Ruleset Update Summary - 2025/08/15 - v10994

Ruleset Updates
1

Summary:

17 new OPEN, 22 new PRO (17 + 5)

Added rules:

Open:

  • 2064011 - ET INFO Comodo Itarian RMM-related Domain (one .comodo .com) in DNS Lookup (info.rules)
  • 2064012 - ET INFO Comodo Itarian RMM-related Domain (cmdm .comodo .com) in DNS Lookup (info.rules)
  • 2064013 - ET INFO Comodo Itarian RMM-related Domain (one-us .comodo .com) in DNS Lookup (info.rules)
  • 2064014 - ET INFO Comodo Itarian RMM-related Domain (itsm-us1 .comodo .com) in DNS Lookup (info.rules)
  • 2064015 - ET INFO Observed Comodo ITarian RMM-related Domain (one .comodo .com) in TLS SNI (info.rules)
  • 2064016 - ET INFO Observed Comodo ITarian RMM-related Domain (cmdm .comodo .com) in TLS SNI (info.rules)
  • 2064017 - ET INFO Observed Comodo ITarian RMM-related Domain (one-us .comodo .com) in TLS SNI (info.rules)
  • 2064018 - ET INFO Observed Comodo ITarian RMM-related Domain (itsm-us1 .comodo .com) in TLS SNI (info.rules)
  • 2064019 - ET INFO DYNAMIC_DNS Query to a *.luxflow .net domain (info.rules)
  • 2064020 - ET INFO DYNAMIC_DNS HTTP Request to a *.luxflow .net domain (info.rules)
  • 2064021 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (audit .fsia .net) (malware.rules)
  • 2064022 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (audit .fsia .net) (malware.rules)
  • 2064023 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (email .atmgift .com) (malware.rules)
  • 2064024 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (email .atmgift .com) (malware.rules)
  • 2064025 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (app .makemoremoneychallenge .vip) (malware.rules)
  • 2064026 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (app .makemoremoneychallenge .vip) (malware.rules)
  • 2064027 - ET EXPLOIT Fortinet FortiSIEM Unauthenticated phMonitor Command Injection (CVE-2025-25256) (exploit.rules)

Pro:

  • 2864288 - ETPRO MALWARE Observed DNS Query to TA425/Patchwork Donut Domain (malware.rules)
  • 2864289 - ETPRO MALWARE Observed DNS Query to TA425/Patchwork Donut Domain (malware.rules)
  • 2864290 - ETPRO MALWARE Observed TA425/Patchwork Donut Domain in TLS SNI (malware.rules)
  • 2864291 - ETPRO MALWARE Observed TA425/Patchwork Donut Domain in TLS SNI (malware.rules)
  • 2864292 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2049758 - ET MALWARE DNS Query to UAC-0177 Domain (certifiedauth .in) (malware.rules)
  • 2049759 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .link) (malware.rules)
  • 2049760 - ET MALWARE DNS Query to UAC-0177 Domain (connectssl .in) (malware.rules)
  • 2049761 - ET MALWARE DNS Query to UAC-0177 Domain (getssl .click) (malware.rules)
  • 2049762 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .site) (malware.rules)
  • 2049763 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .online) (malware.rules)
  • 2049764 - ET MALWARE DNS Query to UAC-0177 Domain (exmo .day) (malware.rules)
  • 2049765 - ET MALWARE DNS Query to UAC-0177 Domain (authcheck .in) (malware.rules)
  • 2049767 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .org) (malware.rules)
  • 2049768 - ET MALWARE Observed UAC-0177 Domain (ssl2 .in in TLS SNI) (malware.rules)
  • 2049769 - ET MALWARE Observed UAC-0177 Domain (ssl4 .site in TLS SNI) (malware.rules)
  • 2049770 - ET MALWARE Observed UAC-0177 Domain (getssl .ink in TLS SNI) (malware.rules)
  • 2049771 - ET MALWARE Observed UAC-0177 Domain (personlog .in in TLS SNI) (malware.rules)
  • 2049772 - ET MALWARE Observed UAC-0177 Domain (ssl2 .link in TLS SNI) (malware.rules)
  • 2049773 - ET MALWARE Observed UAC-0177 Domain (authssl .online in TLS SNI) (malware.rules)
  • 2049774 - ET MALWARE Observed UAC-0177 Domain (ssl1 .site in TLS SNI) (malware.rules)
  • 2049775 - ET MALWARE Observed UAC-0177 Domain (hsts .online in TLS SNI) (malware.rules)
  • 2049776 - ET MALWARE Observed UAC-0177 Domain (authssl .in in TLS SNI) (malware.rules)
  • 2049778 - ET MALWARE Observed UAC-0177 Domain (authssl .site in TLS SNI) (malware.rules)
  • 2049779 - ET MALWARE Observed UAC-0177 Domain (goaccount .link in TLS SNI) (malware.rules)
  • 2049780 - ET MALWARE Observed UAC-0177 Domain (ssl2 .site in TLS SNI) (malware.rules)
  • 2049781 - ET MALWARE Observed UAC-0177 Domain (ssl1 .online in TLS SNI) (malware.rules)
