Ruleset Update Summary - 2025/09/03 - v11007

Ruleset Updates
1

Summary:

21 new OPEN, 34 new PRO (21 + 13)

Added rules:

Open:

  • 2064263 - ET INFO URL Shortener Service Domain in DNS Lookup (vroops .com) (info.rules)
  • 2064264 - ET INFO Observed URL Shortener Service Domain (vroops .com in TLS SNI) (info.rules)
  • 2064265 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (javascriptbasics .com) (malware.rules)
  • 2064266 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (es6featureshub .com) (malware.rules)
  • 2064267 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (prototypechain .com) (malware.rules)
  • 2064268 - ET MALWARE TA569 Staging Server Domain in TLS SNI (javascriptbasics .com) (malware.rules)
  • 2064269 - ET MALWARE TA569 Staging Server Domain in TLS SNI (es6featureshub .com) (malware.rules)
  • 2064270 - ET MALWARE TA569 Staging Server Domain in TLS SNI (prototypechain .com) (malware.rules)
  • 2064271 - ET MALWARE Lumma Stealer CnC Checkin (/service) (malware.rules)
  • 2064272 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (louglas .com) (exploit_kit.rules)
  • 2064273 - ET EXPLOIT_KIT LandUpdate808 Domain (louglas .com) in TLS SNI (exploit_kit.rules)
  • 2064274 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bastxtu .top) (malware.rules)
  • 2064275 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bastxtu .top) in TLS SNI (malware.rules)
  • 2064276 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (typescripttools .com) (malware.rules)
  • 2064277 - ET MALWARE TA569 Staging Server Domain in TLS SNI (typescripttools .com) (malware.rules)
  • 2064278 - ET WEB_SPECIFIC_APPS Wavlink adm.cgi Multiple Parameters Command Injection Attempt (CVE-2025-50757, 2025-50755, CVE-2024-48705) (web_specific_apps.rules)
  • 2064279 - ET WEB_SPECIFIC_APPS PLDT formPing6 pingAddr Parameter Command Injection Attempt (CVE-2025-56498) (web_specific_apps.rules)
  • 2064280 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .luxurypartybustoronto .ca) (malware.rules)
  • 2064281 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (samples .salondeguitaredemontreal .com) (malware.rules)
  • 2064282 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .luxurypartybustoronto .ca) (malware.rules)
  • 2064283 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (samples .salondeguitaredemontreal .com) (malware.rules)

Pro:

