) (exploit_kit.rules)
- 2050457 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachetransferjs .com) (exploit_kit.rules)
- 2050458 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachewebspace .com) (exploit_kit.rules)
- 2050459 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudad .com) (exploit_kit.rules)
- 2050464 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webcachedata .com) (exploit_kit.rules)
- 2050467 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (crisisestimatehealtwh .site) (malware.rules)
- 2050468 - ET MALWARE Observed Lumma Stealer Related Domain (crisisestimatehealtwh .site in TLS SNI) (malware.rules)
- 2050471 - ET INFO Observed DNS Over HTTPS Domain (cynntex .fun in TLS SNI) (info.rules)
- 2050472 - ET INFO Observed DNS Over HTTPS Domain (dns .tb4 .me in TLS SNI) (info.rules)
- 2050473 - ET INFO Observed DNS Over HTTPS Domain (dns .f97 .xyz in TLS SNI) (info.rules)
- 2050475 - ET INFO Observed DNS Over HTTPS Domain (dns .unx .io in TLS SNI) (info.rules)
- 2050477 - ET INFO Observed DNS Over HTTPS Domain (dns .thebuckners .org in TLS SNI) (info.rules)
- 2050478 - ET INFO Observed DNS Over HTTPS Domain (dns .hujiayucc .cn in TLS SNI) (info.rules)
- 2050482 - ET INFO Observed DNS Over HTTPS Domain (ychen .gq in TLS SNI) (info.rules)
- 2050483 - ET INFO Observed DNS Over HTTPS Domain (dns .sstomp .nl in TLS SNI) (info.rules)
- 2050484 - ET INFO Observed DNS Over HTTPS Domain (ads .hunga1k47 .com in TLS SNI) (info.rules)
- 2050485 - ET INFO Observed DNS Over HTTPS Domain (dns .huseynov .work in TLS SNI) (info.rules)
- 2050486 - ET INFO Observed DNS Over HTTPS Domain (sdns22 .gkonuralp .com in TLS SNI) (info.rules)
- 2050487 - ET INFO Observed DNS Over HTTPS Domain (tokyodns .songnguyen .name .vn in TLS SNI) (info.rules)
- 2050488 - ET INFO Observed DNS Over HTTPS Domain (dash .flylcc .cc in TLS SNI) (info.rules)
- 2050489 - ET INFO Observed DNS Over HTTPS Domain (portal .iddqd .uk in TLS SNI) (info.rules)
- 2050490 - ET INFO Observed DNS Over HTTPS Domain (doh .infracell .net in TLS SNI) (info.rules)
- 2050500 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (visitclouds .com) (exploit_kit.rules)
- 2050501 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (visitclouds .com) (exploit_kit.rules)
- 2050505 - ET EXPLOIT_KIT Balada Domain in TLS SNI (lightsteper .com) (exploit_kit.rules)
- 2050515 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (lookup-domain .com) (exploit_kit.rules)
- 2050516 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (lookup-domain .com) (exploit_kit.rules)
- 2050520 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tonguehypnothesislan .shop) (malware.rules)
- 2050521 - ET MALWARE Observed Lumma Stealer Related Domain (tonguehypnothesislan .shop in TLS SNI) (malware.rules)
- 2050522 - ET INFO Observed DNS Over HTTPS Domain (adguard .eoghan-net .com in TLS SNI) (info.rules)
- 2050523 - ET INFO Observed DNS Over HTTPS Domain (agh .fltn .us in TLS SNI) (info.rules)
- 2050524 - ET INFO Observed DNS Over HTTPS Domain (dns01 .enginyring .com in TLS SNI) (info.rules)
- 2050525 - ET INFO Observed DNS Over HTTPS Domain (doh .fatucloud .gosprout .org in TLS SNI) (info.rules)
- 2050526 - ET INFO Observed DNS Over HTTPS Domain (dns .huizegunsing .nl in TLS SNI) (info.rules)
- 2050527 - ET INFO Observed DNS Over HTTPS Domain (dns .freddys .my .id in TLS SNI) (info.rules)
- 2050528 - ET INFO Observed DNS Over HTTPS Domain (jp1 .f7b6h9 .tk in TLS SNI) (info.rules)
- 2050529 - ET INFO Observed DNS Over HTTPS Domain (dns .timboeh .me in TLS SNI) (info.rules)
- 2050531 - ET INFO Observed DNS Over HTTPS Domain (ag .hostme .co .il in TLS SNI) (info.rules)
- 2050532 - ET INFO Observed DNS Over HTTPS Domain (dns .hugo0 .moe in TLS SNI) (info.rules)
- 2050533 - ET INFO Observed DNS Over HTTPS Domain (urology .wiki in TLS SNI) (info.rules)
- 2050534 - ET INFO Observed DNS Over HTTPS Domain (adguard .darrenhizon .com in TLS SNI) (info.rules)
- 2050535 - ET INFO Observed DNS Over HTTPS Domain (qual .cuprum .ru in TLS SNI) (info.rules)
