Ruleset Update Summary - 2025/09/22 - v11021

Ruleset Updates
1

Summary:

36 new OPEN, 44 new PRO (36 + 8)

Added rules:

Open:

  • 2064819 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tripeggyun .fun) (malware.rules)
  • 2064820 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tripeggyun .fun) in TLS SNI (malware.rules)
  • 2064821 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (vps .denissalazar .com) (malware.rules)
  • 2064822 - ET MALWARE TA569 Staging Server Domain in TLS SNI (vps .denissalazar .com) (malware.rules)
  • 2064823 - ET INFO DYNAMIC_DNS Query to a *.coral-shop .ro domain (info.rules)
  • 2064824 - ET INFO DYNAMIC_DNS HTTP Request to a *.coral-shop .ro domain (info.rules)
  • 2064825 - ET INFO DYNAMIC_DNS Query to a *.jobvn .com domain (info.rules)
  • 2064826 - ET INFO DYNAMIC_DNS HTTP Request to a *.jobvn .com domain (info.rules)
  • 2064827 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bendavo .su) (malware.rules)
  • 2064828 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bendavo .su) in TLS SNI (malware.rules)
  • 2064829 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conxmsw .su) (malware.rules)
  • 2064830 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (conxmsw .su) in TLS SNI (malware.rules)
  • 2064831 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exposqw .su) (malware.rules)
  • 2064832 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exposqw .su) in TLS SNI (malware.rules)
  • 2064833 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (narroxp .su) (malware.rules)
  • 2064834 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (narroxp .su) in TLS SNI (malware.rules)
  • 2064835 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ozonelf .su) (malware.rules)
  • 2064836 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ozonelf .su) in TLS SNI (malware.rules)
  • 2064837 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (squatje .su) (malware.rules)
  • 2064838 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (squatje .su) in TLS SNI (malware.rules)
  • 2064839 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (squeaue .su) (malware.rules)
  • 2064840 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (squeaue .su) in TLS SNI (malware.rules)
  • 2064841 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vicareu .su) (malware.rules)
  • 2064842 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vicareu .su) in TLS SNI (malware.rules)
  • 2064843 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (docker .smashingboss .com) (malware.rules)
  • 2064844 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (ftp .smashingboss .com) (malware.rules)
  • 2064845 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (phpmyadmin .westinsinsurance .com) (malware.rules)
  • 2064846 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (storage .westinsinsurance .com) (malware.rules)
  • 2064847 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (docker .smashingboss .com) (malware.rules)
  • 2064848 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (ftp .smashingboss .com) (malware.rules)
  • 2064849 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (phpmyadmin .westinsinsurance .com) (malware.rules)
  • 2064850 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (storage .westinsinsurance .com) (malware.rules)
  • 2064851 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (neutralmarlservices .com) (exploit_kit.rules)
  • 2064852 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (commonloamprojects .com) (exploit_kit.rules)
  • 2064853 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (neutralmarlservices .com) (exploit_kit.rules)
  • 2064854 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (commonloamprojects .com) (exploit_kit.rules)

Pro:

  • 2864630 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864631 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864632 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864633 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864634 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864635 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864636 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864637 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2028367 - ET JA3 Hash - Possible Malware - Eitest Chrome Popup (ja3.rules)
  • 2028371 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update (ja3.rules)
  • 2028375 - ET JA3 Hash - Possible Malware - Java Based RAT (ja3.rules)
  • 2028380 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)
  • 2028383 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)
  • 2028391 - ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex (ja3.rules)
  • 2028394 - ET JA3 Hash - Possible Malware - USPS Malspam (ja3.rules)
  • 2028395 - ET JA3 Hash - Possible Malware - Various Eitest (ja3.rules)
  • 2028398 - ET JA3 Hash - Possible Malware - Various Malspam/RigEK/Dreambot (ja3.rules)
  • 2028399 - ET JA3 Hash - Possible Malware - Various RigEK/Cryptowall/Dridex (ja3.rules)
  • 2028597 - ET MALWARE Win32/Tflower Ransomware CnC Checkin (malware.rules)
  • 2028883 - ET MALWARE APT 41 LOWKEY Backdoor - Ping Command Inbound (malware.rules)
  • 2028886 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - PID Injection Command (malware.rules)
  • 2028887 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Establishing Connection with New Host (malware.rules)
  • 2028888 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay Successfully Activated on New Host (malware.rules)
  • 2028889 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Exchanging RC4 & XOR Encrypted Data with Internal Host (malware.rules)
  • 2028890 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Socket Command Observed (malware.rules)
  • 2028891 - ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Named Pipe Command Observed (malware.rules)
  • 2028972 - ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1 (exploit_kit.rules)
  • 2029104 - ET MALWARE Win32/Snatch Ransomware - Encryption Finished (malware.rules)
  • 2029176 - ET MALWARE Observed Buran Ransomware UA (malware.rules)
  • 2029187 - ET MALWARE XServer Backdoor Communication Setup Request (malware.rules)
  • 2029188 - ET MALWARE XServer Backdoor Communication Setup Initiate (malware.rules)
  • 2029200 - ET MALWARE Observed Malicious SSL Cert (jssLoader CnC) (malware.rules)
  • 2029240 - ET MALWARE Win32/Filecoder.NZK Variant (malware.rules)
  • 2029245 - ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) (malware.rules)
  • 2029291 - ET MALWARE Observed Nemty Ransomware Payment Page (malware.rules)
  • 2029295 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2029296 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2029300 - ET MALWARE Magecart CnC Domain Observed in DNS Query (malware.rules)
  • 2029306 - ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent (malware.rules)
  • 2029424 - ET HUNTING [TGI] Entrust Entelligence Security Provider (Flowbits Set) (hunting.rules)
  • 2029425 - ET HUNTING [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response (hunting.rules)
  • 2029619 - ET MOBILE_MALWARE Suspected SandCat Related CnC (mobile_malware.rules)
  • 2048339 - ET EXPLOIT_KIT ScamClub Domain in DNS Lookup (Namecheap Inc .) (exploit_kit.rules)
  • 2838428 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC) (malware.rules)
  • 2838429 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC) (malware.rules)
  • 2838771 - ETPRO MALWARE FTCode Ransomware VBS Inbound (malware.rules)
  • 2839083 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2839085 - ETPRO MALWARE Observed Malicious SSL Cert (SONE CnC) (malware.rules)
  • 2839086 - ETPRO MALWARE Observed Malicious SSL Cert (CobInt CnC) (malware.rules)
  • 2839262 - ETPRO EXPLOIT_KIT Possible GreenFlash Sundown EK Flash Artifact (exploit_kit.rules)
  • 2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)
  • 2839549 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (aef4f) (exploit_kit.rules)
  • 2839689 - ETPRO HUNTING Suspicious User-Agent Content - Potential Data Exfiltration (hunting.rules)
  • 2839690 - ETPRO HUNTING Suspicious Accept Header Content - Potential Data Exfiltration (hunting.rules)
  • 2839787 - ETPRO MALWARE Win32/Unk.Ransomware Retreiving External IP Address (malware.rules)
  • 2839796 - ETPRO MALWARE Observed Malicious SSL Cert (GRIFFON CnC) (malware.rules)
  • 2839970 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840030 - ETPRO MALWARE Sifrelendi Ransomware Checkin via FTP (malware.rules)
  • 2840046 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840080 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840114 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840141 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-12-27 (malware.rules)
  • 2840169 - ETPRO MALWARE Win32/Various Ransomware CnC Activity (malware.rules)
  • 2840227 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840228 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840229 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840328 - ETPRO MALWARE Observed Malicious SSL Cert (Gozi CnC) (malware.rules)
  • 2840357 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840389 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840390 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840417 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-13 (malware.rules)
  • 2840459 - ETPRO EXPLOIT Possible Spoofed TLS Certificate Inbound (CVE-2020-0601) (exploit.rules)
  • 2840478 - ETPRO MALWARE Observed Malicious SSL Cert (Get2 CnC) (malware.rules)
  • 2840506 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840507 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840508 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840547 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840548 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-21 (malware.rules)
  • 2840618 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840740 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840778 - ETPRO MALWARE Observed Malicious SSL Cert (DonotGroup CnC) (malware.rules)
  • 2840781 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840868 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840869 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)