  • 2049782 - ET MALWARE Observed UAC-0177 Domain (passport2 .zip in TLS SNI) (malware.rules)
  • 2049783 - ET MALWARE Observed UAC-0177 Domain (certifiedauth .in in TLS SNI) (malware.rules)
  • 2049784 - ET MALWARE Observed UAC-0177 Domain (authssl .link in TLS SNI) (malware.rules)
  • 2049785 - ET MALWARE Observed UAC-0177 Domain (connectssl .in in TLS SNI) (malware.rules)
  • 2049787 - ET MALWARE Observed UAC-0177 Domain (ssl3 .site in TLS SNI) (malware.rules)
  • 2049788 - ET MALWARE Observed UAC-0177 Domain (ssl3 .online in TLS SNI) (malware.rules)
  • 2049789 - ET MALWARE Observed UAC-0177 Domain (exmo .day in TLS SNI) (malware.rules)
  • 2049791 - ET MALWARE Observed UAC-0177 Domain (ssl4 .online in TLS SNI) (malware.rules)
  • 2049792 - ET MALWARE Observed UAC-0177 Domain (authssl .org in TLS SNI) (malware.rules)
  • 2049807 - ET MALWARE Brute Ratel Framework Related Domain in DNS Lookup (azureclouder .com) (malware.rules)
  • 2049808 - ET MALWARE Observed Brute Ratel Framework Related Domain (azureclouder .com in TLS SNI) (malware.rules)
  • 2049810 - ET INFO DNS Query to Vultr Cloud file sharing domain (vultrobjects .com) (info.rules)
  • 2049822 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (biggerfun .org) (exploit_kit.rules)
  • 2049823 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (froggysnow .org) (exploit_kit.rules)
  • 2049824 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (confirmapply .org) (exploit_kit.rules)
  • 2049825 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (biggerfun .org) (exploit_kit.rules)
  • 2049826 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (froggysnow .org) (exploit_kit.rules)
  • 2049827 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (confirmapply .org) (exploit_kit.rules)
  • 2049838 - ET MALWARE Observed Lumma Stealer Related Domain (agedelayglacierwe .pw in TLS SNI) (malware.rules)
  • 2049839 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (agedelayglacierwe .pw) (malware.rules)
  • 2049842 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (chincenterblandwka .pw) (malware.rules)
  • 2049844 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (neighborhoodfeelsa .fun) (malware.rules)
  • 2049846 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049847 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049848 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proexbit .com) (exploit_kit.rules)
  • 2049849 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049850 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proximaideia .com) (exploit_kit.rules)
  • 2049852 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (polatliems .com) (exploit_kit.rules)
  • 2049853 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proexbit .com) (exploit_kit.rules)
  • 2049854 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049855 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proximaideia .com) (exploit_kit.rules)
  • 2049856 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
  • 2049857 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (polatliems .com) (exploit_kit.rules)
  • 2049870 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ratingsentry .com) (exploit_kit.rules)
  • 2049871 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ratingsentry .com) (exploit_kit.rules)
  • 2049877 - ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI) (malware.rules)
  • 2049878 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw) (malware.rules)
  • 2049881 - ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI) (malware.rules)
  • 2049889 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jennifergalvin .com) (exploit_kit.rules)
  • 2049891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jesusanaya .com) (exploit_kit.rules)
  • 2049892 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (plannedtomatoes .com) (exploit_kit.rules)
  • 2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
  • 2049894 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kineticwing .com) (exploit_kit.rules)
  • 2049895 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jesusanaya .com) (exploit_kit.rules)
  • 2049896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (plannedtomatoes .com) (exploit_kit.rules)
  • 2049917 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (playerweighmailydailew .pw) (malware.rules)
  • 2049918 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (latetemporarynuance .pw) (malware.rules)
  • 2049919 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (blastechohackopeower .pw) (malware.rules)
  • 2049920 - ET MALWARE Observed Lumma Stealer Related Domain (latetemporarynuance .pw in TLS SNI) (malware.rules)
  • 2049921 - ET MALWARE Observed Lumma Stealer Related Domain (playerweighmailydailew .pw in TLS SNI) (malware.rules)
  • 2049922 - ET MALWARE Observed Lumma Stealer Related Domain (blastechohackopeower .pw in TLS SNI) (malware.rules)
  • 2049933 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (nowordshere .org) (exploit_kit.rules)
  • 2049934 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (nowordshere .org) (exploit_kit.rules)
  • 2049935 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (arkadyevna .com) (exploit_kit.rules)
  • 2049936 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (choosetotruck .com) (exploit_kit.rules)
  • 2049937 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (boxtechcompany .com) (exploit_kit.rules)
  • 2049938 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (arkadyevna .com) (exploit_kit.rules)
  • 2049939 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (choosetotruck .com) (exploit_kit.rules)
  • 2049940 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (boxtechcompany .com) (exploit_kit.rules)
  • 2049941 - ET MALWARE SocGholish Domain in DNS Lookup (retraining .allstardriving .org) (malware.rules)
  • 2049942 - ET MALWARE SocGholish Domain in TLS SNI (retraining .allstardriving .org) (malware.rules)
  • 2049943 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (cloudwebhub .pro) (exploit_kit.rules)
  • 2049944 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (cloudwebhub .pro) (exploit_kit.rules)
  • 2049945 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (electricnico .com) (exploit_kit.rules)
  • 2049946 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (electricnico .com) (exploit_kit.rules)
  • 2049949 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (evokenumberpottruckere .fun) (malware.rules)
  • 2049950 - ET MALWARE Observed Lumma Stealer Related Domain (evokenumberpottruckere .fun in TLS SNI) (malware.rules)
  • 2049951 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (goddirtybrilliancece .fun) (malware.rules)
  • 2049952 - ET MALWARE Observed Lumma Stealer Related Domain (goddirtybrilliancece .fun in TLS SNI) (malware.rules)
  • 2049953 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (maskmusicalproplemanw .pw) (malware.rules)
  • 2049954 - ET MALWARE Observed Lumma Stealer Related Domain (maskmusicalproplemanw .pw in TLS SNI) (malware.rules)
  • 2049955 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (malware.rules)
  • 2049956 - ET MALWARE Test CnC Domain in DNS Lookup (test .com) (malware.rules)
  • 2049957 - ET MALWARE X CnC Domain in DNS Lookup (test .com) (malware.rules)
  • 2049960 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lazittarl .com) (exploit_kit.rules)
  • 2049961 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lazittarl .com) (exploit_kit.rules)
  • 2049965 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (ranchguarrelguidewa .pw) (malware.rules)
  • 2049966 - ET MALWARE Observed Lumma Stealer Related Domain (ranchguarrelguidewa .pw in TLS SNI) (malware.rules)
  • 2050015 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (codecruncher .pro) (exploit_kit.rules)
  • 2050016 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (codecruncher .pro) (exploit_kit.rules)
  • 2050019 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mariateresacalderon .com) (exploit_kit.rules)
  • 2050020 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mariateresacalderon .com) (exploit_kit.rules)
  • 2050022 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
  • 2050023 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
  • 2050024 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
  • 2050025 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
