Ruleset Update Summary - 2025/08/26 - v11001

Summary:

20 new OPEN, 35 new PRO (20 + 15)
Added rules:

Open:

  • 2064153 - ET WEB_SPECIFIC_APPS VTENext Authentication Bypass via Reflected Cross-Site Scripting in HomeWidgetBlockList Module M1 (web_specific_apps.rules)
  • 2064154 - ET WEB_SPECIFIC_APPS VTENext Authentication Bypass via Reflected Cross-Site Scripting in HomeWidgetBlockList Module M2 (web_specific_apps.rules)
  • 2064155 - ET WEB_SPECIFIC_APPS VTENext Session Cookie Information Disclosure via Touch Module (web_specific_apps.rules)
  • 2064156 - ET WEB_SPECIFIC_APPS VTENext SQL Injection via Fax Module (web_specific_apps.rules)
  • 2064157 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Settings Module via fld_module Parameter (web_specific_apps.rules)
  • 2064158 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Calendar Module via file Parameter (web_specific_apps.rules)
  • 2064159 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Calendar Module via subfile Parameter (web_specific_apps.rules)
  • 2064160 - ET INFO DYNAMIC_DNS Query to a *.miguelrsilva .com domain (info.rules)
  • 2064161 - ET INFO DYNAMIC_DNS HTTP Request to a *.miguelrsilva .com domain (info.rules)
  • 2064162 - ET INFO DYNAMIC_DNS Query to a *.kalinnikova .com domain (info.rules)
  • 2064163 - ET INFO DYNAMIC_DNS HTTP Request to a *.kalinnikova .com domain (info.rules)
  • 2064164 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (bernnaum .com) (exploit_kit.rules)
  • 2064165 - ET EXPLOIT_KIT LandUpdate808 Domain (bernnaum .com) in TLS SNI (exploit_kit.rules)
  • 2064166 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cursilibim .ru) (malware.rules)
  • 2064167 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cursilibim .ru) in TLS SNI (malware.rules)
  • 2064168 - ET WEB_SPECIFIC_APPS Commvault Code Injection via User description Property (web_specific_apps.rules)
  • 2064169 - ET WEB_SPECIFIC_APPS Commvault Authenticated Remote Code Execution via QCommand Path Traversal (WT-2025-0049) (web_specific_apps.rules)
  • 2064170 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (es .montreallimosvip .com) (malware.rules)
  • 2064171 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (es .montreallimosvip .com) (malware.rules)
  • 2064172 - ET WEB_SPECIFIC_APPS Commvault Hardcoded Credentials (WT-2025-0047) (web_specific_apps.rules)

Pro:

  • 2864398 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864399 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864400 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864401 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864403 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864404 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864405 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864406 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864407 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864408 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864409 - ETPRO MALWARE Observed DNS Query to SendedMessage Domain (malware.rules)
  • 2864410 - ETPRO MALWARE Observed SendedMessage Domain in TLS SNI (malware.rules)
  • 2864411 - ETPRO MALWARE SendedMessage CnC Activity - Stage 2 GET Request (malware.rules)
  • 2864412 - ETPRO MALWARE SendedMessage CnC Checkin (message=sended) (malware.rules)

Modified inactive rules:

  • 2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
  • 2043158 - ET MALWARE SocGholish Domain in DNS Lookup (canonical .fmunews .com) (malware.rules)
  • 2043159 - ET MALWARE SocGholish Domain in DNS Lookup (kinematics .starmidwest .com) (malware.rules)
  • 2043160 - ET MALWARE SocGholish Domain in DNS Lookup (passphrase .singinganewsong .com) (malware.rules)
  • 2043176 - ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in TLS SNI (phishing.rules)
  • 2043230 - ET MALWARE Win32/Youtube Bot - CnC Checkin (malware.rules)
  • 2043241 - ET MALWARE DNS Query to Fake TeamViewer Domain (coldcreekranch .com) (malware.rules)
  • 2043242 - ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com) (malware.rules)
  • 2043243 - ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com) (malware.rules)
  • 2043244 - ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online) (malware.rules)
  • 2043245 - ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online) (malware.rules)
  • 2043248 - ET MALWARE Vidar Stealer IP Address in DNS Query Response (malware.rules)
  • 2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)
  • 2043255 - ET PHISHING Observed Phishing Domain in DNS Lookup (circle-ci .com) (phishing.rules)
  • 2043264 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043265 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043266 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043267 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043268 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043269 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043270 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043271 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043276 - ET MALWARE Observed IcedID Domain in DNS Lookup (bayernbadabum .com) (malware.rules)
  • 2043278 - ET MALWARE Observed DNS Query to TA444/Lazarus Domain (concrecapital .com) (malware.rules)
  • 2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
  • 2043297 - ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh) (malware.rules)
  • 2043304 - ET INFO Suspicious Large HTTP Header Key Observed - Possible Exploit Activity (info.rules)
  • 2043307 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (magento-cdn .net) (malware.rules)
  • 2043309 - ET MALWARE Observed DNS Query to Mirai Domain (miraistealer .xyz) (malware.rules)
  • 2043391 - ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com) (malware.rules)
  • 2043393 - ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com) (malware.rules)
  • 2043396 - ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com) (malware.rules)
  • 2043399 - ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop) (malware.rules)
  • 2043402 - ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club) (malware.rules)
  • 2043403 - ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics) (malware.rules)
  • 2043405 - ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org) (malware.rules)
  • 2043406 - ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI) (malware.rules)
  • 2043422 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .betting .cockroachracing .site) (malware.rules)
  • 2043456 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .market .dentureforfree .online) (malware.rules)
  • 2043457 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rendezvous .tophandsome .gay) (malware.rules)
  • 2043458 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .signing .unitynotarypublic .com) (malware.rules)
  • 2043783 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (sagutxustech .com) (info.rules)
  • 2043837 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns1 .luan .contact) (info.rules)
  • 2061305 - ET WEB_SPECIFIC_APPS Apache Pinot Authentication Bypass (CVE-2024-56325) (web_specific_apps.rules)
  • 2853019 - ETPRO PHISHING Observed DNS Query to DomBox Phishing Domain (2023-01-06) (phishing.rules)
  • 2853034 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
  • 2853035 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
  • 2853060 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M1 (hunting.rules)
  • 2853061 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M2 (hunting.rules)
  • 2853063 - ETPRO HUNTING Possible PowerShell Inbound - Char Concat Obfuscation (hunting.rules)
  • 2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
  • 2853735 - ETPRO EXPLOIT Inbound Fragmented ICMP Flood - Possible Exploit Activity (CVE-2023-23415) (exploit.rules)