Ruleset Update Summary - 2025/10/14 - v11039

rulesbot · October 14, 2025, 9:29pm

Summary:

18 new OPEN, 37 new PRO (18 + 19)

Added rules:

Open:

2065176 - ET INFO Observed DNS Query to Actor Abused Cloud Hosting Service Domain (vercel .app) (info.rules)
2065177 - ET INFO Observed DNS Query to Actor Abused Cloud Hosting Service Domain (caspio .com) (info.rules)
2065178 - ET INFO Observed Commonly Actor Abused Cloud Hosting Service Domain (vercel .app in TLS SNI) (info.rules)
2065179 - ET INFO Observed Commonly Actor Abused Cloud Hosting Service Domain (caspio .com in TLS SNI) (info.rules)
2065180 - ET INFO Observed DNS Query to Actor Abused Online Service Domain (getenjoyment .net) (info.rules)
2065181 - ET INFO Observed Observed Commonly Actor Abused Online Service Domain (getenjoyment .net in TLS SNI) (info.rules)
2065182 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lowi1 .com) (exploit_kit.rules)
2065183 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (od2nipo .com) (exploit_kit.rules)
2065184 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (portykold .com) (exploit_kit.rules)
2065185 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cansupeker .com) (exploit_kit.rules)
2065186 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lowi1 .com) (exploit_kit.rules)
2065187 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (od2nipo .com) (exploit_kit.rules)
2065188 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (portykold .com) (exploit_kit.rules)
2065189 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cansupeker .com) (exploit_kit.rules)
2065190 - ET INFO Observed DNS Query to File Sharing Service Domain (app .box .com) (info.rules)
2065191 - ET INFO Observed DNS Query to FIle Sharing Service Domain (acrobat .adobe .com) (info.rules)
2065192 - ET INFO Observed File Sharing Service Domain (app .box .com in TLS SNI) (info.rules)
2065193 - ET INFO Observed File Sharing Service (acrobat .adobe .com in TLS SNI) (info.rules)

Pro:

2864465 - ETPRO MALWARE Observed TA406 Exfiltration Payload Inbound (malware.rules)
2864779 - ETPRO MALWARE UNK_BlackGold Domain in DNS Lookup (malware.rules)
2864780 - ETPRO MALWARE UNK_BlackGold Domain in DNS Lookup (malware.rules)
2864781 - ETPRO MALWARE UNK_BlackGold Domain in DNS Lookup (malware.rules)
2864782 - ETPRO MALWARE UNK_BlackGold Domain in DNS Lookup (malware.rules)
2864783 - ETPRO MALWARE UNK_BlackGold Domain in DNS Lookup (malware.rules)
2864784 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
2864785 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
2864786 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
2864787 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
2864788 - ETPRO MALWARE Observed UNK_BlackGold Domain in TLS SNI (malware.rules)
2864789 - ETPRO MALWARE TA406 CnC Exfiltration (POST) (malware.rules)
2864790 - ETPRO MALWARE TA406 CnC Checkin (GET) (malware.rules)
2864793 - ETPRO MALWARE TA406 CnC Response - Base64 Encoded Payload Inbound (malware.rules)
2864794 - ETPRO MALWARE TA406 Payload Inbound - Exfiltration Script (malware.rules)
2864795 - ETPRO MALWARE TA406 Payload Inbound - Task Scheduler (malware.rules)
2864796 - ETPRO MALWARE TA406 Payload Inbound - Downloader (malware.rules)
2864797 - ETPRO MALWARE Observed DNS Query to TA406 Domain (malware.rules)
2864798 - ETPRO MALWARE Observed TA406 Domain in TLS SNI (malware.rules)

Modified inactive rules:

2001444 - ET ADWARE_PUP Overpro Spyware Bundle Install (adware_pup.rules)
2001451 - ET ADWARE_PUP Bundleware Spyware Download (adware_pup.rules)
2001452 - ET ADWARE_PUP Bundleware Spyware CHM Download (adware_pup.rules)
2001470 - ET ADWARE_PUP Xpire.info Multiple Spyware Installs (7) (adware_pup.rules)
2001471 - ET ADWARE_PUP Xpire.info Spyware Exploit (adware_pup.rules)
2003238 - ET MALWARE W32.Downloader Tibs.jy Reporting to C&C (malware.rules)
2003401 - ET EXPLOIT US-ASCII Obfuscated VBScript download file (exploit.rules)
2003429 - ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent (adware_pup.rules)
2003669 - ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt – tpl_message.php right_file (web_specific_apps.rules)
2003690 - ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt – config.php DOCUMENT_ROOT (web_specific_apps.rules)
2007585 - ET MALWARE Win32.SkSocket C&C Connection (malware.rules)
2008412 - ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin (malware.rules)
2009379 - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion (web_specific_apps.rules)
2009663 - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion (web_specific_apps.rules)
2009858 - ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt (activex.rules)
2009903 - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion (web_specific_apps.rules)
2009925 - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion (web_specific_apps.rules)
2011881 - ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt (web_specific_apps.rules)
2012221 - ET MALWARE Malware Related msndown (malware.rules)
2012868 - ET POLICY HTTP Outbound Request containing a password (policy.rules)
2012869 - ET POLICY HTTP Outbound Request containing a pass field (policy.rules)
2013486 - ET WEB_CLIENT Phoenix landing page JAVASMB (web_client.rules)
2013487 - ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host (exploit.rules)
2013671 - ET MALWARE Win32.Riberow.A (touch) (malware.rules)
2014205 - ET EXPLOIT_KIT CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected (exploit_kit.rules)
2014206 - ET EXPLOIT_KIT CutePack Exploit Kit Landing Page Detected (exploit_kit.rules)
2014300 - ET MALWARE Win32/Kryptik.ABUD Checkin (malware.rules)
2014619 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution (activex.rules)
2014620 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2 (activex.rules)
2014930 - ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012 (web_client.rules)
2015533 - ET MALWARE Karagany checkin (sid5 1) (malware.rules)
2015534 - ET MALWARE Karagany checkin (sid5 2) (malware.rules)
2015666 - ET MALWARE NeoSploit - Version Enumerated - Java (malware.rules)
2016558 - ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure (exploit_kit.rules)
2017092 - ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013 (exploit_kit.rules)
2017602 - ET EXPLOIT_KIT Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (exploit_kit.rules)
2017739 - ET CURRENT_EVENTS Possible WhiteLotus Java Payload (current_events.rules)
2017740 - ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013 (exploit_kit.rules)
2018591 - ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code (web_client.rules)
2018592 - ET EXPLOIT_KIT Multiple EKs CVE-2013-3918 (exploit_kit.rules)
2018694 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2018695 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2018862 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2018863 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2020028 - ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1 (malware.rules)
2020727 - ET MALWARE Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx) (malware.rules)
2021125 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server (exploit.rules)
2021254 - ET MALWARE Torrentlocker C2 Domain in SNI (malware.rules)
2021256 - ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2 (web_client.rules)
2021315 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole) (malware.rules)
2021906 - ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015 (exploit_kit.rules)
2021907 - ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015 (exploit_kit.rules)
2022413 - ET MALWARE Scarlet Mimic DNS Lookup 3 (malware.rules)
2022414 - ET MALWARE Scarlet Mimic DNS Lookup 4 (malware.rules)
2022561 - ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli) (malware.rules)
