Ruleset Update Summary - 2025/09/05 - v11009

Summary:

57 new OPEN, 58 new PRO (57 + 1)

Thanks @ESET
Added rules:

Open:

  • 2064346 - ET INFO DYNAMIC_DNS Query to a *.mmsalles .com .br domain (info.rules)
  • 2064347 - ET INFO DYNAMIC_DNS HTTP Request to a *.mmsalles .com .br domain (info.rules)
  • 2064348 - ET INFO DYNAMIC_DNS Query to a *.glenalmond .com .au domain (info.rules)
  • 2064349 - ET INFO DYNAMIC_DNS HTTP Request to a *.glenalmond .com .au domain (info.rules)
  • 2064350 - ET INFO DYNAMIC_DNS Query to a *.briantorreyscott .com domain (info.rules)
  • 2064351 - ET INFO DYNAMIC_DNS HTTP Request to a *.briantorreyscott .com domain (info.rules)
  • 2064352 - ET INFO DYNAMIC_DNS Query to a *.qualitynet .com .br domain (info.rules)
  • 2064353 - ET INFO DYNAMIC_DNS HTTP Request to a *.qualitynet .com .br domain (info.rules)
  • 2064354 - ET INFO DYNAMIC_DNS Query to a *.docucax .com .ar domain (info.rules)
  • 2064355 - ET INFO DYNAMIC_DNS HTTP Request to a *.docucax .com .ar domain (info.rules)
  • 2064356 - ET INFO DYNAMIC_DNS Query to a *.itlogistics .com .ar domain (info.rules)
  • 2064357 - ET INFO DYNAMIC_DNS HTTP Request to a *.itlogistics .com .ar domain (info.rules)
  • 2064358 - ET INFO DYNAMIC_DNS Query to a *.truck-occasion .ch domain (info.rules)
  • 2064359 - ET INFO DYNAMIC_DNS HTTP Request to a *.truck-occasion .ch domain (info.rules)
  • 2064360 - ET INFO DYNAMIC_DNS Query to a *.zonagolpeada .com .ar domain (info.rules)
  • 2064361 - ET INFO DYNAMIC_DNS HTTP Request to a *.zonagolpeada .com .ar domain (info.rules)
  • 2064362 - ET INFO DYNAMIC_DNS Query to a *.xmpc .com .ar domain (info.rules)
  • 2064363 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (email .directoryindustry .com) (malware.rules)
  • 2064364 - ET INFO DYNAMIC_DNS HTTP Request to a *.xmpc .com .ar domain (info.rules)
  • 2064365 - ET INFO DYNAMIC_DNS Query to a *.vacantcranium .net domain (info.rules)
  • 2064366 - ET INFO DYNAMIC_DNS HTTP Request to a *.vacantcranium .net domain (info.rules)
  • 2064367 - ET INFO DYNAMIC_DNS Query to a *.toconline .ch domain (info.rules)
  • 2064368 - ET INFO DYNAMIC_DNS HTTP Request to a *.toconline .ch domain (info.rules)
  • 2064369 - ET INFO DYNAMIC_DNS Query to a *.rufinocabrera .cl domain (info.rules)
  • 2064370 - ET INFO DYNAMIC_DNS HTTP Request to a *.rufinocabrera .cl domain (info.rules)
  • 2064371 - ET INFO DYNAMIC_DNS Query to a *.vvvrm .net domain (info.rules)
  • 2064372 - ET INFO DYNAMIC_DNS HTTP Request to a *.vvvrm .net domain (info.rules)
  • 2064373 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (choutek .com) (exploit_kit.rules)
  • 2064374 - ET EXPLOIT_KIT LandUpdate808 Domain (choutek .com) in TLS SNI (exploit_kit.rules)
  • 2064375 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (digitbasket .com) (malware.rules)
  • 2064376 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (digitbasket .com) in TLS SNI (malware.rules)
  • 2064377 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (iaed .link) (malware.rules)
  • 2064378 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (iaed .link) in TLS SNI (malware.rules)
  • 2064379 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lzh .fr) (malware.rules)
  • 2064380 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lzh .fr) in TLS SNI (malware.rules)
  • 2064381 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marvelvod .com) (malware.rules)
  • 2064382 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marvelvod .com) in TLS SNI (malware.rules)
  • 2064383 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (phoenix-brands .dev) (malware.rules)
  • 2064384 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (phoenix-brands .dev) in TLS SNI (malware.rules)
  • 2064385 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pyscalp .com) (malware.rules)
  • 2064386 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pyscalp .com) in TLS SNI (malware.rules)
  • 2064387 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (streamin .style) (malware.rules)
  • 2064388 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (streamin .style) in TLS SNI (malware.rules)
  • 2064389 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voando26 .com) (malware.rules)
  • 2064390 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (voando26 .com) in TLS SNI (malware.rules)
  • 2064391 - ET MALWARE GhostRedirector Rungan Backdoor Access M1 (malware.rules)
  • 2064392 - ET MALWARE GhostRedirector Rungan Backdoor Access M2 (malware.rules)
  • 2064393 - ET MALWARE GhostRedirector Rungan Backdoor Access M3 (malware.rules)
  • 2064394 - ET MALWARE GhostRedirector Rungan Backdoor Access M4 (malware.rules)
  • 2064395 - ET MALWARE GhostRedirector CnC Domain in DNS Lookup (868id .com) (malware.rules)
  • 2064396 - ET MALWARE GhostRedirector CnC Domain in DNS Lookup (822th .com) (malware.rules)
  • 2064397 - ET MALWARE GhostRedirector CnC Domain in DNS Lookup (cs01 .shop) (malware.rules)
  • 2064398 - ET MALWARE GhostRedirector CnC Domain in DNS Lookup (881vn .com) (malware.rules)
  • 2064399 - ET MALWARE Observed GhostRedirector Domain (868id .com) in TLS SNI (malware.rules)
  • 2064400 - ET MALWARE Observed GhostRedirector Domain (822th .com) in TLS SNI (malware.rules)
  • 2064401 - ET MALWARE Observed GhostRedirector Domain (cs01 .shop) in TLS SNI (malware.rules)
  • 2064402 - ET MALWARE Observed GhostRedirector Domain (881vn .com) in TLS SNI (malware.rules)