  • 2050026 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (copyexpertisesausewaverw .site) (malware.rules)
  • 2050027 - ET MALWARE Observed Lumma Stealer Related Domain (copyexpertisesausewaverw .site in TLS SNI) (malware.rules)
  • 2050031 - ET INFO Observed DNS Over HTTPS Domain (ns .sblnetwork .co .id in TLS SNI) (info.rules)
  • 2050032 - ET INFO Observed DNS Over HTTPS Domain (clearweb .woodbridge .club in TLS SNI) (info.rules)
  • 2050033 - ET INFO Observed DNS Over HTTPS Domain (local .sufly .top in TLS SNI) (info.rules)
  • 2050034 - ET INFO Observed DNS Over HTTPS Domain (ns .lov .host in TLS SNI) (info.rules)
  • 2050035 - ET INFO Observed DNS Over HTTPS Domain (surt .ovh in TLS SNI) (info.rules)
  • 2050036 - ET INFO Observed DNS Over HTTPS Domain (ad .257053 .xyz in TLS SNI) (info.rules)
  • 2050037 - ET INFO Observed DNS Over HTTPS Domain (v2 .xx3210766 .live in TLS SNI) (info.rules)
  • 2050038 - ET INFO Observed DNS Over HTTPS Domain (shijiu .asia in TLS SNI) (info.rules)
  • 2050039 - ET INFO Observed DNS Over HTTPS Domain (dns .sbstructure .ir in TLS SNI) (info.rules)
  • 2050041 - ET INFO Observed DNS Over HTTPS Domain (dns .albony .xyz in TLS SNI) (info.rules)
  • 2050042 - ET INFO Observed DNS Over HTTPS Domain (d2 .shabi .icu in TLS SNI) (info.rules)
  • 2050043 - ET INFO Observed DNS Over HTTPS Domain (free .sootoon .xyz in TLS SNI) (info.rules)
  • 2050044 - ET INFO Observed DNS Over HTTPS Domain (dns .trifanov-online .ru in TLS SNI) (info.rules)
  • 2050045 - ET INFO Observed DNS Over HTTPS Domain (res .zijji .com in TLS SNI) (info.rules)
  • 2050046 - ET INFO Observed DNS Over HTTPS Domain (dns .888654 .xyz in TLS SNI) (info.rules)
  • 2050047 - ET INFO Observed DNS Over HTTPS Domain (dns .sainternet .xyz in TLS SNI) (info.rules)
  • 2050048 - ET INFO Observed DNS Over HTTPS Domain (vanced .sytes .net in TLS SNI) (info.rules)
  • 2050050 - ET INFO Observed DNS Over HTTPS Domain (ymjx .shimmerl .top in TLS SNI) (info.rules)
  • 2050071 - ET MALWARE SocGholish Domain in DNS Lookup (surprise .refillpantrysd .com) (malware.rules)
  • 2050072 - ET MALWARE SocGholish Domain in TLS SNI (surprise .refillpantrysd .com) (malware.rules)
  • 2050076 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (contextsuffreintymore .fun) (malware.rules)
  • 2050077 - ET MALWARE Observed Lumma Stealer Related Domain (contextsuffreintymore .fun in TLS SNI) (malware.rules)
  • 2050083 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M1 (malware.rules)
  • 2050094 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M2 (malware.rules)
  • 2050098 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (debasesingle .life) (exploit_kit.rules)
  • 2050099 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (frenchpies .org) (exploit_kit.rules)
  • 2050100 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (debasesingle .life) (exploit_kit.rules)
  • 2050101 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (frenchpies .org) (exploit_kit.rules)
  • 2050102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (scorelineupdate .com) (exploit_kit.rules)
  • 2050103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (phinetik .com) (exploit_kit.rules)
  • 2050104 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (scorelineupdate .com) (exploit_kit.rules)
  • 2050105 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (phinetik .com) (exploit_kit.rules)
  • 2050111 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive (malware.rules)
  • 2050125 - ET INFO DNS Query to Online Application Hosting Domain (supabase .co) (info.rules)
  • 2050134 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (specialcraftbox .com) (exploit_kit.rules)
  • 2050135 - ET EXPLOIT_KIT Balada Domain in TLS SNI (specialcraftbox .com) (exploit_kit.rules)
  • 2050136 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (colorschemeas .com) (exploit_kit.rules)
  • 2050137 - ET EXPLOIT_KIT Balada Domain in TLS SNI (colorschemeas .com) (exploit_kit.rules)
  • 2050143 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (groannysoapblockedstiw .site) (malware.rules)
  • 2050145 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weedpairfolkloredheryw .site) (malware.rules)
  • 2050146 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (copyrightspareddcitwew .site) (malware.rules)
