Ruleset Update Summary - 2025/10/21 - v11045

Ruleset Updates
1

Summary:

25 new OPEN, 54 new PRO (25 + 29)

Thanks @Seqrite, @ViriBack

Added rules:

Open:

  • 2065259 - ET WEB_SPECIFIC_APPS ICTBroadcast Command Injection (CVE-2025-2611) (web_specific_apps.rules)
  • 2065260 - ET MALWARE Observed DNS Query to CAPI Backdoor Domain (carprlce .ru) (malware.rules)
  • 2065261 - ET MALWARE Observed CAPI BackDoor Domain (carprlce .ru in TLS SNI) (malware.rules)
  • 2065262 - ET MALWARE Observed Kamasers DDOS Botnet User-Agent (System-Updater/5.0) (malware.rules)
  • 2065263 - ET MALWARE Observed Kamasers DDOS Botnet User-Agent (Kamasers C2 Client) (malware.rules)
  • 2065264 - ET MALWARE Kamasers CnC Victim Initial Checkin (POST) (malware.rules)
  • 2065265 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (charityjs .com) (exploit_kit.rules)
  • 2065266 - ET INFO DYNAMIC_DNS Query to a *.hornburst .com domain (info.rules)
  • 2065267 - ET INFO DYNAMIC_DNS HTTP Request to a *.hornburst .com domain (info.rules)
  • 2065268 - ET INFO DYNAMIC_DNS Query to a *.destroyerkisscover .com .br domain (info.rules)
  • 2065269 - ET INFO DYNAMIC_DNS HTTP Request to a *.destroyerkisscover .com .br domain (info.rules)
  • 2065270 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (endzed .asia) (malware.rules)
  • 2065271 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (endzed .asia) in TLS SNI (malware.rules)
  • 2065272 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (charityjs .com) (exploit_kit.rules)
  • 2065273 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hangxdl .asia) (malware.rules)
  • 2065274 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hangxdl .asia) in TLS SNI (malware.rules)
  • 2065275 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (niqateu .asia) (malware.rules)
  • 2065276 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (niqateu .asia) in TLS SNI (malware.rules)
  • 2065277 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (publishfavorharbouroe .site) (malware.rules)
  • 2065278 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (publishfavorharbouroe .site) in TLS SNI (malware.rules)
  • 2065279 - ET MALWARE TA569 Staging Server Domain in DNS Lookup (git .zionministry .org) (malware.rules)
  • 2065280 - ET MALWARE TA569 Staging Server Domain in TLS SNI (git .zionministry .org) (malware.rules)
  • 2065281 - ET WEB_SPECIFIC_APPS Nagios Log Server Admin API Credential Disclosure (CVE-2025-44823) (web_specific_apps.rules)
  • 2065282 - ET WEB_SPECIFIC_APPS Nagios Log Server API Unauthorized Access to Elasticsearch Service (CVE-2025-44824) (web_specific_apps.rules)
  • 2065283 - ET WEB_SPECIFIC_APPS better-auth Unauthenticated API Key Creation (CVE-2025-61928) (web_specific_apps.rules)

Pro:

