Ruleset Update Summary - 2025/08/28 - v11003

Ruleset Updates
1

Summary:

21 new OPEN, 28 new PRO (21 + 7)

Thanks @IBMSecurity

Added rules:

Open:

  • 2064191 - ET INFO Observed DNS Query to File Sharing Domain (scalingo .io) (info.rules)
  • 2064192 - ET INFO Observed File Sharing Domain (scalingo .io in TLS SNI) (info.rules)
  • 2064193 - ET INFO DYNAMIC_DNS Query to a *.conyser .cl domain (info.rules)
  • 2064194 - ET INFO DYNAMIC_DNS HTTP Request to a *.conyser .cl domain (info.rules)
  • 2064195 - ET INFO DYNAMIC_DNS Query to a *.paulinhoimoveis .com domain (info.rules)
  • 2064196 - ET INFO DYNAMIC_DNS HTTP Request to a *.paulinhoimoveis .com domain (info.rules)
  • 2064197 - ET MALWARE CastleLoader Bot Download (GET) (malware.rules)
  • 2064198 - ET INFO BusyBox Banner Observed (info.rules)
  • 2064199 - ET WEB_SPECIFIC_APPS D-Link service.cgi EVENT Parameter Command Injection Attempt (CVE-2018-25115) (web_specific_apps.rules)
  • 2064200 - ET WEB_SPECIFIC_APPS Wangshen authManageSet.cgi type Parameter Information Leak Attempt (CVE-2023-7308) (web_specific_apps.rules)
  • 2064201 - ET WEB_SPECIFIC_APPS Linksys linsetIpv6 tunrd_Prefix Parameter Buffer Overflow Attempt (CVE-2025-9481) (web_specific_apps.rules)
  • 2064202 - ET WEB_SPECIFIC_APPS Linksys portRangeForwardAdd Multiple Parameters Buffer Overflow Attempt (CVE-2025-9482) (web_specific_apps.rules)
  • 2064203 - ET WEB_SPECIFIC_APPS Tenda Auth Password Parameter Buffer Overflow Attempt (CVE-2025-57217) (web_specific_apps.rules)
  • 2064204 - ET WEB_SPECIFIC_APPS Tenda WifiBasicSet security_5g Parameter Buffer Overflow Attempt (CVE-2025-57218) (web_specific_apps.rules)
  • 2064205 - ET MALWARE CastleLoader User-Agent Observed (GoogBot) (malware.rules)
  • 2064206 - ET WEB_SPECIFIC_APPS Linksys ssid1MACFilter apselect_0 Parameter Command Injection Attempt (CVE-2025-5447) (web_specific_apps.rules)
  • 2064207 - ET MALWARE CastleBot CnC Checkin - Task Complete (malware.rules)
  • 2064208 - ET MALWARE CastleBot CnC Exfil (POST) (malware.rules)
  • 2064209 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (files .taxibleapp .com) (malware.rules)
  • 2064210 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (files .taxibleapp .com) (malware.rules)
  • 2064211 - ET HUNTING GET Request to steamcommunity .com With Minimal Headers - Common With InfoStealers (hunting.rules)

Pro:

  • 2864415 - ETPRO PHISHING Outsider Phish Kit Landing Page M1 2025-08-25 (phishing.rules)
  • 2864416 - ETPRO PHISHING Outsider Phish Kit Landing Page M2 2025-08-25 (phishing.rules)
  • 2864417 - ETPRO PHISHING Outsider Phish Kit Landing Page M3 2025-08-25 (phishing.rules)
  • 2864418 - ETPRO PHISHING Outsider Phish Kit User Profiling M1 2025-08-25 (phishing.rules)
  • 2864419 - ETPRO PHISHING Outsider Phish Kit Landing Page M4 2025-08-25 (phishing.rules)
  • 2864420 - ETPRO PHISHING Outsider Phish Kit User Profiling M2 2025-08-25 (phishing.rules)
  • 2864421 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2039430 - ET PHISHING Observed DNS Query to Phishing Domain (ficosha .com) (phishing.rules)
  • 2039442 - ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com) (malware.rules)
  • 2039443 - ET MALWARE SocGholish Domain in DNS Lookup (malware.rules)
  • 2039444 - ET MALWARE SocGholish CnC Domain in DNS Lookup (malware.rules)
  • 2039476 - ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup (malware.rules)
  • 2039477 - ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup (malware.rules)
  • 2039484 - ET MALWARE SocGholish CnC Domain in DNS Lookup (discover .jsfconnections .com) (malware.rules)
  • 2039488 - ET INFO Faelix DNS Over HTTPS Certificate Inbound (info.rules)
  • 2039510 - ET MALWARE SocGholish Domain in DNS Lookup (chess .north-atlantic .com) (malware.rules)
  • 2039597 - ET MALWARE SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) (malware.rules)
  • 2039603 - ET MALWARE JS/AlterSave Skimmer Payload Inbound M1 (malware.rules)
  • 2039606 - ET MALWARE Malicious Doc CnC Domain (e-demarches .kodeo .ch) in DNS Lookup (malware.rules)
  • 2039617 - ET MALWARE SocGholish Domain in DNS Lookup (squad .incumetrics .com) (malware.rules)
  • 2039620 - ET MALWARE SocGholish Domain in DNS Lookup (myfood .silverspringfoodproject .org) (malware.rules)
  • 2039622 - ET MALWARE Python Library Backdoor Domain (wasp .plague .fun) in DNS Lookup (malware.rules)
  • 2039623 - ET MALWARE SocGholish Domain in DNS Lookup (podcasts .momsgrabcoffee .com) (malware.rules)
  • 2039625 - ET MALWARE Observed DNS Query to Ursnif Domain (lionnik .xyz) (malware.rules)
  • 2039627 - ET MALWARE Observed DNS Query to Ursnif Domain (astope .xyz) (malware.rules)
  • 2039628 - ET MALWARE Observed DNS Query to Ursnif Domain (mamount .cyou) (malware.rules)
  • 2039629 - ET MALWARE Observed DNS Query to Ursnif Domain (pinki .cyou) (malware.rules)
  • 2039630 - ET MALWARE Observed DNS Query to Ursnif Domain (daydayvin .xyz) (malware.rules)
  • 2039631 - ET MALWARE Observed DNS Query to Ursnif Domain (kidup .xyz) (malware.rules)
  • 2039632 - ET MALWARE Observed DNS Query to Ursnif Domain (damnater .com) (malware.rules)
  • 2039633 - ET MALWARE Observed DNS Query to Ursnif Domain (minotos .xyz) (malware.rules)
  • 2039634 - ET MALWARE Observed DNS Query to Ursnif Domain (isteros .com) (malware.rules)
  • 2039635 - ET MALWARE Observed DNS Query to Ursnif Domain (dodstep .cyou) (malware.rules)
  • 2039636 - ET MALWARE Observed DNS Query to Ursnif Domain (logotep .xyz) (malware.rules)
  • 2039637 - ET MALWARE Observed DNS Query to Ursnif Domain (higmon .cyou) (malware.rules)
  • 2039638 - ET MALWARE Observed DNS Query to Ursnif Domain (gigiman .xyz) (malware.rules)
  • 2039639 - ET MALWARE Observed DNS Query to Ursnif Domain (fineg .xyz) (malware.rules)
  • 2039640 - ET MALWARE Observed DNS Query to Ursnif Domain (pipap .xyz) (malware.rules)
  • 2039641 - ET MALWARE Observed DNS Query to Ursnif Domain (prises .cyou) (malware.rules)
  • 2039642 - ET MALWARE Observed DNS Query to Ursnif Domain (binchfog .xyz) (malware.rules)
  • 2039643 - ET MALWARE Observed DNS Query to Ursnif Domain (gigeram .com) (malware.rules)
  • 2039644 - ET MALWARE Observed DNS Query to Ursnif Domain (mainwog .xyz) (malware.rules)
  • 2039645 - ET MALWARE Observed DNS Query to Ursnif Domain (gigimas .xyz) (malware.rules)
  • 2039646 - ET MALWARE Observed DNS Query to Ursnif Domain (tornton .xyz) (malware.rules)
  • 2039647 - ET MALWARE Observed DNS Query to Ursnif Domain (dodsman .com) (malware.rules)
  • 2039648 - ET MALWARE Observed DNS Query to Ursnif Domain (rorfog .com) (malware.rules)
  • 2039649 - ET MALWARE Observed DNS Query to Ursnif Domain (reaso .xyz) (malware.rules)
  • 2039650 - ET MALWARE Observed DNS Query to Ursnif Domain (giantos .xyz) (malware.rules)
  • 2039651 - ET MALWARE Observed Ursnif Domain in TLS SNI (lionnik .xyz) (malware.rules)
  • 2039652 - ET MALWARE Observed Ursnif Domain in TLS SNI (fishenddog .xyz) (malware.rules)
  • 2039653 - ET MALWARE Observed Ursnif Domain in TLS SNI (astope .xyz) (malware.rules)
  • 2039654 - ET MALWARE Observed Ursnif Domain in TLS SNI (mamount .cyou) (malware.rules)
  • 2039655 - ET MALWARE Observed Ursnif Domain in TLS SNI (pinki .cyou) (malware.rules)
  • 2039656 - ET MALWARE Observed Ursnif Domain in TLS SNI (daydayvin .xyz) (malware.rules)
  • 2039657 - ET MALWARE Observed Ursnif Domain in TLS SNI (kidup .xyz) (malware.rules)
  • 2039658 - ET MALWARE Observed Ursnif Domain in TLS SNI (damnater .com) (malware.rules)
  • 2039659 - ET MALWARE Observed Ursnif Domain in TLS SNI (minotos .xyz) (malware.rules)
  • 2039660 - ET MALWARE Observed Ursnif Domain in TLS SNI (isteros .com) (malware.rules)
  • 2039661 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodstep .cyou) (malware.rules)
  • 2039662 - ET MALWARE Observed Ursnif Domain in TLS SNI (logotep .xyz) (malware.rules)
  • 2039663 - ET MALWARE Observed Ursnif Domain in TLS SNI (higmon .cyou) (malware.rules)
  • 2039664 - ET MALWARE Observed Ursnif Domain in TLS SNI (vavilgo .xyz) (malware.rules)
  • 2039665 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigiman .xyz) (malware.rules)
  • 2039666 - ET MALWARE Observed Ursnif Domain in TLS SNI (fineg .xyz) (malware.rules)
  • 2039667 - ET MALWARE Observed Ursnif Domain in TLS SNI (pipap .xyz) (malware.rules)
  • 2039668 - ET MALWARE Observed Ursnif Domain in TLS SNI (prises .cyou) (malware.rules)
  • 2039669 - ET MALWARE Observed Ursnif Domain in TLS SNI (binchfog .xyz) (malware.rules)
  • 2039670 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigeram .com) (malware.rules)
  • 2039671 - ET MALWARE Observed Ursnif Domain in TLS SNI (mainwog .xyz) (malware.rules)
  • 2039672 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigimas .xyz) (malware.rules)
  • 2039673 - ET MALWARE Observed Ursnif Domain in TLS SNI (fingerpin .cyou) (malware.rules)
  • 2039674 - ET MALWARE Observed Ursnif Domain in TLS SNI (tornton .xyz) (malware.rules)
  • 2039675 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodsman .com) (malware.rules)
  • 2039676 - ET MALWARE Observed Ursnif Domain in TLS SNI (rorfog .com) (malware.rules)
  • 2039677 - ET MALWARE Observed Ursnif Domain in TLS SNI (reaso .xyz) (malware.rules)
  • 2039678 - ET MALWARE Observed Ursnif Domain in TLS SNI (giantos .xyz) (malware.rules)
