Ruleset Update Summary - 2025/09/17 - v11018

Summary:

40 new OPEN, 43 new PRO (40 + 3)

Added rules:

Open:

  • 2064736 - ET MALWARE VampireBot CnC Instruction Request (GET) (malware.rules)
  • 2064737 - ET MALWARE VampireBot CnC Config Inbound (malware.rules)
  • 2064738 - ET MALWARE VampireBot CnC ScreenCapture Exfil (POST) (malware.rules)
  • 2064739 - ET MALWARE VampireBot CnC Task Request (GET) (malware.rules)
  • 2064740 - ET MALWARE FrigidStealer AppleScript Payload (malware.rules)
  • 2064741 - ET INFO DYNAMIC_DNS Query to a *.litos .co .uk domain (info.rules)
  • 2064742 - ET INFO DYNAMIC_DNS HTTP Request to a *.litos .co .uk domain (info.rules)
  • 2064743 - ET INFO DYNAMIC_DNS Query to a *.hippocentre .ru domain (info.rules)
  • 2064744 - ET INFO DYNAMIC_DNS HTTP Request to a *.hippocentre .ru domain (info.rules)
  • 2064745 - ET INFO DYNAMIC_DNS Query to a *.rkumar .com .np domain (info.rules)
  • 2064746 - ET INFO DYNAMIC_DNS HTTP Request to a *.rkumar .com .np domain (info.rules)
  • 2064747 - ET INFO DYNAMIC_DNS Query to a *.intinet .com .ar domain (info.rules)
  • 2064748 - ET INFO DYNAMIC_DNS HTTP Request to a *.intinet .com .ar domain (info.rules)
  • 2064749 - ET INFO DYNAMIC_DNS Query to a *.euro-line .hu domain (info.rules)
  • 2064750 - ET INFO DYNAMIC_DNS HTTP Request to a *.euro-line .hu domain (info.rules)
  • 2064751 - ET INFO DYNAMIC_DNS Query to a *.insuter .com .ar domain (info.rules)
  • 2064752 - ET INFO DYNAMIC_DNS HTTP Request to a *.insuter .com .ar domain (info.rules)
  • 2064753 - ET INFO DYNAMIC_DNS Query to a *.gauravn .com .np domain (info.rules)
  • 2064754 - ET INFO DYNAMIC_DNS HTTP Request to a *.gauravn .com .np domain (info.rules)
  • 2064755 - ET INFO DYNAMIC_DNS Query to a *.vlaves .bg domain (info.rules)
  • 2064756 - ET INFO DYNAMIC_DNS HTTP Request to a *.vlaves .bg domain (info.rules)
  • 2064757 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yunded .com) (malware.rules)
  • 2064758 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yunded .com) in TLS SNI (malware.rules)
  • 2064759 - ET HUNTING Powershell ScheduledTasks cmdlet New-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064760 - ET HUNTING Powershell ScheduledTasks cmdlet Register-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064761 - ET HUNTING Powershell ScheduledTasks cmdlet Set-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064762 - ET HUNTING Powershell ScheduledTasks cmdlet Enable-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064763 - ET HUNTING Powershell ScheduledTasks cmdlet Disable-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064764 - ET HUNTING Powershell ScheduledTasks cmdlet Get-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064765 - ET HUNTING Powershell ScheduledTasks cmdlet Start-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064766 - ET HUNTING Powershell ScheduledTasks cmdlet Stop-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064767 - ET HUNTING Powershell ScheduledTasks cmdlet Unregister-ScheduledTask command in HTTP Body Response (hunting.rules)
  • 2064768 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mersinet .com) (exploit_kit.rules)
  • 2064769 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (joebesser .com) (exploit_kit.rules)
  • 2064770 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mersinet .com) (exploit_kit.rules)
  • 2064771 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (joebesser .com) (exploit_kit.rules)
  • 2064772 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (edge .lugerd .com) (malware.rules)
  • 2064773 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (alpha .lugerd .com) (malware.rules)
  • 2064774 - ET MALWARE FrigidBackdoor Exfil Victim Machine Profile (malware.rules)
  • 2064775 - ET MALWARE FrigidBackdoor Checkin (malware.rules)

Pro:

  • 2864600 - ETPRO EXPLOIT_KIT Observed DNS Query to ClearFake Domain (exploit_kit.rules)
  • 2864601 - ETPRO EXPLOIT_KIT Observed ClearFake Domain in TLS SNI (exploit_kit.rules)
  • 2864602 - ETPRO ATTACK_RESPONSE Observed ClearFake JavaScript Inject (attack_response.rules)

Modified inactive rules:

  • 2030366 - ET JA3 Hash - Possible POSHC2 Client CnC (ja3.rules)
  • 2030367 - ET JA3 Hash - Possible POSHC2 Server Response (ja3.rules)
  • 2030377 - ET MALWARE Operation Interception Payload CnC Checkin (malware.rules)
  • 2030520 - ET INFO Suspicious HTTP GET Request on Port 53 Outbound (info.rules)
  • 2030522 - ET INFO Suspicious HTTP POST Request on Port 53 Outbound (info.rules)
  • 2030523 - ET INFO Suspicious HTTP POST Request on Port 53 Inbound (info.rules)
  • 2030528 - ET MALWARE EvilNum CnC Client Data Exfil (malware.rules)
  • 2030555 - ET INFO Outbound RRSIG DNS Query Observed (info.rules)
  • 2030614 - ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30) (malware.rules)
  • 2030728 - ET MALWARE Suspected Zebrocy Downloader Traffic (malware.rules)
  • 2843255 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2843260 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2843276 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
  • 2843287 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
  • 2843643 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
  • 2843654 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
  • 2843727 - ETPRO HUNTING Kerberos Principal Unknown Flood (hunting.rules)
  • 2844189 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844190 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844195 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844196 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844198 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2064267 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (prototypechain .com) (malware.rules)
  • 2064270 - ET MALWARE TA569 Staging Server Domain in TLS SNI (prototypechain .com) (malware.rules)