Ruleset Update Summary - 2025/09/10 - v11012

Ruleset Updates
1

Summary:

21 new OPEN, 40 new PRO (21 + 19)

Thanks @malware_traffic

Added rules:

Open:

  • 2064520 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (chat .pgcountyliving .com) (malware.rules)
  • 2064521 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (chat .pgcountyliving .com) (malware.rules)
  • 2064522 - ET INFO DYNAMIC_DNS Query to a *.xenor .ro domain (info.rules)
  • 2064523 - ET INFO DYNAMIC_DNS HTTP Request to a *.xenor .ro domain (info.rules)
  • 2064524 - ET INFO DYNAMIC_DNS Query to a *.certified .cl domain (info.rules)
  • 2064525 - ET INFO DYNAMIC_DNS HTTP Request to a *.certified .cl domain (info.rules)
  • 2064526 - ET INFO DYNAMIC_DNS Query to a *.abbotsfordhallforhire .org .au domain (info.rules)
  • 2064527 - ET INFO DYNAMIC_DNS HTTP Request to a *.abbotsfordhallforhire .org .au domain (info.rules)
  • 2064528 - ET INFO DYNAMIC_DNS Query to a *.xeonxu .info domain (info.rules)
  • 2064529 - ET INFO DYNAMIC_DNS HTTP Request to a *.xeonxu .info domain (info.rules)
  • 2064530 - ET INFO DYNAMIC_DNS Query to a *.dadyal .pk domain (info.rules)
  • 2064531 - ET INFO DYNAMIC_DNS HTTP Request to a *.dadyal .pk domain (info.rules)
  • 2064532 - ET INFO DYNAMIC_DNS Query to a *.sch-design .com .ar domain (info.rules)
  • 2064533 - ET INFO DYNAMIC_DNS HTTP Request to a *.sch-design .com .ar domain (info.rules)
  • 2064534 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rfwklaw .com) (exploit_kit.rules)
  • 2064535 - ET EXPLOIT_KIT LandUpdate808 Domain (rfwklaw .com) in TLS SNI (exploit_kit.rules)
  • 2064536 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (consnbx .su) (malware.rules)
  • 2064537 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (consnbx .su) in TLS SNI (malware.rules)
  • 2064538 - ET MALWARE Lumma Stealer Victim Profile Exfil (malware.rules)
  • 2064539 - ET MALWARE TinyNuke Checkin via Telegram (malware.rules)
  • 2064540 - ET MALWARE TinyNuke Exfil User Profile via Telegram (malware.rules)

Pro:

  • 2864541 - ETPRO MALWARE Observed DNS Query to TA425/DonutLoader Domain (malware.rules)
  • 2864542 - ETPRO MALWARE Observed DNS Query to TA425/DonutLoader Domain (malware.rules)
  • 2864543 - ETPRO MALWARE Observed DNS Query to TA425/DonutLoader Domain (malware.rules)
  • 2864544 - ETPRO MALWARE Observed DNS Query to TA425/DonutLoader Domain (malware.rules)
  • 2864545 - ETPRO MALWARE Observed TA425/DonutLoader Domain in TLS SNI (malware.rules)
  • 2864546 - ETPRO MALWARE Observed TA425/DonutLoader Domain in TLS SNI (malware.rules)
  • 2864547 - ETPRO MALWARE Observed TA425/DonutLoader Domain in TLS SNI (malware.rules)
  • 2864548 - ETPRO MALWARE Observed TA425/DonutLoader Domain in TLS SNI (malware.rules)
  • 2864549 - ETPRO MALWARE Observed TA425/DonutLoader URI Pattern (malware.rules)
  • 2864550 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864551 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864552 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864553 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864554 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864555 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864556 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864557 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864558 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864559 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2033182 - ET MALWARE ChaChi RAT Client CnC (POST) (malware.rules)
  • 2033183 - ET MALWARE ChaChi RAT Server Response (malware.rules)
  • 2033184 - ET MALWARE ChaChi RAT Client CnC (POST) (malware.rules)
  • 2033185 - ET HUNTING Suspected DNS CnC via TXT queries (hunting.rules)
  • 2033198 - ET MALWARE APT-C-23 Activity (GET) (malware.rules)
  • 2033243 - ET MALWARE Mirai pTea Variant - Attack Command Inbound (malware.rules)
  • 2033247 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1 (policy.rules)
  • 2033274 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2 (policy.rules)
  • 2033275 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3 (policy.rules)
  • 2033276 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4 (policy.rules)
  • 2033364 - ET MALWARE Suspected DonotGroup Dropper Telegram API Activity (malware.rules)
  • 2048337 - ET EXPLOIT_KIT ScamClub Domain in DNS Lookup (Namecheap Inc .) (exploit_kit.rules)
  • 2849002 - ETPRO MALWARE Unk Rootkit Receiving IP Redirect Config (malware.rules)
  • 2849201 - ETPRO ADWARE_PUP SafeCleaner Activity (POST) (adware_pup.rules)
  • 2849254 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2849303 - ETPRO POLICY [MS-SRVS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849304 - ETPRO POLICY [MS-SRVS] Microsoft Server Service Remote Protocol Activity - NetShareEnumAll (policy.rules)
  • 2849335 - ETPRO POLICY [MS-RPRN/SPOOLSS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849390 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M3 (policy.rules)
  • 2849392 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M5 (policy.rules)
  • 2849396 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M4 (policy.rules)
  • 2849397 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M5 (policy.rules)