  • 2039688 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039689 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039690 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039691 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039692 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039693 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039694 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039695 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039696 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039697 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039698 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039699 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039700 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039701 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039702 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039703 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039704 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039705 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039706 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039707 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039708 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039709 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039710 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039711 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039712 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039713 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039714 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2039738 - ET MALWARE ROMCOM RAT CnC Domain (you-supported .com) in DNS Lookup (malware.rules)
  • 2039741 - ET MALWARE Kutaki Stealer CnC Domain (terebinnahicc .club) in DNS Lookup (malware.rules)
  • 2039742 - ET MALWARE Kutaki Stealer CnC Domain (treysbeatend .com) in DNS Lookup (malware.rules)
  • 2039744 - ET MALWARE ChromeLoader CnC Domain (istakechau .autos) in DNS Lookup (malware.rules)
  • 2039745 - ET MALWARE ChromeLoader CnC Domain (imenttogethe .xyz) in DNS Lookup (malware.rules)
  • 2039750 - ET MALWARE APT36/TransparentTribe CnC Domain (richa-sharma .ddns .net) in DNS Lookup (malware.rules)
  • 2039751 - ET MALWARE SocGholish Domain in DNS Lookup (course .netpickstrading .com) (malware.rules)
  • 2039752 - ET MALWARE SocGholish CnC Domain in DNS Lookup (campaign .tworiversboat .com) (malware.rules)
  • 2039753 - ET INFO Observed File Sharing Service (docdroid .net) in DNS Lookup (info.rules)
  • 2039757 - ET MALWARE SocGholish Domain in DNS Lookup (automatic .tworiversboats .com) (malware.rules)
  • 2039758 - ET MALWARE JS/Cloud9 Domain (download .loginserv .net) in DNS Lookup (malware.rules)
  • 2039759 - ET MALWARE JS/Cloud9 Domain (cloud-miner .de) in DNS Lookup (malware.rules)
  • 2039760 - ET MALWARE JS/Cloud9 Domain (zmsp .top) in DNS Lookup (malware.rules)
  • 2039761 - ET MALWARE JS/Cloud9 Domain (download .agency) in DNS Lookup (malware.rules)
  • 2039766 - ET MALWARE SocGholish CnC Domain in DNS Lookup (rate .coinangel .online) (malware.rules)
  • 2039767 - ET MALWARE APT41 CnC Domain (www .affice366 .com) in DNS Lookup (malware.rules)
  • 2039768 - ET MALWARE APT41 CnC Domain (c .ymvh8w5 .xyz) in DNS Lookup (malware.rules)
  • 2039769 - ET MALWARE APT41 CnC Domain (www .vietsovspeedtest .com) in DNS Lookup (malware.rules)
  • 2039770 - ET MALWARE IceXLoader CnC Domain (stealthelite .one) in DNS Lookup (malware.rules)
  • 2039771 - ET MALWARE IceXLoader CnC Domain (www .filifilm .com .br) in DNS Lookup (malware.rules)
  • 2039773 - ET MALWARE CloudAtlas Related Domain in DNS Lookup (protocol-list .com) (malware.rules)
