Ruleset Update Summary - 2025/10/22 - v11046

Ruleset Updates
1

Summary:

50 new OPEN, 68 new PRO (50 + 18)

Thanks @kaspersky

Added rules:

Open:

  • 2065284 - ET ADWARE_PUP Observed DNS Query to Abused Tools Domain - Commonly Used for SMTP Exfil (4t-niagara .com) (adware_pup.rules)
  • 2065285 - ET ADWARE_PUP Observed Abused Tools Domain in TLS SNI - Commonly Used for SMTP Exfil (4t-niagara .com) (adware_pup.rules)
  • 2065286 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (office-account .ru) (malware.rules)
  • 2065287 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (email-office .ru) (malware.rules)
  • 2065288 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (verifikations .ru) (malware.rules)
  • 2065289 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (supersuit .site) (malware.rules)
  • 2065290 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (email-informer .ru) (malware.rules)
  • 2065291 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (downdown .ru) (malware.rules)
  • 2065292 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (detectis .ru) (malware.rules)
  • 2065293 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (outinfo .ru) (malware.rules)
  • 2065294 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (redaction-voenmeh .info) (malware.rules)
  • 2065295 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (deauthorization .online) (malware.rules)
  • 2065296 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (accouts-verification .ru) (malware.rules)
  • 2065297 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (users-mail .ru) (malware.rules)
  • 2065298 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (mail-cheker .nl) (malware.rules)
  • 2065299 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (vniir .nl) (malware.rules)
  • 2065300 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (office-email .ru) (malware.rules)
  • 2065301 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (claud-mail .ru) (malware.rules)
  • 2065302 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (vniir .space) (malware.rules)
  • 2065303 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (acountservices .nl) (malware.rules)
  • 2065304 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (center-mail .ru) (malware.rules)
  • 2065305 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (bmapps .org) (malware.rules)
  • 2065306 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (anyhostings .ru) (malware.rules)
  • 2065307 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (dragonfires .ru) (malware.rules)
  • 2065308 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (unifikator .ru) (malware.rules)
  • 2065309 - ET MALWARE Observed DNS Query to Librarian Ghoul Domain (anyinfos .ru) (malware.rules)
  • 2065310 - ET MALWARE Observed Librarian Ghoul Domain (office-account .ru in TLS SNI) (malware.rules)
  • 2065311 - ET MALWARE Observed Librarian Ghoul Domain (email-office .ru in TLS SNI) (malware.rules)
  • 2065312 - ET MALWARE Observed Librarian Ghoul Domain (verifikations .ru in TLS SNI) (malware.rules)
  • 2065313 - ET MALWARE Observed Librarian Ghoul Domain (supersuit .site in TLS SNI) (malware.rules)
  • 2065314 - ET MALWARE Observed Librarian Ghoul Domain (email-informer .ru in TLS SNI) (malware.rules)
  • 2065315 - ET MALWARE Observed Librarian Ghoul Domain (downdown .ru in TLS SNI) (malware.rules)
  • 2065316 - ET MALWARE Observed Librarian Ghoul Domain (detectis .ru in TLS SNI) (malware.rules)
  • 2065317 - ET MALWARE Observed Librarian Ghoul Domain (outinfo .ru in TLS SNI) (malware.rules)
  • 2065318 - ET MALWARE Observed Librarian Ghoul Domain (redaction-voenmeh .info in TLS SNI) (malware.rules)
  • 2065319 - ET MALWARE Observed Librarian Ghoul Domain (deauthorization .online in TLS SNI) (malware.rules)
  • 2065320 - ET MALWARE Observed Librarian Ghoul Domain (accouts-verification .ru in TLS SNI) (malware.rules)
  • 2065321 - ET MALWARE Observed Librarian Ghoul Domain (users-mail .ru in TLS SNI) (malware.rules)
  • 2065322 - ET MALWARE Observed Librarian Ghoul Domain (mail-cheker .nl in TLS SNI) (malware.rules)
  • 2065323 - ET MALWARE Observed Librarian Ghoul Domain (vniir .nl in TLS SNI) (malware.rules)
  • 2065324 - ET MALWARE Observed Librarian Ghoul Domain (office-email .ru in TLS SNI) (malware.rules)
  • 2065325 - ET MALWARE Observed Librarian Ghoul Domain (claud-mail .ru in TLS SNI) (malware.rules)
  • 2065326 - ET MALWARE Observed Librarian Ghoul Domain (vniir .space in TLS SNI) (malware.rules)
  • 2065327 - ET MALWARE Observed Librarian Ghoul Domain (acountservices .nl in TLS SNI) (malware.rules)
  • 2065328 - ET MALWARE Observed Librarian Ghoul Domain (center-mail .ru in TLS SNI) (malware.rules)
  • 2065329 - ET MALWARE Observed Librarian Ghoul Domain (bmapps .org in TLS SNI) (malware.rules)
  • 2065330 - ET MALWARE Observed Librarian Ghoul Domain (anyhostings .ru in TLS SNI) (malware.rules)
  • 2065331 - ET MALWARE Observed Librarian Ghoul Domain (dragonfires .ru in TLS SNI) (malware.rules)
  • 2065332 - ET MALWARE Observed Librarian Ghoul Domain (unifikator .ru in TLS SNI) (malware.rules)
  • 2065333 - ET MALWARE Observed Librarian Ghoul Domain (anyinfos .ru in TLS SNI) (malware.rules)

