Ruleset Update Summary - 2025/09/02 - v11006

Summary:

27 new OPEN, 38 new PRO (27 + 11)
Added rules:

Open:

  • 2064211 - ET MALWARE GET Request to steamcommunity .com With Minimal Headers - Common With InfoStealers (malware.rules)
  • 2064237 - ET MALWARE Lumma Stealer CnC Checkin (/info) (malware.rules)
  • 2064238 - ET MALWARE Lumma Stealer CnC Server Response (malware.rules)
  • 2064239 - ET INFO DYNAMIC_DNS Query to a *.australianhuntermag .com domain (info.rules)
  • 2064240 - ET INFO DYNAMIC_DNS HTTP Request to a *.australianhuntermag .com domain (info.rules)
  • 2064241 - ET MALWARE Lumma Stealer CnC Checkin (/update) (malware.rules)
  • 2064242 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tmello .com) (exploit_kit.rules)
  • 2064243 - ET EXPLOIT_KIT LandUpdate808 Domain (tmello .com) in TLS SNI (exploit_kit.rules)
  • 2064244 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vcsinfo .com) (exploit_kit.rules)
  • 2064245 - ET EXPLOIT_KIT LandUpdate808 Domain (vcsinfo .com) in TLS SNI (exploit_kit.rules)
  • 2064246 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (backab .ru) (malware.rules)
  • 2064247 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (backab .ru) in TLS SNI (malware.rules)
  • 2064248 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (complve .top) (malware.rules)
  • 2064249 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (complve .top) in TLS SNI (malware.rules)
  • 2064250 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eigwos .ru) (malware.rules)
  • 2064251 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eigwos .ru) in TLS SNI (malware.rules)
  • 2064252 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (epitherd .ru) (malware.rules)
  • 2064253 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (epitherd .ru) in TLS SNI (malware.rules)
  • 2064254 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kimmenkiz .ru) (malware.rules)
  • 2064255 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kimmenkiz .ru) in TLS SNI (malware.rules)
  • 2064256 - ET ATTACK_RESPONSE Lumma Stealer Payload Inbound (attack_response.rules)
  • 2064257 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oneflof .ru) (malware.rules)
  • 2064258 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oneflof .ru) in TLS SNI (malware.rules)
  • 2064259 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washerv .ru) (malware.rules)
  • 2064260 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (washerv .ru) in TLS SNI (malware.rules)
  • 2064261 - ET MALWARE Lumma Stealer CnC Checkin (GET) (malware.rules)
  • 2064262 - ET MALWARE Lumma Stealer CnC Checkin (/ycl) (malware.rules)

Pro:

  • 2864432 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864433 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864434 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864435 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864436 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864437 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864438 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864439 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864440 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2864441 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2864442 - ETPRO MALWARE UNK_SteadySplit CnC Activity (GET) (malware.rules)

Modified inactive rules:

  • 2036670 - ET MALWARE Python CTX Library Backdoor Domain in DNS Lookup (anti-theft-web .herokuapp .com) (malware.rules)
  • 2036671 - ET MALWARE Observed Python CTX Library Backdoor Domain (anti-theft-web .herokuapp .com) in TLS SNI (malware.rules)
  • 2036681 - ET MALWARE Downloader/Win.MalXll.R466354 Payload Request (malware.rules)
  • 2036687 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net) (malware.rules)
  • 2036688 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net) (malware.rules)
  • 2036751 - ET MALWARE Suspected BPFDoor UDP Magic Packet (Inbound) (malware.rules)
  • 2036752 - ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound) (malware.rules)
  • 2036753 - ET MALWARE Suspected BPFDoor ICMP Magic Packet (Inbound) (malware.rules)
  • 2036826 - ET MALWARE Polonium CreepyDrive Implant Request (malware.rules)
  • 2036827 - ET MALWARE Polonium CreepyDrive Upload Request (malware.rules)
  • 2036829 - ET MALWARE Polonium CreepyDrive Client CnC Response (malware.rules)
  • 2036877 - ET WEB_CLIENT [TW] WEBDAV UA (web_client.rules)
  • 2036878 - ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt (web_client.rules)
  • 2036879 - ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt (web_client.rules)
  • 2036881 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
  • 2036934 - ET MALWARE Win32/RecordBreaker CnC Checkin M1 (malware.rules)
  • 2036960 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (kealkun .16mb .com) (malware.rules)
  • 2036961 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (ping .otwalkun .16mb .com) (malware.rules)
  • 2036966 - ET MALWARE Aoqin Dragon APT Related Activity (GET) (malware.rules)
  • 2036973 - ET MALWARE Aoqin Dragon APT Related Activity (GET) (malware.rules)
  • 2036976 - ET INFO AmanVPN Checkin (info.rules)
  • 2036977 - ET INFO AmanVPN Heartbeat (info.rules)
  • 2036978 - ET INFO AmanVPN Heartbeat Response (info.rules)
  • 2036982 - ET MALWARE Loxes/Mongall Related CnC Beacon M3 (GET) (malware.rules)
  • 2036983 - ET MALWARE MalDoc Retrieving Qbot Payload 2022-06-14 (malware.rules)
  • 2036986 - ET MALWARE Observed DNS Query to Maldoc Domain (sportpony .ch) (malware.rules)
  • 2036987 - ET MALWARE Observed DNS Query to Maldoc Domain (spprospekt .com .br) (malware.rules)
  • 2036988 - ET MALWARE Observed DNS Query to Maldoc Domain (procoach .jp) (malware.rules)
  • 2036989 - ET MALWARE Observed DNS Query to Maldoc Domain (suidi .com) (malware.rules)
  • 2036990 - ET MALWARE Observed DNS Query to Maldoc Domain (regenerationcongo .com) (malware.rules)
  • 2036991 - ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat .co .il) (phishing.rules)
  • 2036992 - ET PHISHING Generic Phishing DNS Lookup (xn--sapeaunoticias-kjb .com .br) (phishing.rules)
  • 2037000 - ET MALWARE Maldoc Retrieving Payload 2022-06-15 (malware.rules)
  • 2037001 - ET MALWARE Maldoc Retrieving Payload 2022-06-15 (malware.rules)
  • 2037026 - ET MALWARE Win32.Banker Trojan CnC Checkin (malware.rules)
  • 2037082 - ET MALWARE Possible Follina Payload Delivery Page (malware.rules)
  • 2037083 - ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) (exploit.rules)
  • 2037100 - ET PHISHING Observed DNS Query to Nedbank Phishing Domain (phishing.rules)
  • 2037119 - ET MALWARE ToddyCat Ninja Backdoor CnC Domain in DNS Lookup (eohsdnsaaojrhnqo .windowshost .us) (malware.rules)
  • 2037122 - ET PHISHING Observed DNS Query to OWA Phishing Domain (phishing.rules)
  • 2037125 - ET PHISHING Observed DNS Query to ING Group Phishing Domain (phishing.rules)
  • 2037126 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
  • 2037130 - ET MALWARE Observed DNS Query to DarkCrystal Rat Domain (datagroup .ddns .net) (2022-06-27) (malware.rules)
  • 2037134 - ET PHISHING Observed DNS Query to American Express Phishing Domain (phishing.rules)
  • 2037137 - ET USER_AGENTS Suspicious User-Agent (Windows Explorer) (user_agents.rules)
  • 2037147 - ET PHISHING Successful ANZ Internet Banking Phish 2022-06-23 (phishing.rules)
  • 2037163 - ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (mesharepoint .com) (info.rules)
  • 2037210 - ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net) (phishing.rules)
  • 2037211 - ET PHISHING Malicious SSL Certificate detected (Alibaba Phishing) (phishing.rules)
  • 2037212 - ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou) (phishing.rules)
  • 2037214 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
