Ruleset Update Summary - 2025/09/16 - v11016

rulesbot · September 16, 2025, 8:21pm

Summary:

43 new OPEN, 53 new PRO (43 + 10)

Thanks @aryakanetworks

Added rules:

Open:

2064265 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascriptbasics .com) (exploit_kit.rules)
2064266 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (es6featureshub .com) (exploit_kit.rules)
2064268 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascriptbasics .com) (exploit_kit.rules)
2064269 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (es6featureshub .com) (exploit_kit.rules)
2064276 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (typescripttools .com) (exploit_kit.rules)
2064277 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (typescripttools .com) (exploit_kit.rules)
2064698 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (promiseallrace .com) (exploit_kit.rules)
2064699 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (prototypechain .com) (exploit_kit.rules)
2064700 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (debuggingscripts .com) (exploit_kit.rules)
2064701 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (eventdelegationhq .com) (exploit_kit.rules)
2064702 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (proxyreflecttools .com) (exploit_kit.rules)
2064703 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (generatoryieldlab .com) (exploit_kit.rules)
2064704 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (promiseallrace .com) (exploit_kit.rules)
2064705 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (prototypechain .com) (exploit_kit.rules)
2064706 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (debuggingscripts .com) (exploit_kit.rules)
2064707 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (eventdelegationhq .com) (exploit_kit.rules)
2064708 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (proxyreflecttools .com) (exploit_kit.rules)
2064709 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (generatoryieldlab .com) (exploit_kit.rules)
2064710 - ET WEB_SPECIFIC_APPS Edimax cgi_get Object Parameter Command Injection Attempt (CVE-2025-56706) (web_specific_apps.rules)
2064711 - ET WEB_SPECIFIC_APPS LG WebOS getFile path Parameter Directory Traversal Attempt (web_specific_apps.rules)
2064712 - ET MALWARE Observed DNS Query to BatShadow Related Domain (api3 .samsungcareers .work) (malware.rules)
2064713 - ET MALWARE Observed DNS Query to BatShadow Related Domain (jobs-marriott .com) (malware.rules)
2064714 - ET MALWARE Observed DNS Query to BatShadow Related Domain (samsung-work .com) (malware.rules)
2064715 - ET MALWARE Observed BatShadow Related Domain (api3 .samsungcareers .work in TLS SNI) (malware.rules)
2064716 - ET MALWARE Observed BatShadow Related Domain (jobs-marriott .com in TLS SNI) (malware.rules)
2064717 - ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M1 (web_specific_apps.rules)
2064718 - ET MALWARE Observed BatShadow Related Domain (samsung-work .com in TLS SNI) (malware.rules)
2064719 - ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M2 (web_specific_apps.rules)
2064720 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (* .kiwisandblasters .com) (malware.rules)
2064721 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (* .kiwisandblasters .com) (malware.rules)
2064722 - ET INFO DYNAMIC_DNS Query to a *.comit .com .ar domain (info.rules)
2064723 - ET INFO DYNAMIC_DNS HTTP Request to a *.comit .com .ar domain (info.rules)
2064724 - ET INFO DYNAMIC_DNS Query to a *.die-pichlers .at domain (info.rules)
2064725 - ET INFO DYNAMIC_DNS HTTP Request to a *.die-pichlers .at domain (info.rules)
2064726 - ET INFO DYNAMIC_DNS Query to a *.adutchmaninwalldorf .de domain (info.rules)
2064727 - ET INFO DYNAMIC_DNS HTTP Request to a *.adutchmaninwalldorf .de domain (info.rules)
2064728 - ET INFO DYNAMIC_DNS Query to a *.johngross .biz domain (info.rules)
2064729 - ET INFO DYNAMIC_DNS HTTP Request to a *.johngross .biz domain (info.rules)
2064730 - ET INFO DYNAMIC_DNS Query to a *.bukomp .ru domain (info.rules)
2064731 - ET INFO DYNAMIC_DNS HTTP Request to a *.bukomp .ru domain (info.rules)
2064732 - ET MALWARE VampireBot CnC Exfil (POST) (malware.rules)
2064733 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in DNS Lookup (plainfenassociates .com) (exploit_kit.rules)
2064734 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in TLS SNI (plainfenassociates .com) (exploit_kit.rules)

Pro:

2864589 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2864590 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2864591 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2864592 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2864593 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2864594 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2864595 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2864596 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2864597 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2864598 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

2030672 - ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP (malware.rules)
2030697 - ET MALWARE Suspected REDCURL CnC Activity M1 (malware.rules)
2030835 - ET USER_AGENTS Microsoft Malware Protection User-Agent Observed (user_agents.rules)
2030889 - ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2 (exploit.rules)
2844036 - ETPRO MALWARE Observed IcedID CnC Domain in TLS SNI (malware.rules)
2844191 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844192 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844193 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844467 - ETPRO ADWARE_PUP GKB Loader Config Download (adware_pup.rules)
2844482 - ETPRO HUNTING DNS Query Response (0.0.0.0) (hunting.rules)
2844562 - ETPRO USER_AGENTS Observed Malicious User-Agent (HttpRat) (user_agents.rules)
2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)
2844991 - ETPRO MALWARE Bazaloader Variant CnC Activity (malware.rules)

Removed rules:

2064265 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (javascriptbasics .com) (malware.rules)
2064266 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (es6featureshub .com) (malware.rules)
2064268 - ET MALWARE TA569 Staging Server Domain in TLS SNI (javascriptbasics .com) (malware.rules)
2064269 - ET MALWARE TA569 Staging Server Domain in TLS SNI (es6featureshub .com) (malware.rules)
2064276 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (typescripttools .com) (malware.rules)
2064277 - ET MALWARE TA569 Staging Server Domain in TLS SNI (typescripttools .com) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/04/21 - v10304 Ruleset Updates	1357	April 21, 2023
Ruleset Update Summary - 2025/03/10 - v10875 Ruleset Updates	138	March 10, 2025
Ruleset Update Summary - 2025/06/10 - v10947 Ruleset Updates	124	June 10, 2025
Ruleset Update Summary - 2024/06/07 - v10612 Ruleset Updates	303	June 7, 2024
Ruleset Update Summary - 2024/08/09 - v10663 Ruleset Updates	96	August 9, 2024

Ruleset Update Summary - 2025/09/16 - v11016

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Removed rules:

Related topics