Pro:

  • 2864944 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864945 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864946 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864948 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864949 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864950 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864951 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864953 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864957 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2864958 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864959 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864960 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2864961 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2864962 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2864963 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864964 - ETPRO MALWARE Observed DNS Query to WhiteCat-Lib Stealer Domain (malware.rules)
  • 2864965 - ETPRO MALWARE Observed WhiteCat-Lib Stealer Domain in TLS SNI (malware.rules)
  • 2864966 - ETPRO EXPLOIT_KIT Observed Generic TDS Activity (exploit_kit.rules)

Modified inactive rules:

  • 2002831 - ET POLICY Msnbot Crawl (policy.rules)
  • 2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (snmp.rules)
  • 2003547 - ET ADWARE_PUP Privacyprotector.com Fake Anti-Spyware Install (adware_pup.rules)
  • 2003553 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Off (malware.rules)
  • 2003718 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt – lom.php ETCDIR (web_specific_apps.rules)
  • 2003901 - ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll (web_specific_apps.rules)
  • 2007715 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - user (attack_response.rules)
  • 2008757 - ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST (adware_pup.rules)
  • 2009347 - ET MALWARE Tigger.a/Syzor Checkin (malware.rules)
  • 2012227 - ET MALWARE FAKEAV Gemini softupdate*.exe download (malware.rules)
  • 2012644 - ET EXPLOIT Java Exploit Attempt Request for hostile binary (exploit.rules)
  • 2014114 - ET MALWARE Delf/Troxen/Zema Reporting 1 (malware.rules)
  • 2014309 - ET MALWARE W32/LockScreen Scareware Geolocation Request (malware.rules)
  • 2015792 - ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12 (exploit_kit.rules)
  • 2015793 - ET EXPLOIT Scalaxy Java Exploit 10/11/12 (exploit.rules)
  • 2016397 - ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE (CVE-2013-0634) (web_client.rules)
  • 2016400 - ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634) (web_client.rules)
  • 2018240 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php (current_events.rules)
  • 2018493 - ET WEB_CLIENT Sweet Orange WxH redirection (web_client.rules)
  • 2018707 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018708 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019131 - ET EXPLOIT_KIT Astrum EK Landing (exploit_kit.rules)
  • 2019708 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019878 - ET MALWARE Destover RAT Check-in (malware.rules)
  • 2020733 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie) (web_specific_apps.rules)
  • 2021044 - ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015 (exploit_kit.rules)
  • 2021045 - ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015 (exploit_kit.rules)
  • 2021695 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2021772 - ET MALWARE Malicious SSL certificate detected (FindPOS) (malware.rules)
  • 2022010 - ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29 (web_client.rules)
  • 2100387 - GPL ICMP Address Mask Reply undefined code (icmp.rules)
  • 2102340 - GPL FTP SITE CHMOD overflow attempt (ftp.rules)
  • 2103095 - GPL NETBIOS SMB-DS llsrpc unicode create tree attempt (netbios.rules)
