Summary:
26 new OPEN, 30 new PRO (26 + 4)
Thanks @osint_barbie
Added rules:
Open:
- 2064776 - ET MALWARE FrigidBackdoor Health Check (malware.rules)
- 2064777 - ET MALWARE FrigidBackdoor Exfil Zip (malware.rules)
- 2064778 - ET MALWARE FrigidBackdoor Request ZIP (malware.rules)
- 2064779 - ET MALWARE FrigidBackdoor Log Results (malware.rules)
- 2064780 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in DNS Lookup (00704ae865ee .ngrok .app) (exploit_kit.rules)
- 2064781 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in TLS SNI (00704ae865ee .ngrok .app) (exploit_kit.rules)
- 2064782 - ET INFO DYNAMIC_DNS Query to a *.premnewar .com .np domain (info.rules)
- 2064783 - ET INFO DYNAMIC_DNS HTTP Request to a *.premnewar .com .np domain (info.rules)
- 2064784 - ET INFO DYNAMIC_DNS Query to a *.carluciocruzfotografia .com .br domain (info.rules)
- 2064785 - ET INFO DYNAMIC_DNS HTTP Request to a *.carluciocruzfotografia .com .br domain (info.rules)
- 2064786 - ET INFO DYNAMIC_DNS Query to a *.sojda .org domain (info.rules)
- 2064787 - ET INFO DYNAMIC_DNS HTTP Request to a *.sojda .org domain (info.rules)
- 2064788 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (lehmanpipe .com) (exploit_kit.rules)
- 2064789 - ET EXPLOIT_KIT Observed ClickFix Domain (lehmanpipe .com in TLS SNI) (exploit_kit.rules)
- 2064790 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (external .eliteworkxmarketing .com) (malware.rules)
- 2064791 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (schedule .eliteworkxmarketing .com) (malware.rules)
- 2064792 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (external .eliteworkxmarketing .com) (malware.rules)
- 2064793 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (schedule .eliteworkxmarketing .com) (malware.rules)
- 2064794 - ET WEB_SPECIFIC_APPS D-Link set_server_settings Multiple Parameters Command Injection Attempt (CVE-2025-10634) (web_specific_apps.rules)
- 2064795 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (porsasystem .com) (exploit_kit.rules)
- 2064796 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (porsasystem .com) (exploit_kit.rules)
- 2064797 - ET WEB_SPECIFIC_APPS D-Link SSDP ST Header Command Injection Attempt (CVE-2025-10629) (web_specific_apps.rules)
- 2064798 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (retiregenz .com) (exploit_kit.rules)
- 2064799 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (retiregenz .com) (exploit_kit.rules)
- 2064800 - ET WEB_SPECIFIC_APPS D-Link hedwig.cgi (DEVICE.TIME) server XML Parameter Command Injection Attempt (CVE-2025-10628) (web_specific_apps.rules)
- 2064801 - ET WEB_SPECIFIC_APPS D-Link apply.cgi countdown_time Parameter Buffer Overflow Attempt (CVE-2025-10666) (web_specific_apps.rules)
Pro:
- 2864620 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2864621 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2864622 - ETPRO MALWARE Observed ClickFix Style URI in HTTP GET (malware.rules)
- 2864623 - ETPRO ATTACK_RESPONSE Shellcode Loader .ps1 Script Inbound (attack_response.rules)
Modified inactive rules:
- 2030183 - ET MALWARE BigLock Ransomware CnC Activity (gen) (malware.rules)
- 2030184 - ET MALWARE BigLock Ransomware CnC Activity (id) (malware.rules)
- 2030221 - ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617) (exploit.rules)
- 2030249 - ET WEB_CLIENT Cushion Redirection (web_client.rules)
- 2030342 - ET MOBILE_MALWARE ActionSpy CnC (POST) (mobile_malware.rules)
- 2030345 - ET SCAN Zmap User-Agent (Outbound) (scan.rules)
- 2030521 - ET INFO Suspicious HTTP GET Request on Port 53 Inbound (info.rules)
- 2842411 - ETPRO MALWARE Suspected MEDUSA RAT CnC Response (malware.rules)
- 2842432 - ETPRO HUNTING Suspected DNSTEAL DNS Traffic (hunting.rules)
- 2842774 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
- 2842822 - ETPRO MALWARE W32/Sofacy Variant Checkin (malware.rules)
- 2844197 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)