Pro:

  • 2864479 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2035031 - ET MALWARE StrifeWater Rat CnC Activity (malware.rules)
  • 2035034 - ET PHISHING DAWN Comment in Phish Landing Page 2022-02-01 (phishing.rules)
  • 2035040 - ET MALWARE StrifeWater RAT CnC Activity M2 (malware.rules)
  • 2035041 - ET MALWARE Win32/Variant.Zusy.402698 Checkin (malware.rules)
  • 2035043 - ET MALWARE Likely Geodo/Emotet Downloading PE (malware.rules)
  • 2035050 - ET MALWARE W32/Emotet.v4 Checkin 3 (malware.rules)
  • 2035064 - ET MALWARE Office Macro Emotet Download URI Nov 24 2021 (malware.rules)
  • 2035065 - ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response (malware.rules)
  • 2035097 - ET ADWARE_PUP Win32/GameHack.ADW CnC Activity (adware_pup.rules)
  • 2035098 - ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity (malware.rules)
  • 2035099 - ET MALWARE Win32/Pteranodon CnC Exfil (POST) (malware.rules)
  • 2035117 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035131 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035132 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035139 - ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) (info.rules)
  • 2035166 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035167 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035168 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035169 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035170 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035175 - ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com) (malware.rules)
  • 2035184 - ET MALWARE Go/Anubis Registration Activity (malware.rules)
  • 2035185 - ET MALWARE Go/Anubis CnC Activity (POST) (malware.rules)
  • 2035188 - ET MALWARE Win32/Spy.Socelars.S CnC Activity M4 (GET) (malware.rules)
  • 2035190 - ET INFO Observed Let’s Encrypt Certificate from Active Intermediate, R3 (info.rules)
  • 2035191 - ET INFO Observed Let’s Encrypt Certificate from Active Intermediate, E1 (info.rules)
  • 2035192 - ET INFO Observed Let’s Encrypt Certificate from Backup Intermediate, R4 (info.rules)
  • 2035193 - ET INFO Observed Let’s Encrypt Certificate from Backup Intermediate, E2 (info.rules)
  • 2035197 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035198 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035199 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035200 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035207 - ET MALWARE MSIL/GenKryptik.FQRH Download Request (malware.rules)
  • 2035210 - ET MALWARE MosesStaff APT Related Activity (POST) (malware.rules)
  • 2035211 - ET MALWARE Win32/QuasarRAT CnC Traffic (malware.rules)
  • 2035221 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035222 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035253 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035254 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035255 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035256 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035257 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035265 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035266 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035267 - ET MALWARE Gamaredon Maldoc Activity (GET) (malware.rules)
  • 2035291 - ET MALWARE Malicious Downloader Activity (GET) (malware.rules)
  • 2035292 - ET MALWARE Suspected PlugX Checkin Activity (GET) (malware.rules)
  • 2035293 - ET MALWARE PlugX Activity (POST) (malware.rules)
  • 2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)