  • 2864443 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864444 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864445 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864446 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864447 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2864448 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864449 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2864450 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864451 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2864452 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864453 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864454 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2864455 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2035896 - ET MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
  • 2035899 - ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co) (malware.rules)
  • 2035900 - ET MALWARE Win32/Farfli.CUY Downloader (malware.rules)
  • 2035918 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com) (malware.rules)
  • 2035919 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com) (malware.rules)
  • 2035920 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com) (malware.rules)
  • 2035921 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com) (malware.rules)
  • 2035922 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com) (malware.rules)
  • 2035923 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com) (malware.rules)
  • 2035924 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com) (malware.rules)
  • 2035925 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com) (malware.rules)
  • 2035926 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com) (malware.rules)
  • 2035927 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org) (malware.rules)
  • 2035928 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com) (malware.rules)
  • 2035930 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com) (malware.rules)
  • 2035931 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com) (malware.rules)
  • 2035932 - ET USER_AGENTS Observed Malicious User-Agent (FastInvoice) (user_agents.rules)
  • 2035944 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
  • 2035945 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
  • 2036210 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2036211 - ET MALWARE Malicious VBS Sending System Information (POST) (malware.rules)
  • 2036213 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2036219 - ET INFO WebSocket Session Initiation Request (info.rules)
  • 2036222 - ET HUNTING Potential Forced OGNL Evaluation - HTTP URI (hunting.rules)
  • 2036223 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Header (hunting.rules)
  • 2036224 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Body (hunting.rules)
  • 2036228 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2036237 - ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee) (user_agents.rules)
  • 2036257 - ET MALWARE Suspected TA404 APT Related Activity M1 (malware.rules)
  • 2036268 - ET HUNTING Request To Suspicious Filename via Powershell (payload) (hunting.rules)
  • 2036278 - ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club) (malware.rules)
  • 2036291 - ET MALWARE Win32/Shuckworm CnC Exfil M1 (malware.rules)
  • 2036292 - ET MALWARE Win32/Shuckworm CnC Exfil M2 (malware.rules)
  • 2036293 - ET MALWARE Win32/Pterodo CnC VNC Connect Request (malware.rules)
  • 2036294 - ET MALWARE Win32/ChromeBack Extention Payload Fetch (malware.rules)
  • 2036295 - ET MALWARE Win32/ChromeBack CnC Checkin (malware.rules)
  • 2036296 - ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection (malware.rules)
  • 2036297 - ET MALWARE Win32/ChromeBack Browser Hijacker Sync (malware.rules)
  • 2036309 - ET MALWARE BlackTech FlagPro Dropper Activity (GET) (malware.rules)
  • 2036317 - ET MALWARE Zingo/GinzoStealer Data Command List Fetch (malware.rules)
  • 2036354 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime) (malware.rules)
  • 2036355 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands) (malware.rules)
  • 2036356 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate) (malware.rules)
  • 2036357 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1 (malware.rules)
  • 2036358 - ET PHISHING IRS Credential Phish Domain in DNS Lookup (supportmicrohere .com) (phishing.rules)
  • 2036364 - ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com) (malware.rules)
  • 2036366 - ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI (malware.rules)
  • 2036367 - ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI (malware.rules)
  • 2036374 - ET MALWARE Innostealer Domain in DNS Lookup windows-server031 .com) (malware.rules)
  • 2036375 - ET MALWARE Innostealer Domain (windows-server031 .com) in TLS SNI (malware.rules)
  • 2036378 - ET EXPLOIT WSO2 Server RCE (CVE-2022-29464) (exploit.rules)
  • 2036379 - ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26 (phishing.rules)
  • 2036389 - ET INFO Commonly Abused SSL/TLS Certificate Observed (mylnavyfederal .com) (info.rules)
  • 2036390 - ET MALWARE DPRK APT Related Maldoc Activity (POST) (malware.rules)
  • 2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
  • 2036425 - ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET) (mobile_malware.rules)
  • 2036455 - ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc) (malware.rules)
  • 2036468 - ET MALWARE PoshC2 Downloader Activity (GET) (malware.rules)
  • 2036470 - ET INFO DYNAMIC_DNS Query to 4nmn .com Domain (info.rules)
  • 2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
  • 2036611 - ET MALWARE Win32/NetDooka Framework RAT CnC Activity (malware.rules)
  • 2036623 - ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in TLS SNI (malware.rules)
  • 2036625 - ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen .net) (malware.rules)
  • 2036999 - ET MALWARE Maldoc Retrieving Payload 2022-06-15 (malware.rules)
  • 2851439 - ETPRO INFO Successful Instagram Login via AJAX Request (info.rules)
  • 2851526 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.BWC Domain in TLS SNI (mobile_malware.rules)
  • 2851530 - ETPRO MALWARE Maldoc Sending System Information (GET) (malware.rules)
  • 2851531 - ETPRO MALWARE MS Office Macro Qbot Download URI Apr 26 2022 (malware.rules)
  • 2851535 - ETPRO MALWARE Win32/Ursnif CnC Payload Request (malware.rules)
  • 2851550 - ETPRO MALWARE Win32/MetaStealer Fake Avast AV Update (GET) (malware.rules)
  • 2851572 - ETPRO MALWARE MalDoc Retrieving Qbot Payload 2022-05-03 (malware.rules)
  • 2851574 - ETPRO MALWARE Observed Qbot Domain (multiconstruction .net in TLS SNI) (malware.rules)
  • 2851575 - ETPRO MALWARE Observed Qbot Domain (psmyanmar .com in TLS SNI) (malware.rules)
  • 2851576 - ETPRO MALWARE Observed Qbot Domain (fastesol .com in TLS SNI) (malware.rules)
  • 2851593 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M3 (malware.rules)
  • 2851638 - ETPRO MALWARE PoshC2 CnC Response (200) M1 (malware.rules)
  • 2851639 - ETPRO MALWARE PoshC2 CnC Response (200) M2 (malware.rules)
  • 2851640 - ETPRO MALWARE PoshC2 CnC Response (200) M3 (malware.rules)
  • 2851641 - ETPRO MALWARE PoshC2 CnC Response (200) M4 (malware.rules)
  • 2851670 - ETPRO PHISHING Lastpass Credential Phishing Attempt (phishing.rules)
  • 2851671 - ETPRO PHISHING DNS Query to Lastpass Phishing domain (lastpass .colleqeinvest .org) (phishing.rules)
  • 2851672 - ETPRO PHISHING Observed Lastpass Phishing Domain (lastpass .colleqeinvest .org) in TLS SNI (phishing.rules)
  • 2851707 - ETPRO MALWARE Observed Malicious Word Document Template Download Domain (truecolor8 .xyz) in TLS SNI (malware.rules)