Ruleset Update Summary - 2025/08/22 - v10999

Summary:

32 new OPEN, 33 new PRO (32 + 1)
Added rules:

Open:

  • 2064098 - ET WEB_SPECIFIC_APPS Tenda getMasterPassengerAnalyseData time Parameter Buffer Overflow Attempt (CVE-2025-9299) (web_specific_apps.rules)
  • 2064099 - ET WEB_SPECIFIC_APPS Tenda QuickIndex PPPOEPassword Parameter Buffer Overflow Attempt (CVE-2025-9298) (web_specific_apps.rules)
  • 2064100 - ET WEB_SPECIFIC_APPS Tenda wxportalauth type Parameter Buffer Overflow Attempt (CVE-2025-9297) (web_specific_apps.rules)
  • 2064101 - ET WEB_SPECIFIC_APPS Tenda exeCommand cmdinput Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2064102 - ET INFO Comodo Itarian RMM-related Domain (api .dragonplatform .net) in DNS Lookup (info.rules)
  • 2064103 - ET INFO Comodo Itarian RMM-related Domain (cescollector .cwatchapi .com) in DNS Lookup (info.rules)
  • 2064104 - ET INFO Comodo Itarian RMM-related Domain (mdmsupport .comodo .com) in DNS Lookup (info.rules)
  • 2064105 - ET INFO Observed Comodo ITarian RMM-related Domain (api .dragonplatform .net) in TLS SNI (info.rules)
  • 2064106 - ET INFO Observed Comodo ITarian RMM-related Domain (cescollector .cwatchapi .com) in TLS SNI (info.rules)
  • 2064107 - ET INFO Observed Comodo ITarian RMM-related Domain (mdmsupport .comodo .com) in TLS SNI (info.rules)
  • 2064108 - ET WEB_SPECIFIC_APPS Tenda setcfm funcpara1 Parameter Buffer Overflow Attempt (CVE-2025-4298) (web_specific_apps.rules)
  • 2064109 - ET WEB_SPECIFIC_APPS Tenda SetNetControlList list Parameter Buffer Overflow Attempt (CVE-2025-9087, CVE-2025-29215, CVE-2025-1897) (web_specific_apps.rules)
  • 2064110 - ET WEB_SPECIFIC_APPS D-Link mng_platform.asp addr Parameter Command Injection Attempt (CVE-2025-57105) (web_specific_apps.rules)
  • 2064111 - ET WEB_SPECIFIC_APPS Tenda WifiWpsStart index Parameter Buffer Overflow Attempt (CVE-2025-45429, CVE-2024-2896, CVE-2024-2811, CVE-2024-2706) (web_specific_apps.rules)
  • 2064112 - ET WEB_SPECIFIC_APPS D-Link fileaccess.cgi pre_api_arg Parameter Command Injection Attempt (CVE-2025-55583) (web_specific_apps.rules)
  • 2064113 - ET INFO DYNAMIC_DNS Query to a *.ne-t .org domain (info.rules)
  • 2064114 - ET INFO DYNAMIC_DNS HTTP Request to a *.ne-t .org domain (info.rules)
  • 2064115 - ET INFO DYNAMIC_DNS Query to a *.gotoenail .com domain (info.rules)
  • 2064116 - ET INFO DYNAMIC_DNS HTTP Request to a *.gotoenail .com domain (info.rules)
  • 2064117 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (irsdd .com) (exploit_kit.rules)
  • 2064118 - ET EXPLOIT_KIT LandUpdate808 Domain (irsdd .com) in TLS SNI (exploit_kit.rules)
  • 2064119 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (pfanaerstill .com) (exploit_kit.rules)
  • 2064120 - ET EXPLOIT_KIT LandUpdate808 Domain (pfanaerstill .com) in TLS SNI (exploit_kit.rules)
  • 2064121 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (togomwd .top) (malware.rules)
  • 2064122 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (togomwd .top) in TLS SNI (malware.rules)
  • 2064123 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (pfanaerstill .com) (exploit_kit.rules)
  • 2064124 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (irsdd .com) (exploit_kit.rules)
  • 2064125 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (pfanaerstill .com) (exploit_kit.rules)
  • 2064126 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (irsdd .com) (exploit_kit.rules)
  • 2064127 - ET HUNTING User-Agent Contains Custom String (Example/1.0) (hunting.rules)
  • 2064128 - ET HUNTING Microsoft Sharepoint SPXmlDataSource ASPX DataFile Fetch Inbound (CVE-2024-30043) (hunting.rules)
  • 2064129 - ET HUNTING Microsoft Sharepoint Deserialization RCE via SPThemes (CVE-2024-38018) (hunting.rules)

Pro:

  • 2864373 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom .tauetaepsilon .org) (malware.rules)
  • 2045623 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (files-dwn .shop) (malware.rules)