  • 2050147 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (qualifiedbehaviorrykej .site) (malware.rules)
  • 2050148 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (combinethemepiggerygoj .site) (malware.rules)
  • 2050149 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lendremindcenterpassew .site) (malware.rules)
  • 2050150 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (expenditureddisumilarwo .site) (malware.rules)
  • 2050151 - ET MALWARE Observed Lumma Stealer Related Domain (groannysoapblockedstiw .site in TLS SNI) (malware.rules)
  • 2050152 - ET MALWARE Observed Lumma Stealer Related Domain (worrystitchsounddywuwp .site in TLS SNI) (malware.rules)
  • 2050153 - ET MALWARE Observed Lumma Stealer Related Domain (paperambiguonusphoterew .site in TLS SNI) (malware.rules)
  • 2050154 - ET MALWARE Observed Lumma Stealer Related Domain (weedpairfolkloredheryw .site in TLS SNI) (malware.rules)
  • 2050156 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (paperambiguonusphoterew .site) (malware.rules)
  • 2050157 - ET MALWARE Observed Lumma Stealer Related Domain (expenditureddisumilarwo .site in TLS SNI) (malware.rules)
  • 2050158 - ET MALWARE Observed Lumma Stealer Related Domain (combinethemepiggerygoj .site in TLS SNI) (malware.rules)
  • 2050159 - ET MALWARE Observed Lumma Stealer Related Domain (qualifiedbehaviorrykej .site in TLS SNI) (malware.rules)
  • 2050160 - ET MALWARE Observed Lumma Stealer Related Domain (lendremindcenterpassew .site in TLS SNI) (malware.rules)
  • 2050161 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (accouncementdivecane .site) (malware.rules)
  • 2050162 - ET MALWARE Observed Lumma Stealer Related Domain (accouncementdivecane .site in TLS SNI) (malware.rules)
  • 2050163 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fleetconsciousnessjuiw .site) (malware.rules)
  • 2050164 - ET MALWARE Observed Lumma Stealer Related Domain (fleetconsciousnessjuiw .site in TLS SNI) (malware.rules)
  • 2050165 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carpetcupboardtejjerew .site) (malware.rules)
  • 2050166 - ET MALWARE Observed Lumma Stealer Related Domain (carpetcupboardtejjerew .site in TLS SNI) (malware.rules)
  • 2050167 - ET INFO Observed DNS Over HTTPS Domain (fwgw .orangepipc .mywire .org in TLS SNI) (info.rules)
  • 2050168 - ET INFO Observed DNS Over HTTPS Domain (dns .ours .luxe in TLS SNI) (info.rules)
  • 2050169 - ET INFO Observed DNS Over HTTPS Domain (dns .mestdag .fr in TLS SNI) (info.rules)
  • 2050170 - ET INFO Observed DNS Over HTTPS Domain (dns2 .nhgnet .de in TLS SNI) (info.rules)
  • 2050173 - ET INFO Observed DNS Over HTTPS Domain (inde .ragnvindr .org in TLS SNI) (info.rules)
  • 2050176 - ET INFO Observed DNS Over HTTPS Domain (addns1 .m-it .ro in TLS SNI) (info.rules)
  • 2050177 - ET INFO Observed DNS Over HTTPS Domain (lv .long-nguyen .info in TLS SNI) (info.rules)
  • 2050178 - ET INFO Observed DNS Over HTTPS Domain (nilanjan .me in TLS SNI) (info.rules)
  • 2050179 - ET INFO Observed DNS Over HTTPS Domain (adguard .oms-ctr .ru in TLS SNI) (info.rules)
  • 2050180 - ET INFO Observed DNS Over HTTPS Domain (doh .niyaru .online in TLS SNI) (info.rules)
  • 2050181 - ET INFO Observed DNS Over HTTPS Domain (dns .netraptor .com .au in TLS SNI) (info.rules)
  • 2050182 - ET INFO Observed DNS Over HTTPS Domain (doh .mn-bonn .de in TLS SNI) (info.rules)
  • 2050183 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (beatifulllhistory .com) (exploit_kit.rules)
  • 2050184 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (bestselllerservice .com) (exploit_kit.rules)
  • 2050185 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (clickandanalytics .com) (exploit_kit.rules)
  • 2050186 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (listwithstats .com) (exploit_kit.rules)
  • 2050187 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (dataofpages .com) (exploit_kit.rules)
  • 2050188 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (decentralappps .com) (exploit_kit.rules)
  • 2050189 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (getmygateway .com) (exploit_kit.rules)
  • 2050190 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (getsmallcount .com) (exploit_kit.rules)