  • 2037215 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
  • 2037242 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037243 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037244 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037245 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037247 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037248 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037256 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037257 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037258 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037259 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037260 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037721 - ET MALWARE Bitter APT Domain in DNS Lookup (huandocimama .com) (malware.rules)
  • 2037732 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037733 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037746 - ET MALWARE MSIL/PSW.Discord.AIY CnC Exfil (malware.rules)
  • 2037747 - ET USER_AGENTS Suspicious User-Agent (kath) (user_agents.rules)
  • 2037752 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037766 - ET MALWARE Win32/H0lyGh0st Ransomware CnC Activity (GET Public Key) (malware.rules)
  • 2037767 - ET MALWARE Win32/H0lyGh0st Ransomware Exfil Activity (POST) (malware.rules)
  • 2037768 - ET MALWARE Win32/H0lyGh0st Ransomware CnC Response (malware.rules)
  • 2037774 - ET MALWARE Win32/H0lyGh0st CnC Activity (malware.rules)
  • 2037778 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037779 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037796 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (techspaceinfo .com) (malware.rules)
  • 2037817 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (oracleservice .top) (malware.rules)
  • 2037842 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (zuyonijobo .com) (malware.rules)
  • 2037843 - ET MALWARE Observed Cobalt Strike Domain (zuyonijobo .com) in TLS SNI (malware.rules)
  • 2037864 - ET PHISHING [TW] Robin Banks HTTP HOST M1 (phishing.rules)
  • 2037908 - ET MALWARE Possible T-RAT Encrypted Zip Request M2 (malware.rules)
  • 2851705 - ETPRO MALWARE Possible MalDoc Retrieving Payload 2022-05-25 (malware.rules)
  • 2851706 - ETPRO MALWARE Malicious Word Document Template Download Domain in DNS Lookup (truecolor8 .xyz) (malware.rules)
  • 2851711 - ETPRO MALWARE Win32/Kryptik.HPRB Payload Request (GET) (malware.rules)
  • 2851728 - ETPRO ATTACK_RESPONSE Invoke-Obfuscation Concatenate String (DownloadString) (attack_response.rules)
  • 2851731 - ETPRO PHISHING DNS Query to Phishing Domain (inspiring-moser 172-93-188-73 .plesk .page) (phishing.rules)
  • 2851734 - ETPRO ATTACK_RESPONSE PowerShell Uint16 Encoding Obfuscation Inbound (attack_response.rules)
  • 2851735 - ETPRO MALWARE Njrat Payload Request (PE.txt) (malware.rules)
  • 2851740 - ETPRO MALWARE Powershell Pak-Loader Download (malware.rules)
  • 2851774 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (malware.rules)
  • 2851775 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (malware.rules)
  • 2851801 - ETPRO MALWARE PowerShell Script Fingerprinting Host System CnC Exfil (malware.rules)
  • 2851839 - ETPRO MALWARE Possible MalDoc Retrieving Payload (2022-06-28) (malware.rules)
  • 2851840 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
  • 2851842 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
  • 2851847 - ETPRO MALWARE Unknown MalDoc CnC Activity (2022-06-29) (malware.rules)
  • 2851851 - ETPRO MALWARE Observed DNS Query to TA402 Domain (malware.rules)
  • 2851852 - ETPRO MALWARE Observed TA402 Domain in TLS SNI (malware.rules)
  • 2851879 - ETPRO MALWARE LNK/TrojanDownloader.Agent.AS CnC Activity M1 (malware.rules)
  • 2851880 - ETPRO MALWARE LNK/TrojanDownloader.Agent.AS CnC Activity M2 (malware.rules)
  • 2851881 - ETPRO MALWARE LNK/TrojanDownloader.Agent.ASS CnC Activity M3 (malware.rules)
  • 2851929 - ETPRO MALWARE Unknown.BatScript CnC Activity M1 (malware.rules)
  • 2851930 - ETPRO MALWARE Unknown.BatScript Host Profile Exfil (malware.rules)
  • 2851932 - ETPRO MALWARE MSIL/Kryptik.AFSX CnC Checkin (malware.rules)
  • 2852169 - ETPRO EXPLOIT Possible Microsoft Windows Server HTTP.sys DOS Inbound (CVE-2022-35748) (exploit.rules)

Removed rules:

  • 2064211 - ET HUNTING GET Request to steamcommunity .com With Minimal Headers - Common With InfoStealers (hunting.rules)