Ruleset Update Summary - 2025/09/24 - v11023

rulesbot · September 24, 2025, 8:28pm

Summary:

30 new OPEN, 32 new PRO (30 + 2)

Added rules:

Open:

2064887 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (members .aielloscigarbar .com) (malware.rules)
2064888 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (members .aielloscigarbar .com) (malware.rules)
2064889 - ET INFO DYNAMIC_DNS Query to a *.ingredientsplus .com .my domain (info.rules)
2064890 - ET INFO DYNAMIC_DNS HTTP Request to a *.ingredientsplus .com .my domain (info.rules)
2064891 - ET INFO DYNAMIC_DNS Query to a *.thisisnothing .pw domain (info.rules)
2064892 - ET INFO DYNAMIC_DNS HTTP Request to a *.thisisnothing .pw domain (info.rules)
2064893 - ET INFO DYNAMIC_DNS Query to a *.lamichhaneprakash .com .np domain (info.rules)
2064894 - ET INFO DYNAMIC_DNS HTTP Request to a *.lamichhaneprakash .com .np domain (info.rules)
2064895 - ET INFO DYNAMIC_DNS Query to a *.rauszeiter .ch domain (info.rules)
2064896 - ET INFO DYNAMIC_DNS HTTP Request to a *.rauszeiter .ch domain (info.rules)
2064897 - ET INFO DYNAMIC_DNS Query to a *.mecanicatecnicar .com .ar domain (info.rules)
2064898 - ET INFO DYNAMIC_DNS HTTP Request to a *.mecanicatecnicar .com .ar domain (info.rules)
2064899 - ET INFO DYNAMIC_DNS Query to a *.tirri .com .ar domain (info.rules)
2064900 - ET INFO DYNAMIC_DNS HTTP Request to a *.tirri .com .ar domain (info.rules)
2064901 - ET INFO DYNAMIC_DNS Query to a *.stadtwandern .ch domain (info.rules)
2064902 - ET INFO DYNAMIC_DNS HTTP Request to a *.stadtwandern .ch domain (info.rules)
2064903 - ET INFO DYNAMIC_DNS Query to a *.dikpalkc .com .np domain (info.rules)
2064904 - ET INFO DYNAMIC_DNS HTTP Request to a *.dikpalkc .com .np domain (info.rules)
2064905 - ET INFO DYNAMIC_DNS Query to a *.qwe-qwe .me domain (info.rules)
2064906 - ET INFO DYNAMIC_DNS HTTP Request to a *.qwe-qwe .me domain (info.rules)
2064907 - ET INFO DYNAMIC_DNS Query to a *.clientesussalarmas .com .ar domain (info.rules)
2064908 - ET INFO DYNAMIC_DNS HTTP Request to a *.clientesussalarmas .com .ar domain (info.rules)
2064909 - ET INFO DYNAMIC_DNS Query to a *.auszeit-seminar .ch domain (info.rules)
2064910 - ET INFO DYNAMIC_DNS HTTP Request to a *.auszeit-seminar .ch domain (info.rules)
2064911 - ET INFO DYNAMIC_DNS Query to a *.primebuildings .bg domain (info.rules)
2064912 - ET INFO DYNAMIC_DNS HTTP Request to a *.primebuildings .bg domain (info.rules)
2064913 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delfxus .today) (malware.rules)
2064914 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (delfxus .today) in TLS SNI (malware.rules)
2064915 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noticedseuh .icu) (malware.rules)
2064916 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (noticedseuh .icu) in TLS SNI (malware.rules)

Pro:

2864689 - ETPRO MALWARE UNK_BlackGold CnC Response (malware.rules)
2864690 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

2027167 - ET NETBIOS DCERPC WMI Remote Process Execution (netbios.rules)
2027176 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027187 - ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement (policy.rules)
2027188 - ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement (policy.rules)
2027190 - ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement (netbios.rules)
2027191 - ET POLICY Executable Transfer in SMB (policy.rules)
2027222 - ET MALWARE Observed Malicious SSL Cert (Unattributed CnC) (malware.rules)
2027223 - ET MALWARE Observed Malicious SSL Cert (Unattributed CnC) (malware.rules)
2027414 - ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30 (malware.rules)
2027445 - ET MALWARE Buran Ransomware Activity M2 (malware.rules)
2834920 - ETPRO MALWARE Brushaloader Domain in DNS Lookup (malware.rules)
2835199 - ETPRO MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC) (malware.rules)
2835695 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2835753 - ETPRO MALWARE Win32.Floxif.H Checkin (malware.rules)
2835824 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2835851 - ETPRO WEB_CLIENT VBScript Heap Overflow CVE-2019-0666 (web_client.rules)
2835917 - ETPRO MALWARE Observed Malicious SSL Cert (CoreDn Activity) (malware.rules)
2836269 - ETPRO MALWARE QuasarRAT C2 KeepAlive (malware.rules)
2836297 - ETPRO MALWARE Win32/Pterodo.NG Checkin 3 (malware.rules)
2836743 - ETPRO MALWARE MuddyWater PowerShell RAT Check-in (malware.rules)
2836902 - ETPRO MALWARE Suspected APT33 Spearphishing Related DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/28 - v10760 Ruleset Updates	62	November 28, 2024
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	337	March 25, 2024
Ruleset Update Summary - 2024/06/03 - v10608 Ruleset Updates	245	June 3, 2024
Ruleset Update Summary - 2025/09/10 - v11012 Ruleset Updates	69	September 10, 2025
Ruleset Update Summary - 2024/09/09 - v10684 Ruleset Updates	85	September 9, 2024

Ruleset Update Summary - 2025/09/24 - v11023

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics