Ruleset Update Summary - 2025/09/01 - v11005

Ruleset Updates
1

Summary:

0 new OPEN, 0 new PRO (0 + 0)

Modified inactive rules:

  • 2037789 - ET MALWARE JS.SocGholish CnC Activity (POST) (malware.rules)
  • 2037795 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (crossfity .com) (malware.rules)
  • 2037797 - ET MALWARE APT29/CloakedUrsa Google Drive Authentication (POST) (malware.rules)
  • 2037798 - ET MALWARE HTML/TrojanDropper.Agent.T Payload Inbound (malware.rules)
  • 2037807 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037808 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037815 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (onlypirate .top) (malware.rules)
  • 2037816 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (letmaker .top) (malware.rules)
  • 2037823 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037824 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037825 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037848 - ET PHISHING [TW] EvilProxy AiTM Set-Cookie (phishing.rules)
  • 2037850 - ET PHISHING [TW] EvilProxy AiTM Cookie Value M1 (phishing.rules)
  • 2037863 - ET MALWARE Trojan.Dropper.HTML.Agent Payload (malware.rules)
  • 2037865 - ET PHISHING [TW] Robin Banks HTTP HOST M2 (phishing.rules)
  • 2037889 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (ui .0x0x0x0x0 .xyz) in DNS Lookup (malware.rules)
  • 2037890 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (rp .oiwcvbnc2e .stream) in DNS Lookup (malware.rules)
  • 2037891 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (aj .0x0x0x0x0 .best) in DNS Lookup (malware.rules)
  • 2037892 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (xs .0x0x0x0x0 .club) in DNS Lookup (malware.rules)
  • 2037893 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (qb .1c1c1c1c .best) in DNS Lookup (malware.rules)
  • 2037894 - ET MALWARE W32/CoinMinerESJ!tr CnC Domain (ox .mygoodluck .best) in DNS Lookup (malware.rules)
  • 2037909 - ET MALWARE ENV Variable Data Exfiltration Domain (ovz1 .j19544519 .pr46m .vps .myjino .ru) in DNS Lookup (malware.rules)
  • 2037910 - ET MALWARE ENV Variable Data Exfiltration Attempt (HTTP POST) (malware.rules)
  • 2037932 - ET ADWARE_PUP Observed DNS Query to Restoro PUP Domain (restoro .com) (adware_pup.rules)
  • 2037963 - ET MALWARE Patchwork APT Related Activity M3 (POST) (malware.rules)
  • 2038495 - ET PHISHING Possible Phish with cazanova= Cookie (phishing.rules)
  • 2038541 - ET MALWARE Win32/GRAT2 Client CnC Checkin (malware.rules)
  • 2038549 - ET MALWARE Win32/GRAT2 Client Data Exfil (malware.rules)
  • 2038634 - ET MOBILE_MALWARE Android.Trojan.Banker.XJ Activity (mobile_malware.rules)
  • 2038647 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .cc) (info.rules)
  • 2038648 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .com) (info.rules)
  • 2038649 - ET INFO Observed URL Shortening Service Domain (vk .cc in TLS SNI) (info.rules)
  • 2038650 - ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI) (info.rules)
  • 2038672 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M1 (exploit.rules)
  • 2038673 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M2 (exploit.rules)
  • 2038700 - ET ADWARE_PUP Win32/ReImageRepair.T CnC Cookie Pattern (adware_pup.rules)
  • 2038709 - ET MALWARE Observed DNS Query to TA444 Domain (wps .wpsonline .co) (malware.rules)
  • 2038710 - ET MALWARE Observed DNS Query to TA444 Domain (documentshare .info) (malware.rules)
  • 2038711 - ET MALWARE Observed DNS Query to TA444 Domain (unchained-capital .co) (malware.rules)
  • 2038712 - ET MALWARE Observed DNS Query to TA444 Domain (cloud .globiscapital .co) (malware.rules)
  • 2038713 - ET MALWARE Observed DNS Query to TA444 Domain (shconstmarket .com) (malware.rules)
  • 2038715 - ET MALWARE Observed DNS Query to TA444 Domain (edit .wpsonline .co) (malware.rules)
  • 2038716 - ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .us .org) (malware.rules)
  • 2038720 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
  • 2038721 - ET MALWARE Observed DNS Query to TA444 Domain (vote .anobaka .info) (malware.rules)
  • 2038722 - ET MALWARE Observed DNS Query to TA444 Domain (cloud .wpic .ink) (malware.rules)
  • 2038747 - ET MALWARE ErbiumStealer CnC Domain (ozaron .beget .tech) in DNS Lookup (malware.rules)
  • 2038748 - ET MALWARE Observed ErbiumStealer Domain (ozaron .beget .tech) in TLS SNI (malware.rules)
  • 2038749 - ET MALWARE ErbiumStealer CnC Domain (a0715952 .xsph .ru) in DNS Lookup (malware.rules)
  • 2038757 - ET MALWARE Observed DNS Query to EvilProxy Domain (msdnmail .net) (malware.rules)
  • 2038758 - ET MALWARE Observed DNS Query to EvilProxy Domain (evilproxy .pro) (malware.rules)
  • 2038759 - ET MALWARE Observed DNS Query to EvilProxy Domain (rproxy .io) (malware.rules)
  • 2038760 - ET MALWARE Observed DNS Query to EvilProxy Domain (pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd .onion) (malware.rules)
  • 2038761 - ET MALWARE Observed DNS Query to EvilProxy Domain (top-cyber .club) (malware.rules)
  • 2038772 - ET MALWARE Chinese Based APT Related Malware Sending System Information (POST) (malware.rules)
  • 2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-26258) (exploit.rules)
  • 2038782 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-28958) (exploit.rules)
  • 2038795 - ET MALWARE MSIL/TrojanDownloader.Agent.ITY Screenshot Upload Attempt (malware.rules)
  • 2038823 - ET MALWARE Observed DNS Query to Reverse Shell Payload Domain (opentunnel .quest) (malware.rules)
  • 2038824 - ET MALWARE Observed Malicious Powershell Payload Delivery Domain (onerecovery .click) in TLS SNI (malware.rules)
  • 2038825 - ET MALWARE Observed Reverse Shell Payload Delivery Domain (opentunnel .quest) in TLS SNI (malware.rules)
  • 2038826 - ET ADWARE_PUP Observed DNS Query to PUP Domain (superdiag .xyz) (adware_pup.rules)
  • 2038831 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (appledocs .ru) (malware.rules)
  • 2038832 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gurumades .ru) (malware.rules)
  • 2038833 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (kinksdoc .ru) (malware.rules)
  • 2038834 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (superdocs .ru) (malware.rules)
  • 2038835 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (cosmodron .com) (malware.rules)
  • 2038836 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gismolow .com) (malware.rules)
  • 2038837 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (melindas .ru) (malware.rules)
  • 2038838 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (adobefile .ru) (malware.rules)
  • 2038839 - ET MALWARE Observed DNS Query to Default Brute Ratel C2 Domain (evasionlabs .com) (malware.rules)
  • 2038841 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M1 (malware.rules)
  • 2038842 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M2 (malware.rules)
  • 2038843 - ET MALWARE Brute Ratel CnC Activity (json-c2) M1 (malware.rules)
  • 2038844 - ET MALWARE Brute Ratel CnC Activity (json-c2) M2 (malware.rules)
  • 2038860 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) (malware.rules)
  • 2038861 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mamsolutions .us) (current_events.rules)
  • 2038862 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (minielectronic .in) (current_events.rules)
  • 2038863 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (newsforward .quest) (current_events.rules)
  • 2038864 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (polussuo .com) (current_events.rules)
  • 2038865 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mamsolution .us) (current_events.rules)
  • 2038866 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (antivirusphonenumber .org) (current_events.rules)
  • 2038867 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (a-techsolutions .us) (current_events.rules)
  • 2038868 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (puppyandcats .online) (current_events.rules)
  • 2038869 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (newsagent .quest) (current_events.rules)
  • 2038870 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (humaantouch .com) (current_events.rules)
  • 2038871 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mvpconsultant .us) (current_events.rules)
  • 2038872 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (comsecurityessentials .support) (current_events.rules)
  • 2038873 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (everyavenuetravel .site) (current_events.rules)
  • 2038874 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (hardwarecloseout .com) (current_events.rules)
  • 2038875 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (netsecurity-essential .com) (current_events.rules)
  • 2038876 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (weeklylive .info) (current_events.rules)
  • 2038877 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (foddylearn .com) (current_events.rules)
  • 2038878 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (decfurnish .com) (current_events.rules)
  • 2038879 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (glamorousfeeds .com) (current_events.rules)
  • 2038880 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (issat .us) (current_events.rules)
  • 2038881 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (trendingonfeed .com) (current_events.rules)
  • 2038882 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (aksconsulting .us) (current_events.rules)
  • 2038883 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (feedsonbudget .com) (current_events.rules)
  • 2038884 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (tissatweb .us) (current_events.rules)
  • 2038885 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (viralonspot .com) (current_events.rules)
  • 2038886 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (furnitureshopone .us) (current_events.rules)
  • 2038887 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (printertechnicahelp .com) (current_events.rules)
  • 2038888 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mainlytrendy .com) (current_events.rules)
  • 2038889 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (globalnews .cloud) (current_events.rules)
  • 2038890 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (thespeedoflite .com) (current_events.rules)
  • 2038891 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (quickbooktechnicalsupport .org) (current_events.rules)
  • 2038892 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (financialtrending .com) (current_events.rules)
  • 2038893 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (tissat .us) (current_events.rules)
  • 2038914 - ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live) (malware.rules)
  • 2038920 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
  • 2038948 - ET MALWARE SocGholish Domain in DNS Lookup (casting .faeryfox .com) (malware.rules)
  • 2038949 - ET MALWARE SocGholish Domain in DNS Lookup (predator .foxscalesjewelry .com) (malware.rules)
  • 2038950 - ET MALWARE SocGholish Domain in DNS Lookup (amplifier .myjesusloves .me) (malware.rules)
  • 2038951 - ET MALWARE SocGholish Domain in DNS Lookup (loans .mistakenumberone .com) (malware.rules)
  • 2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
  • 2038953 - ET MALWARE SocGholish Domain in DNS Lookup (prompt .zonashoppers .academy) (malware.rules)
  • 2038954 - ET MALWARE SocGholish Domain in DNS Lookup (hair .2topost .com) (malware.rules)
  • 2038955 - ET MALWARE SocGholish Domain in DNS Lookup (custom .usmuchmedia .com) (malware.rules)
  • 2038956 - ET MALWARE SocGholish CnC Domain in DNS Lookup (moments .abledity .com) (malware.rules)
  • 2038957 - ET MALWARE SocGholish Domain in DNS Lookup (notes .fumcpittsburg .org) (malware.rules)
  • 2038972 - ET MALWARE SocGholish Domain in DNS Lookup (tutorials .girandolashutkindconstruction .com) (malware.rules)
  • 2039029 - ET MALWARE TA569 Fake Captcha Download (malware.rules)
  • 2039036 - ET MALWARE SocGholish Domain in DNS Lookup (auction .wonderwomanquilts .com) (malware.rules)
  • 2039071 - ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (market .contradecapital .com) (malware.rules)
  • 2039072 - ET MALWARE Observed Lazarus Domain (market .contradecapital .com in TLS SNI) (malware.rules)
  • 2039078 - ET MALWARE SocGholish Domain in DNS Lookup (premiere .4tosocialbeginners .com) (malware.rules)
  • 2039102 - ET MALWARE TA569 Fake Browser Update Domain in DNS Lookup (profi-stom .com) (malware.rules)
  • 2039139 - ET MALWARE SocGholish Domain in DNS Lookup (ecar .allsunstates .com) (malware.rules)
  • 2039140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (houses .in-vermont .com) (malware.rules)
  • 2039243 - ET MALWARE Observed DNS Query to Budminer Domain (Kmember .wikaba .com) (malware.rules)
  • 2039252 - ET MALWARE Observed DNS Query to Budminer Domain (soft .update .cloudns .info) (malware.rules)
  • 2039270 - ET MALWARE Observed DNS Query to Budminer Domain (nscnet .tk) (malware.rules)
  • 2039292 - ET MALWARE Observed DNS Query to Budminer Domain (twmis .twgogo .org) (malware.rules)
  • 2851931 - ETPRO MALWARE Unknown.BatScript CnC Activity M2 (malware.rules)
  • 2851979 - ETPRO MALWARE VBA/TrojanDownloader.Agent.SME CnC Activity (malware.rules)
  • 2851982 - ETPRO MALWARE LimeRat Domain in DNS Lookup (one-drive .sly .io) (malware.rules)
  • 2852063 - ETPRO MALWARE Win32/Trojan-Dropper.MSIL.Sysn.gen CnC Exfil (malware.rules)
  • 2852362 - ETPRO MALWARE Script/Unknown CnC Activity (malware.rules)
  • 2852363 - ETPRO MALWARE Observed DNS Query to Suspicious Domain (threatactor .lol) (malware.rules)
  • 2852364 - ETPRO MALWARE Observed DNS Query to Suspicious Domain (apt29 .lol) (malware.rules)
  • 2852385 - ETPRO MALWARE Win32/Delf.NBX CnC Response (malware.rules)