Ruleset Update Summary - 2025/09/12 - v11014

Ruleset Updates
1

Summary:

44 new OPEN, 53 new PRO (44 + 9)

Added rules:

Open:

  • 2064578 - ET INFO DYNAMIC_DNS Query to a *.o-rg .net domain (info.rules)
  • 2064579 - ET INFO DYNAMIC_DNS HTTP Request to a *.o-rg .net domain (info.rules)
  • 2064580 - ET INFO DYNAMIC_DNS Query to a *.lyxcorp .com domain (info.rules)
  • 2064581 - ET INFO DYNAMIC_DNS HTTP Request to a *.lyxcorp .com domain (info.rules)
  • 2064582 - ET INFO DYNAMIC_DNS Query to a *.art-motel .com domain (info.rules)
  • 2064583 - ET INFO DYNAMIC_DNS HTTP Request to a *.art-motel .com domain (info.rules)
  • 2064584 - ET INFO DYNAMIC_DNS Query to a *.bernhard-rau .com domain (info.rules)
  • 2064585 - ET INFO DYNAMIC_DNS HTTP Request to a *.bernhard-rau .com domain (info.rules)
  • 2064586 - ET INFO DYNAMIC_DNS Query to a *.qs0 .de domain (info.rules)
  • 2064587 - ET INFO DYNAMIC_DNS HTTP Request to a *.qs0 .de domain (info.rules)
  • 2064588 - ET INFO DYNAMIC_DNS Query to a *.bernhard-rau .de domain (info.rules)
  • 2064589 - ET INFO DYNAMIC_DNS HTTP Request to a *.bernhard-rau .de domain (info.rules)
  • 2064590 - ET INFO DYNAMIC_DNS Query to a *.enenet .co .uk domain (info.rules)
  • 2064591 - ET INFO DYNAMIC_DNS HTTP Request to a *.enenet .co .uk domain (info.rules)
  • 2064592 - ET INFO DYNAMIC_DNS Query to a *.u-resort .com domain (info.rules)
  • 2064593 - ET INFO DYNAMIC_DNS HTTP Request to a *.u-resort .com domain (info.rules)
  • 2064594 - ET MALWARE Oyster Backdoor Domain (updaterputty .com) in DNS Lookup (malware.rules)
  • 2064595 - ET MALWARE Oyster Backdoor Domain (zephyrhype .com) in DNS Lookup (malware.rules)
  • 2064596 - ET MALWARE Oyster Backdoor Domain (www-putty .com) in DNS Lookup (malware.rules)
  • 2064597 - ET MALWARE Oyster Backdoor Domain (daniellaurel .tv) in DNS Lookup (malware.rules)
  • 2064598 - ET MALWARE Oyster Backdoor Domain (bjxqd .com) in DNS Lookup (malware.rules)
  • 2064599 - ET MALWARE Oyster Backdoor Domain (funkyfirmware .com) in DNS Lookup (malware.rules)
  • 2064600 - ET MALWARE Oyster Backdoor Domain (daringdatadaredevils .com) in DNS Lookup (malware.rules)
  • 2064601 - ET MALWARE Oyster Backdoor Domain (putty .bet) in DNS Lookup (malware.rules)
  • 2064602 - ET MALWARE Oyster Backdoor Domain (putty .run) in DNS Lookup (malware.rules)
  • 2064603 - ET MALWARE Oyster Backdoor Domain (microsoft-teams-download .com) in DNS Lookup (malware.rules)
  • 2064604 - ET MALWARE Oyster Backdoor Domain (cyberneticodyssey .com) in DNS Lookup (malware.rules)
  • 2064605 - ET MALWARE Oyster Backdoor Domain (datadrivendreamers .com) in DNS Lookup (malware.rules)
  • 2064606 - ET MALWARE Oyster Backdoor Domain (ruben .findinit .com) in DNS Lookup (malware.rules)
  • 2064607 - ET MALWARE Oyster Backdoor Domain (putty .us .com) in DNS Lookup (malware.rules)
  • 2064608 - ET MALWARE Observed Oyster Backdoor Domain (updaterputty .com) in TLS SNI (malware.rules)
  • 2064609 - ET MALWARE Observed Oyster Backdoor Domain (zephyrhype .com) in TLS SNI (malware.rules)
  • 2064610 - ET MALWARE Observed Oyster Backdoor Domain (www-putty .com) in TLS SNI (malware.rules)
  • 2064611 - ET MALWARE Observed Oyster Backdoor Domain (daniellaurel .tv) in TLS SNI (malware.rules)
  • 2064612 - ET MALWARE Observed Oyster Backdoor Domain (bjxqd .com) in TLS SNI (malware.rules)
  • 2064613 - ET MALWARE Observed Oyster Backdoor Domain (funkyfirmware .com) in TLS SNI (malware.rules)
  • 2064614 - ET MALWARE Observed Oyster Backdoor Domain (daringdatadaredevils .com) in TLS SNI (malware.rules)
  • 2064615 - ET MALWARE Observed Oyster Backdoor Domain (putty .bet) in TLS SNI (malware.rules)
  • 2064616 - ET MALWARE Observed Oyster Backdoor Domain (putty .run) in TLS SNI (malware.rules)
  • 2064617 - ET MALWARE Observed Oyster Backdoor Domain (microsoft-teams-download .com) in TLS SNI (malware.rules)
  • 2064618 - ET MALWARE Observed Oyster Backdoor Domain (cyberneticodyssey .com) in TLS SNI (malware.rules)
  • 2064619 - ET MALWARE Observed Oyster Backdoor Domain (datadrivendreamers .com) in TLS SNI (malware.rules)
  • 2064620 - ET MALWARE Observed Oyster Backdoor Domain (ruben .findinit .com) in TLS SNI (malware.rules)
  • 2064621 - ET MALWARE Observed Oyster Backdoor Domain (putty .us .com) in TLS SNI (malware.rules)