  • 2039780 - ET MALWARE SocGholish Domain in DNS Lookup (community .backpacktrader .com) (malware.rules)
  • 2039781 - ET MALWARE TA569 Domain in DNS Lookup (friscomusicgroup .com) (malware.rules)
  • 2039787 - ET MOBILE_MALWARE Android/RatMilad CnC Domain (api .numrent .shop) in DNS Lookup (mobile_malware.rules)
  • 2039788 - ET MALWARE SocGholish Domain in DNS Lookup (casting .austinonline .shop) (malware.rules)
  • 2039789 - ET MALWARE SocGholish Domain in DNS Lookup (collapse .tradingiswar .com) (malware.rules)
  • 2039790 - ET MALWARE SocGholish Domain in DNS Lookup (founder .carflower .pics) (malware.rules)
  • 2039791 - ET MALWARE SocGholish Domain in DNS Lookup (travel .dianatokaji .com) (malware.rules)
  • 2039792 - ET MALWARE SocGholish CnC Domain in DNS Lookup (diary .lojjh .com) (malware.rules)
  • 2039798 - ET MALWARE SocGholish Domain in DNS Lookup (factors .djbel .com) (malware.rules)
  • 2039802 - ET MALWARE Kimsuky CnC Domain (jojoa .mypressonline .com) Observed in DNS Query (malware.rules)
  • 2039803 - ET MALWARE Kimsuky CnC Domain (okihs .mypressonline .com) Observed in DNS Query (malware.rules)
  • 2039806 - ET MALWARE Maldoc Related Domain in DNS Lookup (malware.rules)
  • 2039829 - ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup (mobile_malware.rules)
  • 2039831 - ET MALWARE SocGholish Domain in DNS Lookup (montage .travelguidediva .com) (malware.rules)
  • 2041133 - ET MALWARE Octopus Energy Themed Trojan CnC Domain (docusign-octopus-energy .com) in DNS Lookup (malware.rules)
  • 2041661 - ET MALWARE Observed DNS Query to AppleJeus Domain (rebelthumb .net) (malware.rules)
  • 2041663 - ET MALWARE Observed DNS Query to AppleJeus Domain (bloxholder .com) (malware.rules)
  • 2041671 - ET MALWARE Observed DNS Query to XWORM RAT Domain (esteticamarbai .es) (malware.rules)
  • 2041716 - ET PHISHING Observed Phish Domain in DNS Lookup (snocprojectuae .com) 2022-12-05 (phishing.rules)
  • 2041732 - ET PHISHING Observed Phish Domain in DNS Lookup (consultant-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041739 - ET PHISHING Observed Phish Domain in DNS Lookup (contractors-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041758 - ET PHISHING Observed Phish Domain in DNS Lookup (biddings-enoc .com) 2022-12-05 (phishing.rules)
  • 2041761 - ET PHISHING Observed Phish Domain in DNS Lookup (arabianmigration .com) 2022-12-05 (phishing.rules)
  • 2041765 - ET PHISHING Observed Phish Domain in DNS Lookup (harvesttravelagency .com) 2022-12-05 (phishing.rules)
  • 2041770 - ET PHISHING Observed Phish Domain in DNS Lookup (ahaliahospitalae .com) 2022-12-05 (phishing.rules)
  • 2852660 - ETPRO MALWARE TA4563 Domain in DNS Lookup (malware.rules)
  • 2852661 - ETPRO MALWARE TA4563 Domain in DNS Lookup (malware.rules)
  • 2852662 - ETPRO MALWARE TA4563 Domain in DNS Lookup (malware.rules)
  • 2852663 - ETPRO MALWARE Suspected TA463 Domain in DNS Lookup (malware.rules)
  • 2852664 - ETPRO MALWARE Suspected TA463 Domain in DNS Lookup (malware.rules)
  • 2852665 - ETPRO MALWARE Suspected TA463 Domain in DNS Lookup (malware.rules)
  • 2852769 - ETPRO PHISHING Microsoft OneDrive Phishing Domain (mycourier .email) in DNS Lookup (phishing.rules)
  • 2852770 - ETPRO PHISHING Observed Microsoft OneDrive Phishing Domain (mycourier .email) in TLS SNI (phishing.rules)
  • 2852832 - ETPRO MALWARE Phishing Domain in DNS Lookup (malware.rules)
  • 2853062 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (StringChar) M1 (hunting.rules)