  • 2045627 - ET MALWARE SocGholish Domain in DNS Lookup (framework .rankinfiles .com) (malware.rules)
  • 2045635 - ET MALWARE SocGholish Domain in DNS Lookup (prototype .siliconvalleyga .com) (malware.rules)
  • 2045644 - ET MALWARE DNS Query to TA444 Domain (parallaxdigital .online) (malware.rules)
  • 2045645 - ET MALWARE DNS Query to TA444 Domain (myfirmdocument .online) (malware.rules)
  • 2045646 - ET MALWARE DNS Query to TA444 Domain (morganstanleycorp .co .uk) (malware.rules)
  • 2045647 - ET MALWARE DNS Query to TA444 Domain (docs-send .online) (malware.rules)
  • 2045648 - ET MALWARE DNS Query to TA444 Domain (cyberwalletsecurity .online) (malware.rules)
  • 2045649 - ET MALWARE DNS Query to TA444 Domain (drop-box .cloud) (malware.rules)
  • 2045650 - ET MALWARE DNS Query to TA444 Domain (gunosis .global) (malware.rules)
  • 2045651 - ET MALWARE DNS Query to TA444 Domain (altair-vc .info) (malware.rules)
  • 2045652 - ET MALWARE DNS Query to TA444 Domain (cryptyk .webredirect .org) (malware.rules)
  • 2045653 - ET MALWARE DNS Query to TA444 Domain (acuitykp .co) (malware.rules)
  • 2045654 - ET MALWARE DNS Query to TA444 Domain (doc .linkpc .net) (malware.rules)
  • 2045655 - ET MALWARE DNS Query to TA444 Domain (docsend .business) (malware.rules)
  • 2045656 - ET MALWARE DNS Query to TA444 Domain (werfaultserver .com) (malware.rules)
  • 2045662 - ET MALWARE DNS Query to TA444 Domain (cryptyk .online) (malware.rules)
  • 2045663 - ET MALWARE DNS Query to TA444 Domain (forumpatners .com) (malware.rules)
  • 2045664 - ET MALWARE DNS Query to TA444 Domain (autoupdatecheck .work .gd) (malware.rules)
  • 2045665 - ET MALWARE DNS Query to TA444 Domain (docsend-host .cloud) (malware.rules)
  • 2045666 - ET MALWARE DNS Query to TA444 Domain (hyperchaincapital .online) (malware.rules)
  • 2045667 - ET MALWARE DNS Query to TA444 Domain (j-ic .co .in) (malware.rules)
  • 2045668 - ET MALWARE DNS Query to TA444 Domain (docupload .site) (malware.rules)
  • 2045675 - ET MALWARE SocGholish Domain in DNS Lookup (product .sammyhallam .com) (malware.rules)
  • 2045676 - ET MALWARE SocGholish Domain in DNS Lookup (games .iglesiaelarca .org) (malware.rules)
  • 2045677 - ET MALWARE SocGholish Domain in DNS Lookup (support .newshoop .com) (malware.rules)
  • 2045678 - ET MALWARE SocGholish Domain in DNS Lookup (achievements .ritagamer .com) (malware.rules)
  • 2045679 - ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org) (malware.rules)
  • 2045680 - ET MALWARE TA444 Related Domain in DNS Lookup (cryptofundsresearch .com) (malware.rules)
  • 2045681 - ET MALWARE TA444 Related Domain in DNS Lookup (jobdescription .us .com) (malware.rules)
  • 2045682 - ET MALWARE TA444 Related Domain in DNS Lookup (cryptyk .info) (malware.rules)
  • 2045683 - ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .online) (malware.rules)
  • 2045684 - ET MALWARE TA444 Related Domain in DNS Lookup (bdcc .bio) (malware.rules)
  • 2045685 - ET MALWARE TA444 Related Domain in DNS Lookup (contractresearch .blog) (malware.rules)
  • 2045686 - ET MALWARE TA444 Related Domain in DNS Lookup (espcapital .co .in) (malware.rules)
  • 2045687 - ET MALWARE TA444 Related Domain in DNS Lookup (shared-document .cloud) (malware.rules)
  • 2045688 - ET MALWARE TA444 Related Domain in DNS Lookup (javarepo .net) (malware.rules)
  • 2045689 - ET MALWARE TA444 Related Domain in DNS Lookup (contract-research .blog) (malware.rules)
  • 2045690 - ET MALWARE TA444 Related Domain in DNS Lookup (gumi-cryptos .loan) (malware.rules)
  • 2045691 - ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .com) (malware.rules)
  • 2045692 - ET MALWARE TA444 Related Domain in DNS Lookup (smart-contracts .blog) (malware.rules)
  • 2045693 - ET MALWARE TA444 Related Domain in DNS Lookup (verifydocument .online) (malware.rules)
  • 2045695 - ET MALWARE DNS Query to SmokeLoader Domain (potunulit .org) (malware.rules)
  • 2045696 - ET MALWARE DNS Query to Glupteba Domain (geofaps .com) (malware.rules)
  • 2045697 - ET MALWARE DNS Query to Glupteba Domain (twopixis .com) (malware.rules)