  • 2050191 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (greenfastline .com) (exploit_kit.rules)
  • 2050192 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (gybritanalytsesystem .com) (exploit_kit.rules)
  • 2050193 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (lineferaline .com) (exploit_kit.rules)
  • 2050194 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (linestoget .com) (exploit_kit.rules)
  • 2050195 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (playerofsunshine .com) (exploit_kit.rules)
  • 2050196 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (promsmotion .com) (exploit_kit.rules)
  • 2050197 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (selectchoise .com) (exploit_kit.rules)
  • 2050198 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (selectofmychoices .com) (exploit_kit.rules)
  • 2050199 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (specialnewspaper .com) (exploit_kit.rules)
  • 2050200 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (specialtaskevents .com) (exploit_kit.rules)
  • 2050201 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (startperfectsolutions .com) (exploit_kit.rules)
  • 2050202 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (statisticplatform .com) (exploit_kit.rules)
  • 2050203 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (statisticscripts .com) (exploit_kit.rules)
  • 2050204 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (statisticsplatform .com) (exploit_kit.rules)
  • 2050205 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (stratosbody .com) (exploit_kit.rules)
  • 2050206 - ET EXPLOIT_KIT Balada Domain in TLS SNI (beatifulllhistory .com) (exploit_kit.rules)
  • 2050207 - ET EXPLOIT_KIT Balada Domain in TLS SNI (bestselllerservice .com) (exploit_kit.rules)
  • 2050208 - ET EXPLOIT_KIT Balada Domain in TLS SNI (clickandanalytics .com) (exploit_kit.rules)
  • 2050209 - ET EXPLOIT_KIT Balada Domain in TLS SNI (compage .listwithstats .com) (exploit_kit.rules)
  • 2050210 - ET EXPLOIT_KIT Balada Domain in TLS SNI (dataofpages .com) (exploit_kit.rules)
  • 2050211 - ET EXPLOIT_KIT Balada Domain in TLS SNI (decentralappps .com) (exploit_kit.rules)
  • 2050212 - ET EXPLOIT_KIT Balada Domain in TLS SNI (getmygateway .com) (exploit_kit.rules)
  • 2050213 - ET EXPLOIT_KIT Balada Domain in TLS SNI (getsmallcount .com) (exploit_kit.rules)
  • 2050214 - ET EXPLOIT_KIT Balada Domain in TLS SNI (greenfastline .com) (exploit_kit.rules)
  • 2050215 - ET EXPLOIT_KIT Balada Domain in TLS SNI (gybritanalytsesystem .com) (exploit_kit.rules)
  • 2050216 - ET EXPLOIT_KIT Balada Domain in TLS SNI (lineferaline .com) (exploit_kit.rules)
  • 2050217 - ET EXPLOIT_KIT Balada Domain in TLS SNI (linestoget .com) (exploit_kit.rules)
  • 2050218 - ET EXPLOIT_KIT Balada Domain in TLS SNI (playerofsunshine .com) (exploit_kit.rules)
  • 2050219 - ET EXPLOIT_KIT Balada Domain in TLS SNI (promsmotion .com) (exploit_kit.rules)
  • 2050220 - ET EXPLOIT_KIT Balada Domain in TLS SNI (selectchoise .com) (exploit_kit.rules)
  • 2050221 - ET EXPLOIT_KIT Balada Domain in TLS SNI (selectofmychoices .com) (exploit_kit.rules)
  • 2050222 - ET EXPLOIT_KIT Balada Domain in TLS SNI (specialnewspaper .com) (exploit_kit.rules)
  • 2050223 - ET EXPLOIT_KIT Balada Domain in TLS SNI (specialtaskevents .com) (exploit_kit.rules)
  • 2050224 - ET EXPLOIT_KIT Balada Domain in TLS SNI (startperfectsolutions .com) (exploit_kit.rules)
  • 2050225 - ET EXPLOIT_KIT Balada Domain in TLS SNI (statisticplatform .com) (exploit_kit.rules)
  • 2050226 - ET EXPLOIT_KIT Balada Domain in TLS SNI (statisticscripts .com) (exploit_kit.rules)
  • 2050227 - ET EXPLOIT_KIT Balada Domain in TLS SNI (statisticsplatform .com) (exploit_kit.rules)
  • 2050228 - ET EXPLOIT_KIT Balada Domain in TLS SNI (stratosbody .com) (exploit_kit.rules)
  • 2050250 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (searchgear .pro) (exploit_kit.rules)
  • 2050251 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (searchgear .pro) (exploit_kit.rules)
  • 2050252 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (stablelightway .com) (exploit_kit.rules)
  • 2050253 - ET EXPLOIT_KIT Balada Domain in TLS SNI (stablelightway .com) (exploit_kit.rules)
  • 2050254 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benddiscoleideasbridrew .site) (malware.rules)
  • 2050255 - ET MALWARE Observed Lumma Stealer Related Domain (benddiscoleideasbridrew .site in TLS SNI) (malware.rules)
  • 2050256 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lastbishopmultiplyeow .site) (malware.rules)
  • 2050257 - ET MALWARE Observed Lumma Stealer Related Domain (lastbishopmultiplyeow .site in TLS SNI) (malware.rules)
  • 2050258 - ET INFO Observed DNS Over HTTPS Domain (agh-yz .russel053 .com in TLS SNI) (info.rules)
  • 2050259 - ET INFO Observed DNS Over HTTPS Domain (dns .lgprk .com in TLS SNI) (info.rules)
  • 2050261 - ET INFO Observed DNS Over HTTPS Domain (dns .mikrotikrumahan .my .id in TLS SNI) (info.rules)
  • 2050262 - ET INFO Observed DNS Over HTTPS Domain (5g .o0o .re in TLS SNI) (info.rules)
  • 2050263 - ET INFO Observed DNS Over HTTPS Domain (query .mobyds .com in TLS SNI) (info.rules)
  • 2050264 - ET INFO Observed DNS Over HTTPS Domain (dns .sac .rebl .eu .org in TLS SNI) (info.rules)
  • 2050265 - ET INFO Observed DNS Over HTTPS Domain (dns .lvolland .fr in TLS SNI) (info.rules)
  • 2050266 - ET INFO Observed DNS Over HTTPS Domain (ns .ral9005 .org in TLS SNI) (info.rules)
  • 2050267 - ET INFO Observed DNS Over HTTPS Domain (ns .mtsoln .com in TLS SNI) (info.rules)
  • 2050268 - ET INFO Observed DNS Over HTTPS Domain (adblock .leenit .kr in TLS SNI) (info.rules)
  • 2050269 - ET INFO Observed DNS Over HTTPS Domain (home .wriedts .de in TLS SNI) (info.rules)
  • 2050270 - ET INFO Observed DNS Over HTTPS Domain (dns1 .lothuscorp .com .br in TLS SNI) (info.rules)
  • 2050271 - ET INFO Observed DNS Over HTTPS Domain (adguard .marto .si in TLS SNI) (info.rules)
  • 2050272 - ET INFO Observed DNS Over HTTPS Domain (id .local .v .ua in TLS SNI) (info.rules)
  • 2050274 - ET INFO Observed DNS Over HTTPS Domain (netcup .mismat .ch in TLS SNI) (info.rules)
  • 2050275 - ET INFO Observed DNS Over HTTPS Domain (adguard .mattiafenzi .uk in TLS SNI) (info.rules)
  • 2050276 - ET INFO Observed DNS Over HTTPS Domain (locaweb .moleniuk .com in TLS SNI) (info.rules)
  • 2050277 - ET INFO Observed DNS Over HTTPS Domain (emby .rasp .tv in TLS SNI) (info.rules)
  • 2050286 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (flyspecialline .com) (exploit_kit.rules)
  • 2050287 - ET EXPLOIT_KIT Balada Domain in TLS SNI (flyspecialline .com) (exploit_kit.rules)
  • 2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)
  • 2050289 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .live) (malware.rules)
  • 2050290 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .pro) (malware.rules)
  • 2050291 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefiturl .pro) (malware.rules)
  • 2050292 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (careagency .online) (malware.rules)
  • 2050293 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (cra-receivenow .online) (malware.rules)
  • 2050294 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (crareceive .site) (malware.rules)
  • 2050295 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .co) (malware.rules)
  • 2050296 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .lat) (malware.rules)
  • 2050297 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (direct .traderfree .online) (malware.rules)
  • 2050298 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (forex .traderfree .online) (malware.rules)
  • 2050299 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .online) (malware.rules)
  • 2050300 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .site) (malware.rules)
  • 2050301 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (gstcreceive .online) (malware.rules)
  • 2050302 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (instantreceive .org) (malware.rules)
  • 2050303 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (nav .offlinedocument .site) (malware.rules)
  • 2050304 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receive .bio) (malware.rules)
  • 2050305 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receiveinstant .online) (malware.rules)
  • 2050307 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .online) (malware.rules)
  • 2050319 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .co) (malware.rules)
  • 2050320 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .lat) (malware.rules)
  • 2050321 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (direct .traderfree .online) (malware.rules)
  • 2050323 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .online) (malware.rules)
  • 2050342 - ET MALWARE Observed Lumma Stealer Related Domain (demonstratorleasheropw .site in TLS SNI) (malware.rules)
  • 2050343 - ET INFO Observed DNS Over HTTPS Domain (adguard-home .server-on .net in TLS SNI) (info.rules)
  • 2050345 - ET INFO Observed DNS Over HTTPS Domain (dns .skrzypiec .pl in TLS SNI) (info.rules)
  • 2050348 - ET INFO Observed DNS Over HTTPS Domain (privatnas .servebeer .com in TLS SNI) (info.rules)
  • 2050349 - ET INFO Observed DNS Over HTTPS Domain (h .gjrick .tw in TLS SNI) (info.rules)
  • 2050364 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (womanflirting .life) (exploit_kit.rules)
  • 2050375 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (webdatatrace .com) (exploit_kit.rules)
  • 2050377 - ET INFO Observed DNS Over HTTPS Domain (adguard .sparshbajaj .me in TLS SNI) (info.rules)
  • 2050379 - ET INFO Observed DNS Over HTTPS Domain (dns .scuola .org in TLS SNI) (info.rules)
  • 2050383 - ET INFO Observed DNS Over HTTPS Domain (www .inpssh .online in TLS SNI) (info.rules)
  • 2050401 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carvewomanflavourwop .site) (malware.rules)
  • 2050410 - ET MALWARE Observed Lumma Stealer Related Domain (communicationinchoicer .site in TLS SNI) (malware.rules)
  • 2050413 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
  • 2050476 - ET INFO Observed DNS Over HTTPS Domain (admin .homedns .uk in TLS SNI) (info.rules)
  • 2050504 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (lightsteper .com) (exploit_kit.rules)
  • 2050530 - ET INFO Observed DNS Over HTTPS Domain (dns .furrydns .de in TLS SNI) (info.rules)
  • 2050610 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (info.rules)
  • 2050624 - ET INFO Observed DNS Over HTTPS Domain (socolov .home .ro in TLS SNI) (info.rules)
  • 2050796 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (casinovipclubs .com) (exploit_kit.rules)
  • 2856079 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856099 - ETPRO EXPLOIT_KIT ZPHP Lure Request M4 (exploit_kit.rules)
  • 2856100 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856123 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856124 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856125 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856126 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856127 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856128 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856129 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856130 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856131 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856132 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856133 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856134 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
  • 2856155 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856168 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
  • 2856175 - ETPRO MALWARE Suspected FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856176 - ETPRO MALWARE Observed Suspected FIN7/Carbanak Related Domain in TLS SNI (malware.rules)
  • 2856216 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2063971 - ET INFO DYNAMIC_DNS Query to a *.mikealesso .com domain (info.rules)
  • 2063972 - ET INFO DYNAMIC_DNS HTTP Request to a *.mikealesso .com domain (info.rules)
  • 2063973 - ET INFO DYNAMIC_DNS Query to a *.giftofappetite .com domain (info.rules)
  • 2063974 - ET INFO DYNAMIC_DNS HTTP Request to a *.giftofappetite .com domain (info.rules)
  • 2864237 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864239 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864240 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864241 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864242 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864243 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864244 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)