Pro:

  • 2864568 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864569 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864570 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864571 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864572 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864573 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864574 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864575 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864576 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2032318 - ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP) (malware.rules)
  • 2032343 - ET MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2032763 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15 (phishing.rules)
  • 2032764 - ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15 (exploit_kit.rules)
  • 2032765 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15 (phishing.rules)
  • 2032779 - ET HUNTING Malformed Domain Name in DNS Query (Domain Length Exceeds 253 Bytes) (hunting.rules)
  • 2032847 - ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup) (mobile_malware.rules)
  • 2032893 - ET MALWARE Observed DNS Query to Buer - DomainInfo Domain (malware.rules)
  • 2032908 - ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1 (malware.rules)
  • 2032909 - ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2 (malware.rules)
  • 2032914 - ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (malware.rules)
  • 2033242 - ET MALWARE Mirai pTea Variant - Attack Command Outbound (malware.rules)
  • 2033720 - ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity (malware.rules)
  • 2847831 - ETPRO MALWARE Campo Loader CnC Checkin (malware.rules)
  • 2847971 - ETPRO MALWARE MSIL/Agent.UL Variant CnC Activity (malware.rules)
  • 2848101 - ETPRO MALWARE MSIL/Browsstl.GA!MTB Stealer CnC Exfil (malware.rules)
  • 2848197 - ETPRO MALWARE Win32/Woreflint Activity (POST) (malware.rules)
  • 2848200 - ETPRO MALWARE RedLine - GetUpdates Request (malware.rules)
  • 2848217 - ETPRO MALWARE Unk.MalDoc CnC Exfil (malware.rules)
  • 2848280 - ETPRO MALWARE Unk.Shellcode Loader Inbound (malware.rules)
  • 2848345 - ETPRO MALWARE MSIL/NM.Stealer CnC Data Exfil (malware.rules)
  • 2848373 - ETPRO MALWARE MSIL/HELLRAZOR Stealer CnC Exfil (malware.rules)
  • 2848382 - ETPRO MOBILE_MALWARE Android Finspy Activity - SET (mobile_malware.rules)
  • 2848383 - ETPRO MOBILE_MALWARE Android Finspy Activity (mobile_malware.rules)
  • 2848407 - ETPRO MALWARE RatraDownloader Activity (malware.rules)
  • 2848416 - ETPRO MALWARE Avalon Stealer Variant CnC Exfil (malware.rules)
  • 2849197 - ETPRO HUNTING Inbound Batch Script Deleting Log Files (hunting.rules)