  • 2864932 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864933 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864934 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864935 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864936 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864937 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864938 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864939 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864940 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864941 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864942 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864943 - ETPRO PHISHING Generic Phishing Landing Page M1 2025-10-21 (phishing.rules)
  • 2864944 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864945 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864946 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864947 - ETPRO PHISHING Generic Phishing Landing Page M2 2025-10-21 (phishing.rules)
  • 2864948 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864949 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864950 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864951 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864952 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864953 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864954 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864955 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864956 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864957 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864958 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864959 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864960 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2000006 - ET DOS Cisco Router HTTP DoS (dos.rules)
  • 2000011 - ET DOS Catalyst memory leak attack (dos.rules)
  • 2002095 - ET ADWARE_PUP CWS qck.cc Spyware Installer (web.php) (adware_pup.rules)
  • 2002829 - ET POLICY Googlebot Crawl (policy.rules)
  • 2002830 - ET POLICY Msnbot User Agent (policy.rules)
  • 2003551 - ET MALWARE Bandook v1.2 Kill Process Command (malware.rules)
  • 2003552 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Active (malware.rules)
  • 2003689 - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt – libsecure.php abs_path (web_specific_apps.rules)
  • 2003741 - ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt – header.php ote_home (web_specific_apps.rules)
  • 2003878 - ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt – header.php ote_home (web_specific_apps.rules)
  • 2003899 - ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js (web_specific_apps.rules)
  • 2003900 - ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm (web_specific_apps.rules)
  • 2003917 - ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt – index.php l (web_specific_apps.rules)
  • 2008220 - ET MALWARE Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server (malware.rules)
  • 2009188 - ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009712 - ET ADWARE_PUP Adware PlusDream - GET Config Download/Update (adware_pup.rules)
  • 2012784 - ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request (mobile_malware.rules)
  • 2013167 - ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server (exploit.rules)
  • 2013777 - ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request (exploit_kit.rules)
  • 2014217 - ET RETIRED Delf/Troxen/Zema controller delivering clickfraud instructions (retired.rules)
  • 2014308 - ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script (current_events.rules)
  • 2015672 - ET EXPLOIT_KIT Unknown Exploit Kit redirect (exploit_kit.rules)
  • 2016018 - ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit (exploit.rules)
  • 2016212 - ET MALWARE BroBot POST (malware.rules)
  • 2018239 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php (current_events.rules)
  • 2018706 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
  • 2019130 - ET EXPLOIT_KIT Astrum EK Landing (exploit_kit.rules)
  • 2019552 - ET MALWARE Sofacy HTTP Request hotfix-update.com (malware.rules)
  • 2019877 - ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014 (malware.rules)
  • 2020732 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data) (web_specific_apps.rules)
  • 2021042 - ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015 (exploit_kit.rules)
  • 2021043 - ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015 (exploit_kit.rules)
  • 2021183 - ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3 (web_client.rules)
  • 2021770 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021771 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2022424 - ET MALWARE Scarlet Mimic DNS Lookup 14 (malware.rules)
  • 2800124 - ETPRO RPC EMC Legato NetWorker Remote Exec Service Buffer Overflow (rpc.rules)
  • 2800125 - ETPRO EXPLOIT Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig Buffer Overflow 1 (exploit.rules)
  • 2800380 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Set (exploit.rules)
  • 2800381 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Buffer Overflow (exploit.rules)
  • 2800689 - ETPRO EXPLOIT Microsoft XML Core Services MIME Viewer Deference / Memory Corruption Race Condition (exploit.rules)
  • 2801382 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 4 (exploit.rules)
  • 2803392 - ETPRO MALWARE Variant.Buzy.641 Checkin 2 (malware.rules)
  • 2803393 - ETPRO MALWARE Variant.Buzy.641 Checkin (malware.rules)
  • 2803701 - ETPRO MALWARE Win32/Hatigh.D Checkin (malware.rules)
  • 2804840 - ETPRO MALWARE Trojan-Dropper.Win32.Injector.dvnk Checkin (malware.rules)
  • 2805707 - ETPRO MALWARE Backdoor.Win32.DarkMoon.BE Checkin 1 (malware.rules)
  • 2806856 - ETPRO MALWARE Backdoor.MeSub.ey CnC Response (malware.rules)
  • 2807247 - ETPRO MALWARE Splinter RAT Download (malware.rules)
  • 2807651 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0277) 2 (web_client.rules)
  • 2809495 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809496 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809606 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 1 (malware.rules)
  • 2810011 - ETPRO MALWARE PSW.MSIL.Agent.zje Checkin 2 (malware.rules)
  • 2814658 - ETPRO EXPLOIT_KIT Magnitude EK Landing Oct 29 2015 (exploit_kit.rules)
  • 2815582 - ETPRO MALWARE MoBi RAT CnC Checkin 2 (malware.rules)
  • 2815796 - ETPRO EXPLOIT_KIT Possible EK SSL Redir DNS Lookup (exploit_kit.rules)
  • 2815797 - ETPRO EXPLOIT_KIT Possible EK SSL Redir DNS Lookup (exploit_kit.rules)
  • 2816169 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.cb Checkin (mobile_malware.rules)
  • 2816170 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.cb Checkin 2 (mobile_malware.rules)
  • 2820363 - ETPRO POLICY External IP Address Check - (ddnss.de) (policy.rules)
  • 2820791 - ETPRO MALWARE Ursnif Injects Domain in SNI (malware.rules)
  • 2820792 - ETPRO MALWARE Ursnif Injects Domain in SNI (malware.rules)
  • 2823444 - ETPRO MALWARE Malicious SSL Certificate Detected (Ursnif Injects) (malware.rules)