Ruleset Update Summary - 2025/09/29 - v11026

Summary:

28 new OPEN, 28 new PRO (28 + 0)

Added rules:

Open:

• 2064943 - ET INFO DYNAMIC_DNS Query to a *.biranchipoudyal .com .np domain (info.rules)
• 2064944 - ET INFO DYNAMIC_DNS HTTP Request to a *.biranchipoudyal .com .np domain (info.rules)
• 2064945 - ET HUNTING Observed Zip Slip in ZIP Archive (../) Inbound M1 (hunting.rules)
• 2064946 - ET HUNTING Observed Zip Slip in TAR Archive (../) Inbound M1 (hunting.rules)
• 2064947 - ET HUNTING Observed Zip Slip in ZIP Archive (../) Upload M1 (hunting.rules)
• 2064948 - ET HUNTING Observed Zip Slip in TAR Archive (../) Upload M1 (hunting.rules)
• 2064949 - ET HUNTING Observed Zip Slip in ZIP Archive (..\) Inbound M2 (hunting.rules)
• 2064950 - ET HUNTING Observed Zip Slip in TAR Archive (..\) Inbound M2 (hunting.rules)
• 2064951 - ET HUNTING Observed Zip Slip in ZIP Archive (..\) Upload M2 (hunting.rules)
• 2064952 - ET HUNTING Observed Zip Slip in TAR Archive (..\) Upload M2 (hunting.rules)
• 2064953 - ET INFO DYNAMIC_DNS Query to a *.hbplw .ch domain (info.rules)
• 2064954 - ET INFO DYNAMIC_DNS HTTP Request to a *.hbplw .ch domain (info.rules)
• 2064955 - ET INFO DYNAMIC_DNS Query to a *.waser-consulting .ch domain (info.rules)
• 2064956 - ET INFO DYNAMIC_DNS HTTP Request to a *.waser-consulting .ch domain (info.rules)
• 2064957 - ET INFO DYNAMIC_DNS Query to a *.mattlucas .info domain (info.rules)
• 2064958 - ET INFO DYNAMIC_DNS HTTP Request to a *.mattlucas .info domain (info.rules)
• 2064959 - ET INFO DYNAMIC_DNS Query to a *.entschleunigungscoach .ch domain (info.rules)
• 2064960 - ET INFO DYNAMIC_DNS HTTP Request to a *.entschleunigungscoach .ch domain (info.rules)
• 2064961 - ET INFO DYNAMIC_DNS Query to a *.martindonnelly .com .au domain (info.rules)
• 2064962 - ET INFO DYNAMIC_DNS HTTP Request to a *.martindonnelly .com .au domain (info.rules)
• 2064963 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterki .pics) (malware.rules)
• 2064964 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enterki .pics) in TLS SNI (malware.rules)
• 2064965 - ET MALWARE Nimbus Manticore Minibrowse Backdoor CnC Checkin (malware.rules)
• 2064966 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (foolowme .com) (exploit_kit.rules)
• 2064967 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (foolowme .com) (exploit_kit.rules)
• 2064968 - ET MALWARE Nimbus Manticore Minibrowse Data Exfiltration Attempt (malware.rules)
• 2064969 - ET MALWARE Nimbus Manticore CnC Domain in DNS Lookup (oneglobalvisa .com) (malware.rules)
• 2064970 - ET MALWARE Observed Nimbus Manticore Domain (oneglobalvisa .com in TLS SNI) (malware.rules)

Modified inactive rules:

• 2024933 - ET MALWARE IoT_reaper DNS Lookup M4 (cbk99 .com) (malware.rules)
• 2024934 - ET MALWARE IoT_reaper DNS Lookup M5 (bbk80 .com) (malware.rules)
• 2024935 - ET MALWARE IoT_reaper DNS Lookup M6 (bbk86 .com) (malware.rules)
• 2024936 - ET MALWARE IoT_reaper DNS Lookup M7 (ha859 .com) (malware.rules)
• 2024937 - ET MALWARE Downeks/Quasar DNS Lookup (download .data-server .cloudns .club) (malware.rules)
• 2024938 - ET MALWARE Downeks/Quasar DNS Lookup (ping .topsite .life) (malware.rules)
• 2024939 - ET MALWARE Downeks/Quasar DNS Lookup (signup .updatesforme .club) (malware.rules)
• 2024940 - ET MALWARE Downeks/Quasar DNS Lookup (moreoffer .life) (malware.rules)
• 2024986 - ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com) in DNS Lookup (malware.rules)
• 2024987 - ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com) in DNS Lookup (malware.rules)
• 2024988 - ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com) in DNS Lookup (malware.rules)
• 2025019 - ET MALWARE Possible NanoCore C2 60B (malware.rules)
• 2025076 - ET MALWARE Brazilian Banker SSL Cert (malware.rules)
• 2025147 - ET MALWARE Win32/Downloader.Small.BIL CnC Checkin (malware.rules)
• 2025155 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC) (malware.rules)
• 2025161 - ET MALWARE Windows executable sent when remote host claims to send an image M4 (malware.rules)
• 2025184 - ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based) (web_client.rules)
• 2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
• 2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)
• 2025370 - ET MALWARE Win32/Backdoor.Small.ao CnC Checkin (malware.rules)
• 2025387 - ET MALWARE SteamStealer Domain in SNI (malware.rules)
• 2025388 - ET MALWARE SteamStealer Malicious SSL Certificate Detected (malware.rules)
• 2025409 - ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2 (current_events.rules)
• 2025411 - ET INFO Secondary Flash Request Seen (no alert) (info.rules)
• 2025416 - ET MALWARE StrongPity APT SSL Certificate Detected (malware.rules)
• 2025428 - ET INFO Possible Sandvine PacketLogic Injection (info.rules)
• 2025438 - ET MALWARE Cobalt Group SSL Certificate Detected (malware.rules)
• 2025444 - ET MALWARE [PTsecurity] Ursnif Socks Proxy Check-in (malware.rules)
• 2025445 - ET MALWARE [PTsecurity] Ursnif Socks5 Proxy Connection (malware.rules)
• 2025541 - ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File (malware.rules)
• 2025631 - ET MALWARE [PTsecurity] Paradise Ransomware Check-in (malware.rules)
• 2025914 - ET EXPLOIT_KIT Underminer EK Flash Exploit (exploit_kit.rules)
• 2025985 - ET INFO Adobe PDX in HTTP Flowbit Set (info.rules)
• 2025986 - ET INFO MP3 with ID3 in HTTP Flowbit Set (info.rules)
• 2026002 - ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in (malware.rules)
• 2026100 - ET MALWARE Aura Ransomware User-Agent (malware.rules)
• 2026108 - ET EXPLOIT NUUO OS Command Injection M2 (exploit.rules)
• 2828428 - ETPRO MALWARE Malicious SSL certificate detected (TrickBot C2) (malware.rules)
• 2828445 - ETPRO POLICY External IP Address Lookup (howtofindmyipaddress .com) (policy.rules)
• 2828467 - ETPRO MALWARE MSIL/MarioRAT Sending Screenshot to CnC (malware.rules)
• 2828551 - ETPRO MALWARE Observed Malicious SSL Cert (Spymaster Keylogger Domain) (malware.rules)
• 2828564 - ETPRO MALWARE APT28 Uploader Domain (netmediaresources .com) in DNS Lookup (malware.rules)
• 2828571 - ETPRO MALWARE ZeusPanda CnC Domain (rowrorofrat .com in TLS SNI) (malware.rules)
• 2828572 - ETPRO MALWARE ZeusPanda CnC Domain (mysitothar .ru) in DNS Lookup (malware.rules)
• 2828577 - ETPRO MALWARE ZeusPanda CnC Domain (linghogolac .ru in TLS SNI) (malware.rules)
• 2828613 - ETPRO MALWARE Cerber Domain Observed (1aweql .top) in DNS Lookup (malware.rules)
• 2828640 - ETPRO MALWARE Observed Malicious Reypston Ransomware Onion Domain in SNI (7wqzov2j5hkklbw6) (malware.rules)
• 2828662 - ETPRO MALWARE Gootkit Domain (ssl256cert .com in DNS Lookup) (malware.rules)
• 2828664 - ETPRO MALWARE Gootkit Domain (ssl256cert .com in SNI) (malware.rules)
• 2828665 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc HTA Download) (malware.rules)
• 2828781 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda) (malware.rules)
• 2828862 - ETPRO MALWARE Observed Malicious SSL Cert (Minergate Module DL) (malware.rules)
• 2828926 - ETPRO MALWARE PowerRatankba DNS Lookup 6 (malware.rules)
• 2828933 - ETPRO MALWARE PowerRatankba DNS Lookup 13 (malware.rules)
• 2828961 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
• 2829038 - ETPRO MALWARE Bitcoin Miner Known Malicious Basic Auth (NDF5eWJUWEZnYk…) (malware.rules)
• 2829075 - ETPRO MALWARE Observed Malicious SSL Cert (URLZone CnC) (malware.rules)
• 2829076 - ETPRO MALWARE Observed Malicious SSL Cert (Bateleur CnC) (malware.rules)
• 2829109 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
• 2829118 - ETPRO MALWARE Win32/CoinMining Loader CnC Checkin (malware.rules)
• 2829166 - ETPRO MALWARE Bitcoin Miner Known Malicious Basic Auth (NDNRemFNVm5SS1lpc1E…) (malware.rules)
• 2829187 - ETPRO MALWARE MSIL.NepaCollector CnC M1 (buildInfo) (malware.rules)
• 2829188 - ETPRO MALWARE MSIL.NepaCollector CnC M2 (isMaster) (malware.rules)
• 2829189 - ETPRO MALWARE MSIL.NepaCollector CnC M3 (getLastError) (malware.rules)
• 2829214 - ETPRO MALWARE APT32 SSL Certificate Detected Inbound (malware.rules)
• 2829252 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
• 2829286 - ETPRO RETIRED APT28 DNS Lookup (retired.rules)
• 2829288 - ETPRO MALWARE Colony Rootkit Downloader CnC Checkin (malware.rules)
• 2829289 - ETPRO MALWARE Colony Rootkit Downloader Requesting Payload (malware.rules)
• 2829290 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
• 2829408 - ETPRO MALWARE Mirai Variant DNS Lookup M2 (malware.rules)
• 2829411 - ETPRO MALWARE Mirai Variant DNS Lookup M5 (malware.rules)
• 2829653 - ETPRO WEB_CLIENT Possible Adobe Reader TIFF Memory Corruption (CVE-2018-4903) (web_client.rules)
• 2829654 - ETPRO WEB_CLIENT Possible Adobe Reader EMF Memory Corruption M1 (CVE-2018-4906) (web_client.rules)
• 2829655 - ETPRO WEB_CLIENT Possible Adobe Reader EMF Memory Corruption M2 (CVE-2018-4906) (web_client.rules)
• 2829659 - ETPRO MALWARE Hworm/Houdini DNS Lookup M1 (malware.rules)
• 2829688 - ETPRO MALWARE Kovter Malicious SSL Certificate Detected (malware.rules)
• 2829721 - ETPRO MALWARE AfraidBeefcake IRC CnC Checkin (malware.rules)
• 2829758 - ETPRO MALWARE Shifr/Shurl0cker Ransomware Onion Domain in SNI (u4hp32ms2u6s4x7q) (malware.rules)
• 2829777 - ETPRO MALWARE AridViper Domain Observed (katesacker .club in TLS SNI) (malware.rules)
• 2829953 - ETPRO EXPLOIT_KIT GreenFlash SunDown EK SecondaryFlash Call 2018-03-09 (exploit_kit.rules)
• 2830100 - ETPRO MALWARE Java/QRAT Reporting System Info to CnC (malware.rules)
• 2830245 - ETPRO POLICY Request for CSS File Returning Executable (policy.rules)
• 2830248 - ETPRO MALWARE MSIL/SocketPlayer RAT Receiving Instructions to Retrieve New Payload (malware.rules)
• 2830250 - ETPRO MALWARE MSIL/SocketPlayer RAT CnC Checkin (malware.rules)
• 2830327 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL 2018-04-10 2) (malware.rules)
• 2830381 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in DNS Lookup) (policy.rules)
• 2830382 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in TLS SNI) (policy.rules)
• 2830451 - ETPRO WEB_CLIENT SocGoth B64 Inject Inbound (web_client.rules)
• 2830492 - ETPRO MALWARE Win32/Agent.ZKU CnC Checkin (malware.rules)
• 2830648 - ETPRO ADWARE_PUP Win32/InstallCore set bit (adware_pup.rules)
• 2830661 - ETPRO ADWARE_PUP Win32/InstallCore Reporting Successful Install (adware_pup.rules)
• 2830662 - ETPRO MALWARE JS.SocGholish POST Request (malware.rules)
• 2830806 - ETPRO MALWARE JS/Javaxs.Loader CnC Checkin (malware.rules)
• 2830930 - ETPRO MALWARE MSIL/SocketPlayer Killswitch DNS Lookup (malware.rules)
• 2831006 - ETPRO MALWARE LokiBot CnC DNS Lookup (lokipanel) (malware.rules)
• 2831053 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL 2018-05-29 2) (malware.rules)
• 2831092 - ETPRO MALWARE Ursnif Inject Domain (oncofonderot .top in TLS SNI) (malware.rules)
• 2831252 - ETPRO EXPLOIT Flash Player Integer Overflow Inbound (CVE-2018-5000) (exploit.rules)
• 2831253 - ETPRO EXPLOIT Flash Player OOB Read (CVE-2018-5001) (exploit.rules)
• 2831322 - ETPRO MALWARE Observed Malicious SSL Certificate (IcedID) (malware.rules)
• 2831412 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 371 (mobile_malware.rules)
• 2831555 - ETPRO MALWARE MSIL/Supreme Miner CnC Checkin M2 (malware.rules)
• 2831837 - ETPRO MALWARE Cerber Domain Observed (1cknbd .top) in DNS Lookup (malware.rules)
• 2832176 - ETPRO EXPLOIT Flash Player Out-of-bounds Read (CVE-2018-12824) (exploit.rules)
• 2832214 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
• 2832289 - ETPRO MALWARE Win32/Remcos RAT Checkin 39 (malware.rules)
• 2832311 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 3 (asdkaaskdlaksdjjkjsdnddasakkkaksjdjndkjansdkswda) (malware.rules)
• 2832388 - ETPRO EXPLOIT_KIT SocEng Redirect Chain - Evil Keitaro Set-Cookie Inbound (78e5a) (exploit_kit.rules)
• 2832431 - ETPRO MALWARE Win32/Remcos RAT Checkin 46 (malware.rules)