- 2050536 - ET INFO Observed DNS Over HTTPS Domain (faradns .net in TLS SNI) (info.rules)
- 2050537 - ET INFO Observed DNS Over HTTPS Domain (dns .frguthrie .app in TLS SNI) (info.rules)
- 2050538 - ET INFO Observed DNS Over HTTPS Domain (adguard .lista .my .id in TLS SNI) (info.rules)
- 2050539 - ET INFO Observed DNS Over HTTPS Domain (dot .dns-ga .de in TLS SNI) (info.rules)
- 2050540 - ET INFO Observed DNS Over HTTPS Domain (dns .lista .my .id in TLS SNI) (info.rules)
- 2050541 - ET INFO Observed DNS Over HTTPS Domain (home .enjoymylife .net in TLS SNI) (info.rules)
- 2050550 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ripnoticebook .com) (exploit_kit.rules)
- 2050551 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andiandnoah .com) (exploit_kit.rules)
- 2050552 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ghostcitygames .com) (exploit_kit.rules)
- 2050553 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ripnoticebook .com) (exploit_kit.rules)
- 2050554 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andiandnoah .com) (exploit_kit.rules)
- 2050555 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ghostcitygames .com) (exploit_kit.rules)
- 2050558 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .honors .howamerica .com) (malware.rules)
- 2050559 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .honors .howamerica .com) (malware.rules)
- 2050579 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (nationalistvetecanve .shop) (malware.rules)
- 2050580 - ET MALWARE Observed Lumma Stealer Related Domain (nationalistvetecanve .shop in TLS SNI) (malware.rules)
- 2050582 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bombertublestylebanws .fun) (malware.rules)
- 2050586 - ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI) (malware.rules)
- 2050587 - ET MALWARE Observed Lumma Stealer Related Domain (bombertublestylebanws .fun in TLS SNI) (malware.rules)
- 2050588 - ET MALWARE Observed Lumma Stealer Related Domain (diagramfiremonkeyowwa .fun in TLS SNI) (malware.rules)
- 2050589 - ET MALWARE Observed Lumma Stealer Related Domain (dayfarrichjwclik .fun in TLS SNI) (malware.rules)
- 2050590 - ET MALWARE Observed Lumma Stealer Related Domain (ratefacilityframw .fun in TLS SNI) (malware.rules)
- 2050591 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthrankunderow .fun) (malware.rules)
- 2050592 - ET MALWARE Observed Lumma Stealer Related Domain (healthrankunderow .fun in TLS SNI) (malware.rules)
- 2050593 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw) (malware.rules)
- 2050594 - ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI) (malware.rules)
- 2050597 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1 (malware.rules)
- 2050598 - ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2 (malware.rules)
- 2050599 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M1 (malware.rules)
- 2050600 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M2 (malware.rules)
- 2050607 - ET INFO Observed DNS Over HTTPS Domain (filter .das .sch .id in TLS SNI) (info.rules)
- 2050608 - ET INFO Observed DNS Over HTTPS Domain (tienpham .id .vn in TLS SNI) (info.rules)
- 2050611 - ET INFO Observed DNS Over HTTPS Domain (dns-fr-psv1 .cloudsides .com in TLS SNI) (info.rules)
- 2050612 - ET INFO Observed DNS Over HTTPS Domain (los .conana .info in TLS SNI) (info.rules)
- 2050613 - ET INFO Observed DNS Over HTTPS Domain (block .coconut .id in TLS SNI) (info.rules)
- 2050614 - ET INFO Observed DNS Over HTTPS Domain (fezgate .ovh in TLS SNI) (info.rules)
- 2050615 - ET INFO Observed DNS Over HTTPS Domain (quic .lol in TLS SNI) (info.rules)
- 2050616 - ET INFO Observed DNS Over HTTPS Domain (uradoori .org in TLS SNI) (info.rules)
- 2050617 - ET INFO Observed DNS Over HTTPS Domain (jp .conana .info in TLS SNI) (info.rules)
- 2050618 - ET INFO Observed DNS Over HTTPS Domain (adguard .gewete .cloud in TLS SNI) (info.rules)