2023265 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2023266 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2102179 - GPL FTP PASS format string attempt (ftp.rules)
2102768 - GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt (sql.rules)
2800002 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
2800003 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
2800368 - ETPRO FTP Rhino Software Serv-U FTP Server rnto Command Directory Traversal 1 (ftp.rules)
2800369 - ETPRO EXPLOIT Novell eDirectory SOAP Handling Accept Language Header Heap Overflow 1 (exploit.rules)
2800675 - ETPRO EXPLOIT HP StorageWorks Storage Mirroring Double Take Service Code Execution 7 (exploit.rules)
2800676 - ETPRO EXPLOIT HP StorageWorks Storage Mirroring Double Take Service Code Execution 8 (exploit.rules)
2800677 - ETPRO EXPLOIT HP StorageWorks Storage Mirroring Double Take Service Code Execution 9 (exploit.rules)
2801274 - ETPRO ADWARE_PUP Gabpath.com Toolbar Tracker Recover (adware_pup.rules)
2801513 - ETPRO NETBIOS Multiple Load Library Vulns dwmapi.dll - SMB Unicode (netbios.rules)
2803223 - ETPRO CHAT mig33 Client Send Message (chat.rules)
2803224 - ETPRO CHAT mig33 Client Keep Alive (chat.rules)
2803225 - ETPRO CHAT mig33 Server Login Challenge (chat.rules)
2803381 - ETPRO ADWARE_PUP Adware Win32/EliteBar Checkin (adware_pup.rules)
2803547 - ETPRO MALWARE Trojan.Win32.Fucobha.A Checkin 2 (malware.rules)
2803859 - ETPRO MALWARE Backdoor.Win32.Wuca Checkin (malware.rules)
2803860 - ETPRO MALWARE Trojan.Win32.Cossta.pyo Checkin (malware.rules)
2803994 - ETPRO MALWARE Backdoor.Win32/Rbot.gen Joining IRC channel (malware.rules)
2804011 - ETPRO MALWARE Kazy.41153 Checkin (malware.rules)
2804122 - ETPRO MALWARE Generic Dropper!dxm!50461342D70E Install (malware.rules)
2804629 - ETPRO MALWARE Win32/Banker.VBY Checkin (malware.rules)
2804630 - ETPRO MALWARE Win32/Delf.CM Checkin (malware.rules)
2804738 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.afwq Checkin (malware.rules)
2804739 - ETPRO MALWARE Win32/Spy.Banker.VER Checkin (malware.rules)
2805251 - ETPRO MALWARE Madhi Trojan Checkin 2 (malware.rules)
2805823 - ETPRO MALWARE Win32/Injector.Autoit.CI Checkin (malware.rules)
2805824 - ETPRO MALWARE Mal/FakeSg-B Checkin (malware.rules)
2805988 - ETPRO MALWARE Trojan-Spy.Win32.KeyLogger.acqh Checkin (malware.rules)
2805989 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Fakengry.b Checkin 3 (mobile_malware.rules)
2806593 - ETPRO MALWARE AndroidOS.UsbCleaver Zip Download (malware.rules)
2806594 - ETPRO WEB_SPECIFIC_APPS Possible Atlassian Crowd Remote File Read Attempt (web_specific_apps.rules)
2806845 - ETPRO INFO Online Proxy Service 2 (info.rules)
2806846 - ETPRO MALWARE Stealer sending stolen data via SMTP (malware.rules)
2807499 - ETPRO MALWARE Trojan-Spy.Win32.Zbot.rdhf CnC (INBOUND) (malware.rules)
2807925 - ETPRO POLICY Win32/WinVNC Activity - Outbound Connection Attempt (policy.rules)
2809190 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.f Checkin (mobile_malware.rules)
2809595 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Logisr.a Checkin (mobile_malware.rules)
2809999 - ETPRO MALWARE Win32/Pitou.B (malware.rules)
2810000 - ETPRO MALWARE Possible NanoCore RAT Downloading libraries (malware.rules)
2810339 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.rc Checkin (mobile_malware.rules)
2810508 - ETPRO MALWARE MSIL/ClickFraud Variant Retrieving URLs (malware.rules)
2810509 - ETPRO MALWARE MSIL/ClickFraud Variant Retrieving Fake Referers (malware.rules)
2812981 - ETPRO MALWARE Win32/Skeeyah Checkin 3 (malware.rules)
2820560 - ETPRO MALWARE TorrentLocker DNS query to Domain *.pinterpoint.biz (malware.rules)
2823003 - ETPRO MALWARE Malicious SSL Certificate Detected (Unknown Loader) (malware.rules)
2825206 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.EZ Checkin (mobile_malware.rules)

Removed rules:

2864465 - ETPRO ATTACK_RESPONSE Observed TA406 Exfiltration Payload Inbound (attack_response.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/02/08 - v10527 Ruleset Updates	439	February 8, 2024
Ruleset Update Summary - 2023/12/06 - v10480 Ruleset Updates	442	December 6, 2023
Ruleset Update Summary - 2024/02/07 - v10526 Ruleset Updates	518	February 7, 2024
Ruleset Update Summary - 2024/06/18 - v10620 Ruleset Updates	153	June 18, 2024
Ruleset Update Summary - 2024/03/06 - v10546 Ruleset Updates	303	March 6, 2024

Ruleset Update Summary - 2025/10/14 - v11039

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Removed rules:

Related topics