  • 2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)
  • 2035308 - ET MALWARE Suspected PlugX Checkin Activity (udp) (malware.rules)
  • 2035346 - ET PHISHING Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI) (phishing.rules)
  • 2035347 - ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI) (phishing.rules)
  • 2035348 - ET PHISHING Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI) (phishing.rules)
  • 2035360 - ET MALWARE SunSeed Lua Downloader Activity (GET) (malware.rules)
  • 2035361 - ET MALWARE SunSeed Downloader Retrieving Binary (set) (malware.rules)
  • 2035362 - ET MALWARE SunSeed Download Retrieving Binary (malware.rules)
  • 2035364 - ET MALWARE MuddyWater APT Related Telegram Activity (malware.rules)
  • 2035368 - ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin (malware.rules)
  • 2035374 - ET MALWARE Kimsuky APT BabyShark/SHARPEXT Related Domain in DNS Lookup (worldinfocontact .club) (malware.rules)
  • 2035375 - ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035396 - ET HUNTING Multiple User-Agent Components in a single UA (hunting.rules)
  • 2035400 - ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2 (malware.rules)
  • 2035404 - ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online) (malware.rules)
  • 2035405 - ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08 (phishing.rules)
  • 2035406 - ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08 (phishing.rules)
  • 2035407 - ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST) (malware.rules)
  • 2035408 - ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST) (malware.rules)
  • 2035421 - ET MALWARE Win32/ArmyOfUkraine Bot Activity (malware.rules)
  • 2035425 - ET MALWARE MuddyWater APT Related Activity (POST) (malware.rules)
  • 2035426 - ET MALWARE MuddyWater APT Related Activity (GET) (malware.rules)
  • 2035449 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035567 - ET MALWARE ConPtyShell Server Close Shell (malware.rules)
  • 2035604 - ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain (malware.rules)
  • 2036365 - ET MALWARE Innostealer Domain in DNS Lookup (windows11-infoserver .com) (malware.rules)
  • 2851042 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
  • 2851043 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M1 (malware.rules)
  • 2851096 - ETPRO PHISHING Successful ALPHA Credential Phish M1 2022-02-10 (phishing.rules)
  • 2851113 - ETPRO MALWARE Win32/Induc.A CnC Activity (GET) (malware.rules)
  • 2851114 - ETPRO MALWARE Win32/OnlyLogger Connectivity Check M2 (malware.rules)
  • 2851131 - ETPRO MALWARE FinderBot Checkin/Requesting Payload M2 (malware.rules)
  • 2851152 - ETPRO MALWARE Koadic CnC Activity (POST) (malware.rules)
  • 2851180 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
  • 2851205 - ETPRO MALWARE Win32/LokiBot Payload Download Request M1 (malware.rules)
  • 2851206 - ETPRO MALWARE Win32/LokiBot Payload Download Request M2 (malware.rules)
  • 2851217 - ETPRO MALWARE Win32/PennyWise Stealer Exfil Via Telegram (malware.rules)
  • 2851232 - ETPRO MALWARE Browser Data Exfil Via Telegram (malware.rules)
  • 2851233 - ETPRO MALWARE YouTube Profile Exfil Via Telegram (malware.rules)
  • 2851234 - ETPRO MALWARE Crypto Wallet Exfil Via Telegram (malware.rules)
  • 2851244 - ETPRO MALWARE Win32/Packed.BlackMoon.A Arguments Fetch (malware.rules)
  • 2851293 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake MalwareBytes AV) (malware.rules)
  • 2851580 - ETPRO MALWARE Win32/Trojan.Agent.FRPG Exfil Activity (POST) (malware.rules)