  • 2800126 - ETPRO EXPLOIT Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig Buffer Overflow (exploit.rules)
  • 2800382 - ETPRO EXPLOIT Trend Micro OfficeScan Multiple CGI Modules HTTP Form Processing Buffer Overflow (exploit.rules)
  • 2801383 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
  • 2801384 - ETPRO WORM Worm.Win32.Imamihong.A Activity 1 (worm.rules)
  • 2803394 - ETPRO MALWARE Trojan.Win32.Banker.BXF Checkin (malware.rules)
  • 2803865 - ETPRO MALWARE Trojan.Generic.6643598 Checkin (malware.rules)
  • 2804000 - ETPRO MALWARE Worm.Win32/Skopvel.gen!A Checkin (malware.rules)
  • 2804001 - ETPRO MALWARE Win32/TrojanDownloader.Delf.QUT Checkin (malware.rules)
  • 2804463 - ETPRO EXPLOIT libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0 and Cisco IronPort Appliances Buffer overflow (exploit.rules)
  • 2804464 - ETPRO ADWARE_PUP BHO.Win32.Zwangi!IK Install (adware_pup.rules)
  • 2804967 - ETPRO MALWARE Win32/Bancos.AEW Checkin (malware.rules)
  • 2805253 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.W Checkin (adware_pup.rules)
  • 2805708 - ETPRO MALWARE Backdoor.Win32.DarkMoon.BE Checkin 2 (malware.rules)
  • 2806990 - ETPRO DOS Active Directory DOS (CVE-2013-3868) (dos.rules)
  • 2807248 - ETPRO MALWARE Splinter RAT Client Reporting (malware.rules)
  • 2807249 - ETPRO MALWARE Splinter RAT Server To Client Coms (malware.rules)
  • 2807511 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
  • 2807652 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0279) (web_client.rules)
  • 2807653 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0281) (web_client.rules)
  • 2808487 - ETPRO MOBILE_MALWARE Worm.AndroidOS.Samsapo Checkin (mobile_malware.rules)
  • 2808894 - ETPRO MOBILE_MALWARE Android.Trojan.Magwei.A Checkin (mobile_malware.rules)
  • 2808895 - ETPRO MOBILE_MALWARE Android.Trojan.Magwei.A Checkin 2 (mobile_malware.rules)
  • 2809497 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809498 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809607 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 2 (malware.rules)
  • 2809608 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 3 (malware.rules)
  • 2810715 - ETPRO MALWARE VBS.BackDoor.DuCk.1 Checkin 1 (malware.rules)
  • 2811249 - ETPRO MALWARE Naikon Domain in SNI (malware.rules)
  • 2811250 - ETPRO MOBILE_MALWARE Android/SMForw.AC Checkin (mobile_malware.rules)
  • 2812198 - ETPRO EXPLOIT_KIT Magnitude EK SilverLight Exploit Jul 28 2015 M1 (exploit_kit.rules)
  • 2815390 - ETPRO MALWARE AlphaCrypt Payment Page (malware.rules)
  • 2815584 - ETPRO MALWARE MoBi RAT CnC Checkin (malware.rules)
  • 2815585 - ETPRO MALWARE Win32.Cl0wnbot Checkin (malware.rules)
  • 2816359 - ETPRO MALWARE Ursnif Inject CnC Request 2 (malware.rules)
  • 2816360 - ETPRO MALWARE Ursnif Inject CnC Response 1 (malware.rules)
  • 2816761 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2820793 - ETPRO MALWARE Ursnif Injects Domain in SNI (malware.rules)
  • 2823445 - ETPRO MALWARE Malicious SSL Certificate Detected (Ursnif Injects) (malware.rules)

Removed rules:

  • 2864944 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864945 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864946 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864948 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864949 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864950 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864951 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864953 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864957 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
  • 2864958 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864959 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
  • 2864960 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)