Ruleset Update Summary - 2025/09/04 - v11008

Ruleset Updates
1

Summary:

62 new OPEN, 72 new PRO (62 + 10)

Thanks @sekoia_io, @Mandiant

Added rules:

Open:

  • 2064284 - ET MALWARE AsyncRAT CnC Domain in DNS Lookup (wuwu6 .cfd) (malware.rules)
  • 2064285 - ET MALWARE Observed AsyncRAT CnC Domain (wuwu6 .cfd in TLS SNI) (malware.rules)
  • 2064286 - ET INFO Observed RMM Domain in DNS Lookup (* .gotohttp .com) (info.rules)
  • 2064287 - ET INFO Observed RMM Domain in TLS SNI (* .gotohttp .com) (info.rules)
  • 2064288 - ET MALWARE Quad7 Botnet UPDTAE Backdoor CnC Checkin (malware.rules)
  • 2064289 - ET HUNTING Suspicious User-Agent String Observed (IOT) (hunting.rules)
  • 2064290 - ET PHISHING Observed DNS Query to OAuth Stealer Domain (kafkashaliyikama .com) (phishing.rules)
  • 2064291 - ET PHISHING Observed OAuth Stealer Domain (kafkashaliyikama .com in TLS SNI) (phishing.rules)
  • 2064292 - ET MALWARE Quad7 Botnet - Outbound rlogin Telnet Prompt from Compromised Endpoint (malware.rules)
  • 2064293 - ET MALWARE Quad7 Botnet - Outbound alogin Telnet Prompt from Compromised Endpoint (malware.rules)
  • 2064294 - ET MALWARE Quad7 Botnet - Outbound zylogin Telnet Prompt from Compromised Endpoint (malware.rules)
  • 2064295 - ET HUNTING Suspicious User-Agent String Observed Inbound (Salesforce-CLI/1.0) (hunting.rules)
  • 2064296 - ET HUNTING Suspicious User-Agent String Observed Inbound (Salesforce-Multi-Org-Fetcher/1.0) (hunting.rules)
  • 2064297 - ET INFO DYNAMIC_DNS Query to a *.avtoservis-hladin .si domain (info.rules)
  • 2064298 - ET INFO DYNAMIC_DNS HTTP Request to a *.avtoservis-hladin .si domain (info.rules)
  • 2064299 - ET INFO DYNAMIC_DNS Query to a *.mygadgets .com .ar domain (info.rules)
  • 2064300 - ET INFO DYNAMIC_DNS HTTP Request to a *.mygadgets .com .ar domain (info.rules)
  • 2064301 - ET INFO DYNAMIC_DNS Query to a *.vomytdaug .com domain (info.rules)
  • 2064302 - ET INFO DYNAMIC_DNS HTTP Request to a *.vomytdaug .com domain (info.rules)
  • 2064303 - ET INFO DYNAMIC_DNS Query to a *.thesqueakandoilchart .com domain (info.rules)
  • 2064304 - ET INFO DYNAMIC_DNS HTTP Request to a *.thesqueakandoilchart .com domain (info.rules)
  • 2064305 - ET INFO DYNAMIC_DNS Query to a *.thesqueakandoilformula .com domain (info.rules)
  • 2064306 - ET INFO DYNAMIC_DNS HTTP Request to a *.thesqueakandoilformula .com domain (info.rules)
  • 2064307 - ET INFO DYNAMIC_DNS Query to a *.petterisaak .com domain (info.rules)
  • 2064308 - ET INFO DYNAMIC_DNS HTTP Request to a *.petterisaak .com domain (info.rules)
  • 2064309 - ET INFO DYNAMIC_DNS Query to a *.betertech .com .ar domain (info.rules)
  • 2064310 - ET INFO DYNAMIC_DNS HTTP Request to a *.betertech .com .ar domain (info.rules)
  • 2064311 - ET INFO DYNAMIC_DNS Query to a *.hameau .cl domain (info.rules)
  • 2064312 - ET INFO DYNAMIC_DNS HTTP Request to a *.hameau .cl domain (info.rules)
  • 2064313 - ET INFO DYNAMIC_DNS Query to a *.thesqueakandoilmanual .com domain (info.rules)
  • 2064314 - ET INFO DYNAMIC_DNS HTTP Request to a *.thesqueakandoilmanual .com domain (info.rules)
  • 2064315 - ET INFO DYNAMIC_DNS Query to a *.dstand .com .au domain (info.rules)
  • 2064316 - ET INFO DYNAMIC_DNS HTTP Request to a *.dstand .com .au domain (info.rules)
  • 2064317 - ET INFO DYNAMIC_DNS Query to a *.dicosmo .com .au domain (info.rules)
  • 2064318 - ET INFO DYNAMIC_DNS HTTP Request to a *.dicosmo .com .au domain (info.rules)
  • 2064319 - ET INFO DYNAMIC_DNS Query to a *.dsn-hkpr .ca domain (info.rules)
  • 2064320 - ET INFO DYNAMIC_DNS HTTP Request to a *.dsn-hkpr .ca domain (info.rules)
  • 2064321 - ET INFO DYNAMIC_DNS Query to a *.sismonda .com .ar domain (info.rules)
  • 2064322 - ET INFO DYNAMIC_DNS HTTP Request to a *.sismonda .com .ar domain (info.rules)
  • 2064323 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (custpub .com) (exploit_kit.rules)
  • 2064324 - ET EXPLOIT_KIT LandUpdate808 Domain (custpub .com) in TLS SNI (exploit_kit.rules)
  • 2064325 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (limcuz .ru) (malware.rules)
  • 2064326 - ET INFO Python aiohttp User-Agent Observed Inbound (info.rules)
  • 2064327 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (limcuz .ru) in TLS SNI (malware.rules)
  • 2064328 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pristid .bet) (malware.rules)
  • 2064329 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pristid .bet) in TLS SNI (malware.rules)
  • 2064330 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pterobm .top) (malware.rules)
  • 2064331 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pterobm .top) in TLS SNI (malware.rules)
  • 2064332 - ET INFO Observed DNS Query to Web Hosting Domain (atwebpages .com) (info.rules)
  • 2064333 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .indianadforum .com) (malware.rules)
  • 2064334 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .indianadforum .com) (malware.rules)
  • 2064335 - ET INFO Observed Web Hosting Domain (atwebpages .com in TLS SNI) (info.rules)
  • 2064336 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (saewh .com) (exploit_kit.rules)
  • 2064337 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (saewh .com) (exploit_kit.rules)
  • 2064338 - ET INFO Observed RMM Domain in DNS Lookup (* .itsm-us1.comodo .com) (info.rules)
  • 2064339 - ET INFO Observed RMM Domain in TLS SNI (* .itsm-us1.comodo .com) (info.rules)
  • 2064340 - ET INFO Observed RMM Domain in DNS Lookup (mdmsupport .comodo .com) (info.rules)
  • 2064341 - ET INFO Observed RMM Domain in DNS Lookup (servicedesk .itarian .com) (info.rules)
  • 2064342 - ET INFO Observed RMM Domain in DNS Lookup (remoteaccess .itarian .com) (info.rules)
  • 2064343 - ET INFO Observed RMM Domain in TLS SNI (mdmsupport .comodo .com) (info.rules)
  • 2064344 - ET INFO Observed RMM Domain in TLS SNI (servicedesk .itarian .com) (info.rules)
  • 2064345 - ET INFO Observed RMM Domain in TLS SNI (remoteaccess .itarian .com) (info.rules)

Pro:

  • 2864463 - ETPRO MALWARE TA406 Victim Checkin (GET) (malware.rules)
  • 2864464 - ETPRO ATTACK_RESPONSE chemical/x-mopac-input MIME Type Contains PowerShell (attack_response.rules)
  • 2864465 - ETPRO ATTACK_RESPONSE Observed TA406 Exfiltration Payload Inbound (attack_response.rules)
  • 2864466 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864467 - ETPRO MALWARE Observed DNS Query to TA406 Domain (malware.rules)
  • 2864468 - ETPRO MALWARE Observed TA406 Domain in TLS SNI (malware.rules)
  • 2864469 - ETPRO MALWARE TA406 Payload Request (GET) (malware.rules)
  • 2864470 - ETPRO ATTACK_RESPONSE Observed TA406 Task Scheduler Payload Inbound (attack_response.rules)
  • 2864471 - ETPRO ATTACK_RESPONSE Observed TA406 Payload Downloader Script Inbound (attack_response.rules)
  • 2864472 - ETPRO MALWARE TA406 CnC Exfiltration (POST) (malware.rules)

Modified inactive rules:

  • 2035459 - ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1 (malware.rules)
  • 2035460 - ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2 (malware.rules)
  • 2035471 - ET MALWARE Win32/44Caliber Stealer Discord Activity (POST) (malware.rules)
  • 2035473 - ET MALWARE Win32/PlugX Related Activity (malware.rules)
  • 2035477 - ET MALWARE rat-test CnC Response (malware.rules)
  • 2035517 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035521 - ET PHISHING Successful TA422 Credential Phish 2022-03-17 M2 (phishing.rules)
  • 2035522 - ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17 (phishing.rules)
  • 2035536 - ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil (malware.rules)
  • 2035551 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET) (malware.rules)
  • 2035552 - ET MALWARE Mustang Panda APT Related Activity (GET) (malware.rules)
  • 2035560 - ET MALWARE Win32/Pterodo Activity (POST) (malware.rules)
  • 2035565 - ET MALWARE ConPtyShell Client Response (malware.rules)
  • 2035566 - ET MALWARE ConPtyShell Server Command (whoami) (malware.rules)
  • 2035598 - ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound) (malware.rules)
  • 2035599 - ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound) (malware.rules)
  • 2035600 - ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound) (malware.rules)
  • 2035603 - ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET) (malware.rules)
  • 2035605 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch (malware.rules)
  • 2035606 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch (malware.rules)
  • 2035607 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) (malware.rules)
  • 2035612 - ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox) (web_server.rules)
  • 2035614 - ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com) (malware.rules)
  • 2035618 - ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com) (phishing.rules)
  • 2035624 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
  • 2035625 - ET MALWARE TransparentTribe APT Related Backdoor Activity (malware.rules)
  • 2035647 - ET PHISHING Generic Phish Landing Page 2022-03-29 (phishing.rules)
  • 2035654 - ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru) (info.rules)
  • 2035660 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax) (malware.rules)
  • 2035662 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me) (malware.rules)
  • 2035666 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software) (malware.rules)
  • 2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
  • 2035689 - ET MALWARE Win32/PlugX/Talisman Activity (POST) (malware.rules)
  • 2035692 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1 (malware.rules)
  • 2035693 - ET MALWARE Win32/Killav.CM CnC Response (malware.rules)
  • 2035694 - ET MALWARE Win32/Killav.CM Checkin M2 (malware.rules)
  • 2035696 - ET MALWARE Win32/WindowsDefender Bypass Download Request (malware.rules)
  • 2035704 - ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com) (malware.rules)
  • 2035705 - ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com) (malware.rules)
  • 2035706 - ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com) (malware.rules)
  • 2035708 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com) (malware.rules)
  • 2035710 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru) (malware.rules)
  • 2035712 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop) (malware.rules)
  • 2035714 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at) (malware.rules)
  • 2035715 - ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI (malware.rules)
  • 2035721 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035722 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035723 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035724 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035725 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035726 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035727 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035728 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035729 - ET MALWARE Win32/POWERPLANT CnC Exfil (Query) (malware.rules)
  • 2035730 - ET MALWARE Win32/POWERPLANT CnC Exfil (INIT) (malware.rules)
  • 2035731 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035732 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035733 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035734 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035735 - ET MALWARE Win32/LOADOUT CnC Activity (malware.rules)
  • 2035754 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035755 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035756 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035758 - ET INFO Observed Proxy Domain (proxynet .io in TLS SNI) (info.rules)
  • 2035768 - ET HUNTING Kaspov Related Hex In HTTP Accept Header (hunting.rules)
  • 2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
  • 2035773 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com) (malware.rules)
  • 2035774 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com) (malware.rules)
  • 2035775 - ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com) (malware.rules)
  • 2035776 - ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net) (malware.rules)
  • 2035777 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net) (malware.rules)
  • 2035778 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net) (malware.rules)
  • 2035779 - ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com) (malware.rules)
  • 2035781 - ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com) (malware.rules)
  • 2035782 - ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com) (malware.rules)
  • 2035803 - ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com) (malware.rules)
  • 2035805 - ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com) (malware.rules)
  • 2035807 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co) (malware.rules)
