Ruleset Update Summary - 2025/08/26 - v11001

rulesbot · August 26, 2025, 9:13pm

Summary:

20 new OPEN, 35 new PRO (20 + 15)

Added rules:

Open:

2064153 - ET WEB_SPECIFIC_APPS VTENext Authentication Bypass via Reflected Cross-Site Scripting in HomeWidgetBlockList Module M1 (web_specific_apps.rules)
2064154 - ET WEB_SPECIFIC_APPS VTENext Authentication Bypass via Reflected Cross-Site Scripting in HomeWidgetBlockList Module M2 (web_specific_apps.rules)
2064155 - ET WEB_SPECIFIC_APPS VTENext Session Cookie Information Disclosure via Touch Module (web_specific_apps.rules)
2064156 - ET WEB_SPECIFIC_APPS VTENext SQL Injection via Fax Module (web_specific_apps.rules)
2064157 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Settings Module via fld_module Parameter (web_specific_apps.rules)
2064158 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Calendar Module via file Parameter (web_specific_apps.rules)
2064159 - ET WEB_SPECIFIC_APPS VTENext Local File Inclusion in Calendar Module via subfile Parameter (web_specific_apps.rules)
2064160 - ET INFO DYNAMIC_DNS Query to a *.miguelrsilva .com domain (info.rules)
2064161 - ET INFO DYNAMIC_DNS HTTP Request to a *.miguelrsilva .com domain (info.rules)
2064162 - ET INFO DYNAMIC_DNS Query to a *.kalinnikova .com domain (info.rules)
2064163 - ET INFO DYNAMIC_DNS HTTP Request to a *.kalinnikova .com domain (info.rules)
2064164 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (bernnaum .com) (exploit_kit.rules)
2064165 - ET EXPLOIT_KIT LandUpdate808 Domain (bernnaum .com) in TLS SNI (exploit_kit.rules)
2064166 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cursilibim .ru) (malware.rules)
2064167 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cursilibim .ru) in TLS SNI (malware.rules)
2064168 - ET WEB_SPECIFIC_APPS Commvault Code Injection via User description Property (web_specific_apps.rules)
2064169 - ET WEB_SPECIFIC_APPS Commvault Authenticated Remote Code Execution via QCommand Path Traversal (WT-2025-0049) (web_specific_apps.rules)
2064170 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (es .montreallimosvip .com) (malware.rules)
2064171 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (es .montreallimosvip .com) (malware.rules)
2064172 - ET WEB_SPECIFIC_APPS Commvault Hardcoded Credentials (WT-2025-0047) (web_specific_apps.rules)

Pro:

2864398 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2864399 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2864400 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2864401 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2864402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2864403 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2864404 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2864405 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2864406 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2864407 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2864408 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2864409 - ETPRO MALWARE Observed DNS Query to SendedMessage Domain (malware.rules)
2864410 - ETPRO MALWARE Observed SendedMessage Domain in TLS SNI (malware.rules)
2864411 - ETPRO MALWARE SendedMessage CnC Activity - Stage 2 GET Request (malware.rules)
2864412 - ETPRO MALWARE SendedMessage CnC Checkin (message=sended) (malware.rules)

Modified inactive rules:

2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
2043158 - ET MALWARE SocGholish Domain in DNS Lookup (canonical .fmunews .com) (malware.rules)
2043159 - ET MALWARE SocGholish Domain in DNS Lookup (kinematics .starmidwest .com) (malware.rules)
2043160 - ET MALWARE SocGholish Domain in DNS Lookup (passphrase .singinganewsong .com) (malware.rules)
2043176 - ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in TLS SNI (phishing.rules)
2043230 - ET MALWARE Win32/Youtube Bot - CnC Checkin (malware.rules)
2043241 - ET MALWARE DNS Query to Fake TeamViewer Domain (coldcreekranch .com) (malware.rules)
2043242 - ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com) (malware.rules)
2043243 - ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com) (malware.rules)
2043244 - ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online) (malware.rules)
2043245 - ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online) (malware.rules)
2043248 - ET MALWARE Vidar Stealer IP Address in DNS Query Response (malware.rules)
2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)
2043255 - ET PHISHING Observed Phishing Domain in DNS Lookup (circle-ci .com) (phishing.rules)
2043264 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043265 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043266 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043267 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043268 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043269 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043270 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043271 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043276 - ET MALWARE Observed IcedID Domain in DNS Lookup (bayernbadabum .com) (malware.rules)
2043278 - ET MALWARE Observed DNS Query to TA444/Lazarus Domain (concrecapital .com) (malware.rules)
2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
2043297 - ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh) (malware.rules)
2043304 - ET INFO Suspicious Large HTTP Header Key Observed - Possible Exploit Activity (info.rules)
2043307 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (magento-cdn .net) (malware.rules)
2043309 - ET MALWARE Observed DNS Query to Mirai Domain (miraistealer .xyz) (malware.rules)
2043391 - ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com) (malware.rules)
2043393 - ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com) (malware.rules)
2043396 - ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com) (malware.rules)
2043399 - ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop) (malware.rules)
2043402 - ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club) (malware.rules)
2043403 - ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics) (malware.rules)
2043405 - ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org) (malware.rules)
2043406 - ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI) (malware.rules)
2043422 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .betting .cockroachracing .site) (malware.rules)
2043456 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .market .dentureforfree .online) (malware.rules)
2043457 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rendezvous .tophandsome .gay) (malware.rules)
2043458 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .signing .unitynotarypublic .com) (malware.rules)
2043783 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (sagutxustech .com) (info.rules)
2043837 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns1 .luan .contact) (info.rules)
2061305 - ET WEB_SPECIFIC_APPS Apache Pinot Authentication Bypass (CVE-2024-56325) (web_specific_apps.rules)
2853019 - ETPRO PHISHING Observed DNS Query to DomBox Phishing Domain (2023-01-06) (phishing.rules)
2853034 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
2853035 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
2853060 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M1 (hunting.rules)
2853061 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M2 (hunting.rules)
2853063 - ETPRO HUNTING Possible PowerShell Inbound - Char Concat Obfuscation (hunting.rules)
2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
2853735 - ETPRO EXPLOIT Inbound Fragmented ICMP Flood - Possible Exploit Activity (CVE-2023-23415) (exploit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/07/18 - v10374 Ruleset Updates	232	July 18, 2023
Ruleset Update Summary - 2024/12/17 - v10809 Ruleset Updates	105	December 17, 2024
Ruleset Update Summary - 2023/04/20 - v10303 Ruleset Updates	350	April 20, 2023
Ruleset Update Summary - 2024/09/24 - v10702 Ruleset Updates	139	September 24, 2024
Ruleset Update Summary - 2024/09/25 - v10703 Ruleset Updates	114	September 25, 2024

Ruleset Update Summary - 2025/08/26 - v11001

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics