Ruleset Update Summary - 2025/09/23 - v11022

Summary:

32 new OPEN, 83 new PRO (32 + 51)


Added rules:

Open:

  • 2064855 - ET INFO DYNAMIC_DNS Query to a *.redemanchete .com .br domain (info.rules)
  • 2064856 - ET INFO DYNAMIC_DNS HTTP Request to a *.redemanchete .com .br domain (info.rules)
  • 2064857 - ET INFO DYNAMIC_DNS Query to a *.ptgrowthasia .com domain (info.rules)
  • 2064858 - ET INFO DYNAMIC_DNS HTTP Request to a *.ptgrowthasia .com domain (info.rules)
  • 2064859 - ET INFO DYNAMIC_DNS Query to a *.projektmetoden .dk domain (info.rules)
  • 2064860 - ET INFO DYNAMIC_DNS HTTP Request to a *.projektmetoden .dk domain (info.rules)
  • 2064861 - ET INFO DYNAMIC_DNS Query to a *.patriciarivera .cl domain (info.rules)
  • 2064862 - ET INFO DYNAMIC_DNS HTTP Request to a *.patriciarivera .cl domain (info.rules)
  • 2064863 - ET INFO DYNAMIC_DNS Query to a *.cacdingles .com .br domain (info.rules)
  • 2064864 - ET INFO DYNAMIC_DNS HTTP Request to a *.cacdingles .com .br domain (info.rules)
  • 2064865 - ET INFO DYNAMIC_DNS Query to a *.wandercoach .ch domain (info.rules)
  • 2064866 - ET INFO DYNAMIC_DNS HTTP Request to a *.wandercoach .ch domain (info.rules)
  • 2064867 - ET INFO DYNAMIC_DNS Query to a *.sarojghimire .com .np domain (info.rules)
  • 2064868 - ET INFO DYNAMIC_DNS HTTP Request to a *.sarojghimire .com .np domain (info.rules)
  • 2064869 - ET INFO DYNAMIC_DNS Query to a *.auszeiter .ch domain (info.rules)
  • 2064870 - ET INFO DYNAMIC_DNS HTTP Request to a *.auszeiter .ch domain (info.rules)
  • 2064871 - ET INFO DYNAMIC_DNS Query to a *.lucashouse .info domain (info.rules)
  • 2064872 - ET INFO DYNAMIC_DNS HTTP Request to a *.lucashouse .info domain (info.rules)
  • 2064873 - ET INFO DYNAMIC_DNS Query to a *.auszeitcoach .ch domain (info.rules)
  • 2064874 - ET INFO DYNAMIC_DNS HTTP Request to a *.auszeitcoach .ch domain (info.rules)
  • 2064875 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decrexd .pics) (malware.rules)
  • 2064876 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (decrexd .pics) in TLS SNI (malware.rules)
  • 2064877 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (extemzd .pics) (malware.rules)
  • 2064878 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (extemzd .pics) in TLS SNI (malware.rules)
  • 2064879 - ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp Multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151) (web_specific_apps.rules)
  • 2064880 - ET WEB_SPECIFIC_APPS 2wcom get_data.php Multiple Parameters Command Injection Attempt (CVE-2025-43953) (web_specific_apps.rules)
  • 2064881 - ET WEB_SPECIFIC_APPS D-Link formWPS webpage Parameter Buffer Overflow Attempt (CVE-2025-10792) (web_specific_apps.rules)
  • 2064882 - ET WEB_SPECIFIC_APPS D-Link set_switch_settings port Parameter Command Injection Attempt (CVE-2025-10814) (web_specific_apps.rules)
  • 2064883 - ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp time Parameter Command Injection Attempt (CVE-2025-34152) (web_specific_apps.rules)
  • 2064884 - ET WEB_SPECIFIC_APPS Totolink setEasyMeshAgentCfg agentName Parameter Command Injection Attempt (CVE-2025-52906) (web_specific_apps.rules)
  • 2064885 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (box .kiwisandblasting .com) (malware.rules)
  • 2064886 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (box .kiwisandblasting .com) (malware.rules)

Pro:

  • 2864638 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864639 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864640 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864641 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864642 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864643 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864644 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864645 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864646 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864647 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864648 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864649 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864650 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864651 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864652 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864653 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864654 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864655 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864656 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864657 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864658 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864659 - ETPRO PHISHING Observed UNK_BlackGold Domain in TLS SNI (phishing.rules)
  • 2864660 - ETPRO MALWARE Observed DNS Query to UNK_BlackGold Domain (malware.rules)
  • 2864661 - ETPRO MALWARE Observed DNS Query to UNK_BlackGold Domain (malware.rules)
  • 2864662 - ETPRO MALWARE Observed DNS Query to UNK_BlackGold Domain (malware.rules)
  • 2864663 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
  • 2864664 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
  • 2864665 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
  • 2864666 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864667 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864668 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864669 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864670 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2864671 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864672 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2864673 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864674 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2864675 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864676 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864677 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2864678 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864679 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864680 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864681 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864682 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864684 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864685 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864686 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864687 - ETPRO MALWARE UNK_BlackGold CnC Activity (GET) (malware.rules)
  • 2864688 - ETPRO MALWARE UNK_BlackGold CnC Activity (POST) (malware.rules)

Modified inactive rules:

  • 2027729 - ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0) (malware.rules)
  • 2027730 - ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0) (malware.rules)
  • 2027768 - ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag (exploit.rules)
  • 2027770 - ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag (exploit.rules)
  • 2027802 - ET MALWARE Win32/Eris Ransomware CnC Checkin (malware.rules)
  • 2027865 - ET INFO Observed DNS Query to .cloud TLD (info.rules)
  • 2837006 - ETPRO MALWARE Observed Malicious SSL Cert (APT33 CnC) (malware.rules)
  • 2837135 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2838020 - ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin (malware.rules)
  • 2838194 - ETPRO MALWARE Observed Malicious SSL Cert (PsiXBot CnC) (malware.rules)
  • 2838324 - ETPRO MALWARE Observed Malicious SSL Cert (DonotGroup CnC) (malware.rules)
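The summary above follows a fixed plain-text layout: a title line carrying the date and ruleset version, a count line, and bulleted "SID - msg (file.rules)" entries grouped under Open, Pro and Modified inactive rules. The Python below is an added example, not part of the Emerging Threats changelog or of any ET tooling, that parses that layout, cross-checks the declared counts against the rules actually listed (the PRO figure is the full PRO ruleset, i.e. open rules plus PRO-only rules, which is what the "(32 + 51)" breakdown expresses), and pulls out CVE IDs and the refanged domains from defanged "name .tld" text so they can be diffed against what is already deployed. The embedded sample is a constructed excerpt of this update with its count line adjusted to match the excerpt's length; the function and class names (parse_summary, check_counts, added_domains, added_cves, Rule, Update) are this example's own.

```python
"""Parse an Emerging Threats "Ruleset Update Summary" into structured data.

Added example (not part of the ET changelog or ET tooling). The names
parse_summary, check_counts, added_domains and added_cves are assumptions
of this example, not an existing API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the v11022 summary; the count line was edited to match
# the excerpt (3 open rules, 2 PRO-only rules) so the sample is self-consistent.
SAMPLE = """\
Ruleset Update Summary - 2025/09/23 - v11022

Summary:

3 new OPEN, 5 new PRO (3 + 2)

Added rules:

Open:

  • 2064855 - ET INFO DYNAMIC_DNS Query to a *.redemanchete .com .br domain (info.rules)
  • 2064875 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decrexd .pics) (malware.rules)
  • 2064879 - ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148) (web_specific_apps.rules)

Pro:

  • 2864638 - ETPRO PHISHING Observed DNS Query to UNK_BlackGold Domain (phishing.rules)
  • 2864687 - ETPRO MALWARE UNK_BlackGold CnC Activity (GET) (malware.rules)

Modified inactive rules:

  • 2027729 - ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0) (malware.rules)
"""

TITLE_RE = re.compile(r"^Ruleset Update Summary - (?P<date>\d{4}/\d{2}/\d{2}) - v(?P<ver>\d+)$")
COUNT_RE = re.compile(r"^(?P<open>\d+) new OPEN, (?P<pro>\d+) new PRO \((?P<o>\d+) \+ (?P<p>\d+)\)$")
RULE_RE = re.compile(r"^•\s*(?P<sid>\d+)\s+-\s+(?P<msg>.+?)\s+\((?P<file>[\w-]+\.rules)\)$")
CAT_RE = re.compile(r"^(ET(?:PRO)? [A-Z_]+)\b")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Defanged domains in ET messages use " ." as the label separator ("decrexd .pics",
# "*.foo .com .br"); requiring the space keeps protocol.csp / info.rules from matching.
DOMAIN_RE = re.compile(r"(?:\*\.)?[a-z0-9-]+(?: \.[a-z0-9-]+)+")

SECTIONS = {"Open:": "added_open", "Pro:": "added_pro", "Modified inactive rules:": "modified_inactive"}


@dataclass
class Rule:
    sid: int
    msg: str
    rule_file: str
    category: str  # "ET MALWARE", "ETPRO PHISHING", ...
    cves: list[str] = field(default_factory=list)
    domains: list[str] = field(default_factory=list)  # refanged; "*." kept for wildcard rules


@dataclass
class Update:
    date: str = ""
    version: str = ""
    declared_open: int = -1
    declared_pro: int = -1  # full PRO ruleset = open + PRO-only
    added_open: list[Rule] = field(default_factory=list)
    added_pro: list[Rule] = field(default_factory=list)
    modified_inactive: list[Rule] = field(default_factory=list)


def parse_rule_line(line: str) -> Rule | None:
    """Turn one '• SID - msg (file.rules)' bullet into a Rule, or None if it is not one."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    msg = m["msg"]
    cat = CAT_RE.match(msg)
    return Rule(
        sid=int(m["sid"]),
        msg=msg,
        rule_file=m["file"],
        category=cat.group(1) if cat else "",
        cves=CVE_RE.findall(msg),
        domains=[d.replace(" ", "") for d in DOMAIN_RE.findall(msg)],
    )


def parse_summary(text: str) -> Update:
    upd = Update()
    target = None  # Update attribute that bullets of the current section go into
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TITLE_RE.match(line):
            upd.date, upd.version = m["date"], m["ver"]
        elif m := COUNT_RE.match(line):
            upd.declared_open, upd.declared_pro = int(m["open"]), int(m["pro"])
            if int(m["o"]) + int(m["p"]) != upd.declared_pro:
                raise ValueError(f"count line breakdown does not add up: {line!r}")
        elif line in SECTIONS:
            target = SECTIONS[line]
        elif (rule := parse_rule_line(line)) is not None and target is not None:
            getattr(upd, target).append(rule)
    return upd


def check_counts(upd: Update) -> tuple[bool, dict[str, int]]:
    """Compare the declared counts with the rules actually listed."""
    n_open, n_pro_only = len(upd.added_open), len(upd.added_pro)
    seen = {"open": n_open, "pro_only": n_pro_only, "pro_total": n_open + n_pro_only}
    ok = n_open == upd.declared_open and seen["pro_total"] == upd.declared_pro
    return ok, seen


def added_domains(upd: Update) -> list[str]:
    """Sorted, de-duplicated refanged domains from the newly added rules."""
    return sorted({d for r in upd.added_open + upd.added_pro for d in r.domains})


def added_cves(upd: Update) -> list[str]:
    return sorted({c for r in upd.added_open + upd.added_pro for c in r.cves})


if __name__ == "__main__":
    u = parse_summary(SAMPLE)
    print(f"v{u.version} ({u.date}) counts ok={check_counts(u)[0]}")
    print("domains:", added_domains(u))
    print("cves:", added_cves(u))
```

A mismatch from check_counts is the signal to look for a truncated or mangled summary before acting on it; the ValueError on the count line itself is deliberate, since a breakdown that does not sum to the PRO total means the header cannot be trusted either. Domains are returned with their "*." prefix intact so a consumer can tell a wildcard DYNAMIC_DNS rule from a single-host indicator.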