Ruleset Update Summary - 2025/09/11 - v11013

Ruleset Updates
1

Summary:

37 new OPEN, 37 new PRO (37 + 0)

Thanks @malwrhunterteam

Added rules:

Open:

  • 2064541 - ET WEB_SPECIFIC_APPS D-Link yyxz.asp id Parameter Buffer Overflow Attempt (CVE-2025-9938) (web_specific_apps.rules)
  • 2064542 - ET HUNTING Possible schtasks create command in HTTP Body Response (hunting.rules)
  • 2064543 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (www .tagtech .in) (malware.rules)
  • 2064544 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (www .tagtech .in) (malware.rules)
  • 2064545 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mtmra .com) (exploit_kit.rules)
  • 2064546 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mtmra .com) (exploit_kit.rules)
  • 2064547 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (realty .yourpgcountyliving .com) (malware.rules)
  • 2064548 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (realty .yourpgcountyliving .com) (malware.rules)
  • 2064549 - ET INFO DYNAMIC_DNS Query to a *.mjfuentes .com domain (info.rules)
  • 2064550 - ET INFO DYNAMIC_DNS HTTP Request to a *.mjfuentes .com domain (info.rules)
  • 2064551 - ET INFO DYNAMIC_DNS Query to a *.shitstudent .com domain (info.rules)
  • 2064552 - ET INFO DYNAMIC_DNS HTTP Request to a *.shitstudent .com domain (info.rules)
  • 2064553 - ET INFO DYNAMIC_DNS Query to a *.douchisushi .com domain (info.rules)
  • 2064554 - ET INFO DYNAMIC_DNS HTTP Request to a *.douchisushi .com domain (info.rules)
  • 2064555 - ET INFO DYNAMIC_DNS Query to a *.viar3d .com domain (info.rules)
  • 2064556 - ET INFO DYNAMIC_DNS HTTP Request to a *.viar3d .com domain (info.rules)
  • 2064557 - ET INFO DYNAMIC_DNS Query to a *.fassen-shoes .com domain (info.rules)
  • 2064558 - ET INFO DYNAMIC_DNS HTTP Request to a *.fassen-shoes .com domain (info.rules)
  • 2064559 - ET INFO DYNAMIC_DNS Query to a *.digitalforest .my domain (info.rules)
  • 2064560 - ET INFO DYNAMIC_DNS HTTP Request to a *.digitalforest .my domain (info.rules)
  • 2064561 - ET INFO DYNAMIC_DNS Query to a *.cristianvaldes .com domain (info.rules)
  • 2064562 - ET INFO DYNAMIC_DNS HTTP Request to a *.cristianvaldes .com domain (info.rules)
  • 2064563 - ET INFO DYNAMIC_DNS Query to a *.knr .cl domain (info.rules)
  • 2064564 - ET INFO DYNAMIC_DNS HTTP Request to a *.knr .cl domain (info.rules)
  • 2064565 - ET INFO DYNAMIC_DNS Query to a *.mindboggle .us domain (info.rules)
  • 2064566 - ET INFO DYNAMIC_DNS HTTP Request to a *.mindboggle .us domain (info.rules)
  • 2064567 - ET INFO DYNAMIC_DNS Query to a *.wspaperbag .com domain (info.rules)
  • 2064568 - ET INFO DYNAMIC_DNS HTTP Request to a *.wspaperbag .com domain (info.rules)
  • 2064569 - ET INFO DYNAMIC_DNS Query to a *.rigaprecast .com domain (info.rules)
  • 2064570 - ET INFO DYNAMIC_DNS HTTP Request to a *.rigaprecast .com domain (info.rules)
  • 2064571 - ET INFO Observed TelegramNotify User-Agent Outbound (info.rules)
  • 2064572 - ET MALWARE Observed Compromised Domain Delivering PhantomStealer (patrickhicks .org) (malware.rules)
  • 2064573 - ET MALWARE Observed Compromised PhantomStealer Delivery Domain (patrickhicks .org in TLS SNI) (malware.rules)
  • 2064574 - ET INFO Observed DNS Query to Online Email Hosting Provider (mail .privateemail .com) (info.rules)
  • 2064575 - ET INFO Observed Online Email Hosting Provider Domain (mail .privateemail .com in TLS SNI) (info.rules)
  • 2064576 - ET INFO Observed DNS Query to Online PDF Viewer Domain (postoffice .adobe .com) (info.rules)
  • 2064577 - ET INFO Observed Online PDF Viewer Domain (postoffice .adobe .com in TLS SNI) (info.rules)

Modified inactive rules:

  • 2032942 - ET MALWARE Suspected SombRAT DNS Activity (TXT) (malware.rules)
  • 2032947 - ET MALWARE Ares Activity (POST) (malware.rules)
  • 2033021 - ET MALWARE Lemon_Duck Powershell CnC Activity M15 (malware.rules)
  • 2033022 - ET MALWARE Suspected Gootkit Activity (malware.rules)
  • 2033033 - ET MALWARE BazaLoader CnC Activity (malware.rules)
  • 2033044 - ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19 (malware.rules)
  • 2033109 - ET MALWARE ELF/Facefish Empty Payload (set) (malware.rules)
  • 2033110 - ET MALWARE ELF/Facefish Server Response (201) (malware.rules)
  • 2033111 - ET MALWARE ELF/Facefish Client Response (202) (malware.rules)
  • 2033112 - ET MALWARE ELF/Facefish Session Closing (400) (malware.rules)
  • 2033140 - ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign) (malware.rules)
  • 2036509 - ET MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
  • 2848460 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2848808 - ETPRO MALWARE ZiggyStealer CnC Activity (malware.rules)
  • 2848862 - ETPRO POLICY Outbound H.323 Q.931 INFORMATION Packet On High Port (policy.rules)
  • 2848863 - ETPRO POLICY Outbound H.323 Q.931 RELEASE COMPLETE Packet On High Port (policy.rules)
  • 2848864 - ETPRO POLICY Outbound H.323 Q.931 SETUP Packet On High Port (policy.rules)
  • 2848865 - ETPRO POLICY Outbound H.323 Q.931 CALL PROCEEDING Packet On High Port (policy.rules)
  • 2848866 - ETPRO POLICY Outbound H.323 Q.931 CONNECT Packet On High Port (policy.rules)
  • 2848867 - ETPRO POLICY Outbound H.323 Q.931 FACILITY Packet On High Port (policy.rules)
  • 2848894 - ETPRO POLICY Outbound H.323 Q.931 FACILITY Packet - Possible Low Port Slipstreaming Attempt (policy.rules)
  • 2848895 - ETPRO POLICY Inbound H.323 Q.931 FACILITY Packet - Possible Low Port Slipstreaming Attempt (policy.rules)
  • 2849067 - ETPRO MALWARE Observed Malicious SSL Cert (DCRAT Variant) (malware.rules)
  • 2849129 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx (policy.rules)
  • 2849196 - ETPRO HUNTING Inbound Batch Script Deleting IIS Log Directory (hunting.rules)

Disabled and modified rules:

  • 2063446 - ET PHISHING Tycoon2FA Phish Landing Page 2025-07-14 (phishing.rules)