Ruleset Update Summary - 2025/09/19 - v11020

Summary:

17 new OPEN, 23 new PRO (17 + 6)

Thanks @rapid7
Added rules:

Open:

  • 2064802 - ET MALWARE Filch Stealer CnC Checkin (malware.rules)
  • 2064803 - ET MALWARE Filch Stealer CnC Domain in DNS Lookup (cmb8k1nbj000008l1api07o0n .info) (malware.rules)
  • 2064804 - ET MALWARE Observed Filch Stealer Domain (cmb8k1nbj000008l1api07o0n .info) in TLS SNI (malware.rules)
  • 2064805 - ET WEB_SPECIFIC_APPS Tenda SetIPTVCfg list Parameter Command Injection Attempt (CVE-2025-57296) (web_specific_apps.rules)
  • 2064806 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (jtcipher .com) (exploit_kit.rules)
  • 2064807 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (modestknollpartners .com) (exploit_kit.rules)
  • 2064808 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (jtcipher .com) (exploit_kit.rules)
  • 2064809 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (modestknollpartners .com) (exploit_kit.rules)
  • 2064810 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2064811 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2064812 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2064813 - ET EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2064814 - ET EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2064815 - ET EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2064816 - ET MALWARE Prince Ransomware GET Wallpaper M1 (malware.rules)
  • 2064817 - ET MALWARE Prince Ransomware GET Wallpaper M2 (malware.rules)
  • 2064818 - ET MALWARE Prince Ransomware GET Wallpaper M3 (malware.rules)

Pro:

  • 2864624 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864625 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864626 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2864627 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
  • 2864628 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
  • 2864629 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2029745 - ET POLICY File Downloaded via ge.tt Filesharing Service (policy.rules)
  • 2029765 - ET MOBILE_MALWARE Android Lightspy Implant CnC (mobile_malware.rules)
  • 2029910 - ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com (malware.rules)
  • 2029931 - ET MALWARE 401TRG SMB Create AndX Request For Emotet Spreader (malware.rules)
  • 2030055 - ET MALWARE NAZAR EYService Pong response (malware.rules)
  • 2030056 - ET MALWARE NAZAR EYService OSInfo response (malware.rules)
  • 2030057 - ET MALWARE NAZAR EYService File exfiltrate response (malware.rules)
  • 2841409 - ETPRO MALWARE Win32/Injector.EKXA Variant CnC Activity (malware.rules)
  • 2841439 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2842260 - ETPRO HUNTING Generic Ping Keep-Alive Outbound M1 (hunting.rules)
  • 2842269 - ETPRO HUNTING Generic Ping Keep-Alive Inbound M1 (hunting.rules)
  • 2842302 - ETPRO MALWARE Observed Malicious SSL Cert (Strongpity CnC) (malware.rules)
  • 2844194 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)