- 2050619 - ET INFO Observed DNS Over HTTPS Domain (www .chungocoai .name .vn in TLS SNI) (info.rules)
- 2050620 - ET INFO Observed DNS Over HTTPS Domain (takhtakh .domyah .net in TLS SNI) (info.rules)
- 2050621 - ET INFO Observed DNS Over HTTPS Domain (dns .haboy .top in TLS SNI) (info.rules)
- 2050622 - ET INFO Observed DNS Over HTTPS Domain (dns .skrep .in in TLS SNI) (info.rules)
- 2050623 - ET INFO Observed DNS Over HTTPS Domain (naganohara-yoimiya .momokko .moe in TLS SNI) (info.rules)
- 2050625 - ET INFO Observed DNS Over HTTPS Domain (shield1 .eranext .net in TLS SNI) (info.rules)
- 2050627 - ET INFO Observed DNS Over HTTPS Domain (dns .354688 .xyz in TLS SNI) (info.rules)
- 2050628 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fantasticabnormally .shop) (malware.rules)
- 2050629 - ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI) (malware.rules)
- 2050654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gigeconomycase .com) (exploit_kit.rules)
- 2050655 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pngairservices .com) (exploit_kit.rules)
- 2050656 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gigeconomycase .com) (exploit_kit.rules)
- 2050657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pngairservices .com) (exploit_kit.rules)
- 2050665 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (knonkcdalfyhitt .shop) (malware.rules)
- 2050666 - ET MALWARE Observed Lumma Stealer Related Domain (knonkcdalfyhitt .shop in TLS SNI) (malware.rules)
- 2050667 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (birdvigorousedetertyw .shop) (malware.rules)
- 2050668 - ET MALWARE Observed Lumma Stealer Related Domain (birdvigorousedetertyw .shop in TLS SNI) (malware.rules)
- 2050669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telldruggcommitetter .shop) (malware.rules)
- 2050670 - ET MALWARE Observed Lumma Stealer Related Domain (telldruggcommitetter .shop in TLS SNI) (malware.rules)
- 2050678 - ET MALWARE Suspected TA451 Related FalseFont Backdoor Response (malware.rules)
- 2050679 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (cdn3-jquery .info) (exploit_kit.rules)
- 2050680 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (telotrace .com) (exploit_kit.rules)
- 2050681 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (cdn3-jquery .info) (exploit_kit.rules)
- 2050682 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (telotrace .com) (exploit_kit.rules)
- 2050683 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (eeatgoodx .com) (exploit_kit.rules)
- 2050684 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (eeatgoodx .com) (exploit_kit.rules)
- 2050685 - ET INFO Observed DNS Over HTTPS Domain (ad-dns .lista .my .id in TLS SNI) (info.rules)
- 2050686 - ET INFO Observed DNS Over HTTPS Domain (uf-dns .lista .my .id in TLS SNI) (info.rules)
- 2050701 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (feturepoudbicchteo .shop) (malware.rules)
- 2050702 - ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI) (malware.rules)
- 2050703 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (pavementpreferencewjiao .site) (malware.rules)
- 2050704 - ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI) (malware.rules)
- 2050705 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (despairphtsograpgp .shop) (malware.rules)
- 2050710 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mysticselect .com) (exploit_kit.rules)
- 2050711 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (oemmasters .com) (exploit_kit.rules)
- 2050712 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mysticselect .com) (exploit_kit.rules)
- 2050713 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (oemmasters .com) (exploit_kit.rules)
- 2050718 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tnoodlezy .com) (exploit_kit.rules)
- 2050719 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gspiceyl .com) (exploit_kit.rules)
- 2050720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (snackfunp .com) (exploit_kit.rules)
- 2050721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (tnoodlezy .com) (exploit_kit.rules)
- 2050722 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gspiceyl .com) (exploit_kit.rules)
- 2050723 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (snackfunp .com) (exploit_kit.rules)
- 2050724 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .our .openarmscv .org) (malware.rules)
- 2050725 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .our .openarmscv .org) (malware.rules)
- 2050726 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (samplepoisonbarryntj .shop) (malware.rules)
- 2050727 - ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI) (malware.rules)
- 2050728 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (decorousnumerousieo .shop) (malware.rules)
- 2050729 - ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI) (malware.rules)
- 2050739 - ET INFO Suspicious Application Related Domain in DNS Lookup (info.rules)
- 2050740 - ET INFO Observed Suspicious Application Related Domain in TLS SNI (info.rules)
- 2050743 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (landgateindirectdangre .shop) (malware.rules)
- 2050744 - ET MALWARE Observed Lumma Stealer Related Domain (landgateindirectdangre .shop in TLS SNI) (malware.rules)
- 2050770 - ET INFO Observed DNS Over HTTPS Domain (dns .andersfarms .ltd in TLS SNI) (info.rules)
- 2050773 - ET INFO Observed DNS Over HTTPS Domain (dns .wellstsai .com in TLS SNI) (info.rules)
- 2050780 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (exitassumebangpastcone .shop) (malware.rules)
- 2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
- 2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)
- 2050793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .day .50adayplan .com) (malware.rules)
- 2050794 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .day .50adayplan .com) (malware.rules)
- 2050795 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grantallardserver .com) (exploit_kit.rules)
- 2050797 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grantallardserver .com) (exploit_kit.rules)
- 2050798 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (casinovipclubs .com) (exploit_kit.rules)
- 2050802 - ET MALWARE Observed MacOS RustDoor Related Domain (serviceicloud .com in TLS SNI) (malware.rules)
- 2050814 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vfxfilmschool .com) (exploit_kit.rules)
- 2050815 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vfxfilmschool .com) (exploit_kit.rules)
- 2050816 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bicyclesunhygenico .fun) (malware.rules)
- 2050817 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (reechoingkaolizationp .fun) (malware.rules)
- 2050818 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (antiuncontemporary .fun) (malware.rules)
- 2050819 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pielumchalotpostwo .fun) (malware.rules)
- 2050820 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unexaminablespectrall .fun) (malware.rules)
- 2050821 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (muggierdragstemmio .fun) (malware.rules)
- 2050822 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fishboatnurrybeauti .fun) (malware.rules)
- 2050823 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mazumaponyanthus .fun) (malware.rules)
- 2050824 - ET MALWARE Observed Lumma Stealer Related Domain (bicyclesunhygenico .fun in TLS SNI) (malware.rules)
- 2050825 - ET MALWARE Observed Lumma Stealer Related Domain (reechoingkaolizationp .fun in TLS SNI) (malware.rules)
- 2050826 - ET MALWARE Observed Lumma Stealer Related Domain (antiuncontemporary .fun in TLS SNI) (malware.rules)
- 2050827 - ET MALWARE Observed Lumma Stealer Related Domain (pielumchalotpostwo .fun in TLS SNI) (malware.rules)
- 2050828 - ET MALWARE Observed Lumma Stealer Related Domain (unexaminablespectrall .fun in TLS SNI) (malware.rules)
- 2050829 - ET MALWARE Observed Lumma Stealer Related Domain (muggierdragstemmio .fun in TLS SNI) (malware.rules)
- 2050830 - ET MALWARE Observed Lumma Stealer Related Domain (fishboatnurrybeauti .fun in TLS SNI) (malware.rules)
- 2050831 - ET MALWARE Observed Lumma Stealer Related Domain (mazumaponyanthus .fun in TLS SNI) (malware.rules)
- 2050832 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bleednumberrottern .home) (malware.rules)
- 2050833 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (brakesummitfiightre .pics) (malware.rules)
- 2050834 - ET MALWARE Observed Lumma Stealer Related Domain (bleednumberrottern .home in TLS SNI) (malware.rules)
- 2050835 - ET MALWARE Observed Lumma Stealer Related Domain (brakesummitfiightre .pics in TLS SNI) (malware.rules)
- 2050836 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lawwormroleveinn .mom) (malware.rules)
- 2050837 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (baresoakopiniocowe .fun) (malware.rules)
- 2050841 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (developmentalveiop .home) (malware.rules)
- 2050842 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hunterstrawmersp .home) (malware.rules)
- 2050843 - ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .mom in TLS SNI) (malware.rules)
- 2050844 - ET MALWARE Observed Lumma Stealer Related Domain (baresoakopiniocowe .fun in TLS SNI) (malware.rules)
- 2050845 - ET MALWARE Observed Lumma Stealer Related Domain (baketransparentadw .pics in TLS SNI) (malware.rules)
- 2050846 - ET MALWARE Observed Lumma Stealer Related Domain (legislationdictater .mom in TLS SNI) (malware.rules)
- 2050847 - ET MALWARE Observed Lumma Stealer Related Domain (mercyaloofprincipleo .pics in TLS SNI) (malware.rules)
- 2050848 - ET MALWARE Observed Lumma Stealer Related Domain (developmentalveiop .home in TLS SNI) (malware.rules)
- 2050849 - ET MALWARE Observed Lumma Stealer Related Domain (hunterstrawmersp .home in TLS SNI) (malware.rules)
- 2050850 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ironshottallinko .funu) (malware.rules)
- 2050851 - ET MALWARE Observed Lumma Stealer Related Domain (ironshottallinko .funu in TLS SNI) (malware.rules)
- 2050852 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lawwormroleveinn .momu) (malware.rules)
- 2050853 - ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .momu in TLS SNI) (malware.rules)
- 2050854 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (scshemevalleywelferw .site) (malware.rules)
- 2050855 - ET MALWARE Observed Lumma Stealer Related Domain (scshemevalleywelferw .site in TLS SNI) (malware.rules)
- 2050868 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fossillandscapefewkew .site) (malware.rules)
- 2050869 - ET MALWARE Observed Lumma Stealer Related Domain (fossillandscapefewkew .site in TLS SNI) (malware.rules)
- 2050870 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (townsfolkhiwoeko .fun) (malware.rules)
- 2050871 - ET MALWARE Observed Lumma Stealer Related Domain (townsfolkhiwoeko .fun in TLS SNI) (malware.rules)
- 2050872 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colonmoonmushroo .mom) (malware.rules)
- 2050873 - ET MALWARE Observed Lumma Stealer Related Domain (colonmoonmushroo .mom in TLS SNI) (malware.rules)
- 2050878 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cattilecodereowop .pw) (malware.rules)
- 2050879 - ET MALWARE Observed Lumma Stealer Related Domain (cattilecodereowop .pw in TLS SNI) (malware.rules)
- 2050880 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (thinrecordsunrjisow .pw) (malware.rules)
- 2050881 - ET MALWARE Observed Lumma Stealer Related Domain (thinrecordsunrjisow .pw in TLS SNI) (malware.rules)
- 2050899 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funr) (malware.rules)
- 2050901 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI) (malware.rules)
- 2050946 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jimissupercool .com) (exploit_kit.rules)
- 2050947 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (myclubpicks .com) (exploit_kit.rules)
- 2050948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jimissupercool .com) (exploit_kit.rules)
- 2050949 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (myclubpicks .com) (exploit_kit.rules)
- 2050950 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .members .openarmscv .com) (malware.rules)
- 2050951 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .members .openarmscv .com) (malware.rules)
- 2050962 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funy) (malware.rules)
- 2050963 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funy in TLS SNI) (malware.rules)
- 2050964 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (greenbowelsustainny .fun) (malware.rules)
- 2050965 - ET MALWARE Observed Lumma Stealer Related Domain (greenbowelsustainny .fun in TLS SNI) (malware.rules)
- 2050966 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funl) (malware.rules)
- 2050967 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funl in TLS SNI) (malware.rules)
- 2050968 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fikkeropendorwiw .pw) (malware.rules)
- 2050969 - ET MALWARE Observed Lumma Stealer Related Domain (fikkeropendorwiw .pw in TLS SNI) (malware.rules)
- 2050970 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (numberlesswortheiwol .shop) (malware.rules)
- 2050971 - ET MALWARE Observed Lumma Stealer Related Domain (numberlesswortheiwol .shop in TLS SNI) (malware.rules)
- 2050972 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superiorhardwaerw .pw) (malware.rules)
- 2050973 - ET MALWARE Observed Lumma Stealer Related Domain (superiorhardwaerw .pw in TLS SNI) (malware.rules)
- 2050974 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwl) (malware.rules)
- 2050976 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwl in TLS SNI) (malware.rules)
- 2050980 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s14-nextjs .net) (exploit_kit.rules)
- 2050981 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (donnows .com) (exploit_kit.rules)
- 2050982 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s14-nextjs .net) (exploit_kit.rules)
- 2050983 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (donnows .com) (exploit_kit.rules)
- 2050984 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (posiit .com) (exploit_kit.rules)
- 2050985 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (posiit .com) (exploit_kit.rules)
- 2050986 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (freegeneratorai .com) (exploit_kit.rules)
- 2050987 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (freegeneratorai .com) (exploit_kit.rules)
- 2051025 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ads-quantum .com) (exploit_kit.rules)
- 2051026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ads-quantum .com) (exploit_kit.rules)
- 2051077 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (funcallback .com) (exploit_kit.rules)
- 2051092 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
- 2051098 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aljannatquranteach .com) (exploit_kit.rules)
- 2051101 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bigcuda .com) (exploit_kit.rules)
- 2051108 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bbsupplyandsalon .com) (exploit_kit.rules)
- 2856268 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2856288 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2856306 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Domain in DNS Lookup (malware.rules)
- 2856316 - ETPRO MALWARE Observed DNS Query to Sliver Related Domain (malware.rules)
- 2856317 - ETPRO MALWARE Observed Sliver Related Domain in TLS SNI (malware.rules)
- 2856348 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2856349 - ETPRO EXPLOIT_KIT ZPHP Lure Request M5 (exploit_kit.rules)
- 2856377 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2859977 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)
- 2860110 - ETPRO PHISHING Observed TA453 Domain in TLS SNI (phishing.rules)