  • 2035808 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com) (malware.rules)
  • 2035809 - ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co) (malware.rules)
  • 2035810 - ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me) (malware.rules)
  • 2035811 - ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com) (malware.rules)
  • 2035812 - ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com) (malware.rules)
  • 2035813 - ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net) (malware.rules)
  • 2035814 - ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org) (malware.rules)
  • 2035815 - ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com) (malware.rules)
  • 2035816 - ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net) (malware.rules)
  • 2035817 - ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net) (malware.rules)
  • 2035819 - ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co) (malware.rules)
  • 2035820 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info) (malware.rules)
  • 2035821 - ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live) (malware.rules)
  • 2035822 - ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in) (malware.rules)
  • 2035824 - ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live) (malware.rules)
  • 2035825 - ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org) (malware.rules)
  • 2035826 - ET MALWARE Observed DNS Query to TA455 Domain (saipem .org) (malware.rules)
  • 2035827 - ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com) (malware.rules)
  • 2035828 - ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com) (malware.rules)
  • 2035829 - ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com) (malware.rules)
  • 2035830 - ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co) (malware.rules)
  • 2035831 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co) (malware.rules)
  • 2035832 - ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me) (malware.rules)
  • 2035833 - ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com) (malware.rules)
  • 2035834 - ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in) (malware.rules)
  • 2035835 - ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com) (malware.rules)
  • 2035836 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info) (malware.rules)
  • 2035837 - ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com) (malware.rules)
  • 2035838 - ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com) (malware.rules)
  • 2035839 - ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net) (malware.rules)
  • 2035840 - ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net) (malware.rules)
  • 2035841 - ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co) (malware.rules)
  • 2035842 - ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org) (malware.rules)
  • 2035843 - ET MALWARE Observed DNS Query to TA455 Domain (freechess .live) (malware.rules)
  • 2035844 - ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org) (malware.rules)
  • 2035845 - ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com) (malware.rules)
  • 2035846 - ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net) (malware.rules)
  • 2035847 - ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com) (malware.rules)
  • 2035848 - ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online) (malware.rules)
  • 2035849 - ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com) (malware.rules)
  • 2035850 - ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online) (malware.rules)
  • 2035851 - ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org) (malware.rules)
  • 2035853 - ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net) (malware.rules)
  • 2035854 - ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net) (malware.rules)
  • 2035855 - ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net) (malware.rules)
  • 2035856 - ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com) (malware.rules)
  • 2035877 - ET MALWARE Observed DNS Query to Winnti Domain (malware.rules)
  • 2035878 - ET MALWARE Observed DNS Query to Winnti Domain (malware.rules)
  • 2035889 - ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com) (info.rules)
  • 2035890 - ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI) (info.rules)
  • 2035917 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
  • 2035929 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com) (malware.rules)
  • 2035937 - ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13 (phishing.rules)
  • 2035942 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
  • 2035943 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
  • 2036258 - ET MALWARE Suspected TA404 APT Related Activity M2 (malware.rules)
  • 2036368 - ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI (malware.rules)
  • 2036622 - ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup (kleinm .de) (malware.rules)
  • 2851279 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (power.txt) (malware.rules)
  • 2851280 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (kill.txt) (malware.rules)
  • 2851281 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (uninstall.txt) (malware.rules)
  • 2851282 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (download.txt) (malware.rules)
  • 2851285 - ETPRO MALWARE jpg Image Request (set) (malware.rules)
  • 2851286 - ETPRO MALWARE Malicious Script Retrieved via Image Request (malware.rules)
  • 2851289 - ETPRO MALWARE MSIL/TrojanDropper.Agent.FKR CnC Exfil (malware.rules)
  • 2851290 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Get Commands) (malware.rules)
  • 2851291 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake Avast Antivirus) (malware.rules)
  • 2851292 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake AVG AntiVirus) (malware.rules)
  • 2851294 - ETPRO MALWARE Win32/AsyncRAT Successful Payload Download (malware.rules)
  • 2851305 - ETPRO HUNTING Suspicious User-Agent - No space after Mozilla version (hunting.rules)
  • 2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)
  • 2851319 - ETPRO MALWARE Win32/Orion Grabber/Stealer Related Domain in DNS Lookup (malware.rules)
  • 2851337 - ETPRO MALWARE User32.dll Download via Powershell (malware.rules)
  • 2851364 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2851396 - ETPRO MALWARE Suspicious Domain (records .hibiscus .live) in TLS SNI (malware.rules)
  • 2851397 - ETPRO MALWARE Suspicious Domain (backup .latestsyn .xyz) in TLS SNI (malware.rules)
  • 2851398 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
  • 2851399 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
  • 2851423 - ETPRO MALWARE Trojan.Win32.Scar.DSUU CnC Exfil (malware.rules)
  • 2851440 - ETPRO PHISHING Possible Instagram Phish Traffic (phishing.rules)