  • 2045698 - ET MALWARE DNS Query to Glupteba Domain (cdneurops .health) (malware.rules)
  • 2045700 - ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz) (adware_pup.rules)
  • 2045701 - ET ADWARE_PUP DNS Query to Neoreklami (check-data .xyz) (adware_pup.rules)
  • 2045702 - ET ADWARE_PUP DNS Query to Neoreklami (vadimmqz .beget .tech) (adware_pup.rules)
  • 2045726 - ET MALWARE DNS Query to Gamaredon Domain (kahotepa .ru) (malware.rules)
  • 2045727 - ET MALWARE DNS Query to Gamaredon Domain (kaziyapa .ru) (malware.rules)
  • 2045728 - ET MALWARE DNS Query to Gamaredon Domain (OpenAsTextStream .zuberipa .ru) (malware.rules)
  • 2045729 - ET MALWARE DNS Query to Gamaredon Domain (80delay .dzhabaripa .ru) (malware.rules)
  • 2045730 - ET MALWARE DNS Query to Gamaredon Domain (71delay .dzhahipa .ru) (malware.rules)
  • 2045731 - ET MALWARE DNS Query to Gamaredon Domain (zaherpa .ru) (malware.rules)
  • 2045732 - ET MALWARE DNS Query to Gamaredon Domain (goruspa .ru) (malware.rules)
  • 2045733 - ET MALWARE DNS Query to Gamaredon Domain (iknatonpa .ru) (malware.rules)
  • 2045734 - ET MALWARE DNS Query to Gamaredon Domain (dzhahipa .ru) (malware.rules)
  • 2045735 - ET MALWARE DNS Query to Gamaredon Domain (dzhabaripa .ru) (malware.rules)
  • 2045736 - ET MALWARE DNS Query to Gamaredon Domain (zuberipa .ru) (malware.rules)
  • 2045771 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .accounting .bridgemastersllc .com) (malware.rules)
  • 2045772 - ET MALWARE DonotGroup Related Domain in DNS Lookup (lovebirdsshop .club) (malware.rules)
  • 2045773 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
  • 2045778 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
  • 2045780 - ET INFO Observed DNS Query to .win TLD (info.rules)
  • 2045795 - ET MALWARE SparkRAT Related Domain in DNS Lookup (gwekekccef .webull .day) (malware.rules)
  • 2045796 - ET MALWARE TA427 Related Domain in DNS Lookup (com-people .click) (malware.rules)
  • 2045797 - ET MALWARE TA427 Related Domain in DNS Lookup (com-price .space) (malware.rules)
  • 2045798 - ET MALWARE TA427 Related Domain in DNS Lookup (com-www .click) (malware.rules)
  • 2045799 - ET MALWARE TA427 Related Domain in DNS Lookup (com-def .asia) (malware.rules)
  • 2045800 - ET MALWARE TA427 Related Domain in DNS Lookup (com-otp .click) (malware.rules)
  • 2045801 - ET MALWARE TA427 Related Domain in DNS Lookup (de-file .online) (malware.rules)
  • 2045802 - ET MALWARE TA427 Related Domain in DNS Lookup (kr-me .click) (malware.rules)
  • 2045803 - ET MALWARE TA427 Related Domain in DNS Lookup (com-port .space) (malware.rules)
  • 2045804 - ET MALWARE TA427 Related Domain in DNS Lookup (cf-health .click) (malware.rules)
  • 2045805 - ET MALWARE TA427 Related Domain in DNS Lookup (kr-angry .click) (malware.rules)
  • 2045810 - ET MALWARE SocGholish Domain in DNS Lookup (vip .dueprocess .us) (malware.rules)
  • 2045811 - ET MALWARE SocGholish Domain in DNS Lookup (tube .saltminecomics .com) (malware.rules)
  • 2045812 - ET MALWARE SocGholish Domain in DNS Lookup (broadcast .ninemuses .io) (malware.rules)
  • 2045813 - ET MALWARE SocGholish Domain in DNS Lookup (commercial .tedgorka .com) (malware.rules)
  • 2045814 - ET MALWARE SocGholish Domain in DNS Lookup (forum .leewhitman-raymond .com) (malware.rules)
  • 2045815 - ET MALWARE SocGholish Domain in DNS Lookup (teaching .eduvisuo .com) (malware.rules)
  • 2045816 - ET MALWARE SocGholish Domain in DNS Lookup (round .macayafoundation .org) (malware.rules)
  • 2045818 - ET MALWARE SocGholish Domain in DNS Lookup (friends .foflib .org) (malware.rules)
  • 2045819 - ET MALWARE SocGholish Domain in DNS Lookup (training .defcon1 .us) (malware.rules)
  • 2045820 - ET MALWARE SocGholish Domain in DNS Lookup (assist .cabinetelcea .com) (malware.rules)
  • 2045843 - ET MALWARE SocGholish Domain in DNS Lookup (booty .midatlanticlaw .org) (malware.rules)
  • 2045844 - ET MALWARE SocGholish Domain in DNS Lookup (internal .metro1properties .us) (malware.rules)
  • 2045849 - ET MALWARE DNS Query to Cobalt Strike Domain (iconnectgs .com) (malware.rules)
  • 2045850 - ET MALWARE DNS Query to Cobalt Strike Domain (aicsoftware .com) (malware.rules)
  • 2045851 - ET MALWARE DNS Query to IcedID Domain (kicknocisd .com) (malware.rules)
  • 2045852 - ET MALWARE DNS Query to IcedID Domain (guaracheza .pics) (malware.rules)
  • 2045853 - ET MALWARE DNS Query to IcedID Domain (curabiebarristie .com) (malware.rules)
  • 2045854 - ET MALWARE DNS Query to IcedID Domain (simipimi .com) (malware.rules)
  • 2045855 - ET MALWARE DNS Query to IcedID Domain (belliecow .wiki) (malware.rules)
  • 2045856 - ET MALWARE DNS Query to IcedID Domain (stayersa .art) (malware.rules)
  • 2045861 - ET MALWARE SocGholish Domain in DNS Lookup (initiatives .ayitiexpo .com) (malware.rules)
  • 2045862 - ET MALWARE SocGholish Domain in DNS Lookup (reporting .theamericasfashionfest .com) (malware.rules)
  • 2045863 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .offer .rpacxtaxappeal .com) (malware.rules)
  • 2045870 - ET MALWARE SocGholish Domain in DNS Lookup (strategy .transversalgroup .co) (malware.rules)
  • 2045875 - ET MALWARE SocGholish Domain in DNS Lookup (enterprise .alliantlaw .us) (malware.rules)
  • 2045876 - ET MALWARE SocGholish Domain in DNS Lookup (sapphire .abogados .services) (malware.rules)
  • 2045877 - ET MALWARE SocGholish Domain in DNS Lookup (exclusive .transversalbranding .com) (malware.rules)
  • 2045878 - ET MALWARE SocGholish Domain in DNS Lookup (archives .finanpress .com) (malware.rules)
  • 2045970 - ET MALWARE SocGholish Domain in DNS Lookup (deploy .vanquicktech .com) (malware.rules)
  • 2045971 - ET MALWARE SocGholish Domain in DNS Lookup (practices .bodyandsoulmassage .com) (malware.rules)
  • 2045973 - ET WEB_CLIENT Suspected Credit Card Stealer Related Domain Domain in DNS Lookup (byvlsa .com) (web_client.rules)
  • 2045978 - ET MALWARE SocGholish Domain in DNS Lookup (background .bodyguardchicago .com) (malware.rules)
  • 2045979 - ET MALWARE SocGholish Domain in DNS Lookup (hardware .deltavis .com) (malware.rules)
  • 2045980 - ET MALWARE SocGholish Domain in DNS Lookup (masterclass .teamupnetwork .org) (malware.rules)
  • 2046067 - ET MALWARE SocGholish Domain in DNS Lookup (failure .mathgeniusa .com) (malware.rules)
  • 2046068 - ET MALWARE SocGholish Domain in DNS Lookup (static .laytonroadconstruction .com) (malware.rules)
  • 2046069 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .nodes .gammalambdalambda .org) (malware.rules)
  • 2046098 - ET MALWARE SocGholish Domain in DNS Lookup (stockroom .baybeboutiquellc .com) (malware.rules)
  • 2046099 - ET MALWARE SocGholish Domain in DNS Lookup (collaboration .porchlightcs .org) (malware.rules)
  • 2046100 - ET MALWARE SocGholish Domain in DNS Lookup (prepare .dawarel3mda .com) (malware.rules)
  • 2046101 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .smartmetereducationnetwork .com) (malware.rules)
  • 2046102 - ET MALWARE SocGholish Domain in DNS Lookup (reception .q-dent .com) (malware.rules)
  • 2046130 - ET MALWARE SocGholish Domain in DNS Lookup (templates .jdlaytongrademaker .com) (malware.rules)
  • 2046174 - ET MALWARE SocGholish Domain in DNS Lookup (roadmap .jufp .com) (malware.rules)
  • 2854535 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854537 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854547 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854555 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854557 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854570 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854571 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854584 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854587 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854602 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854610 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2855032 - ETPRO PHISHING Phishing Domain in DNS Lookup (phishing.rules)