Ruleset Update Summary - 2025/10/23 - v11047

Ruleset Updates
1

Summary:

32 new OPEN, 43 new PRO (32 + 11)

Thanks @LabsSentinel

Added rules:

Open:

  • 2065334 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (princess-mens-club .com) (malware.rules)
  • 2065335 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (princess-mens .click) (malware.rules)
  • 2065336 - ET MALWARE Observed PhantomCaptcha Domain (princess-mens-club .com) in TLS SNI (malware.rules)
  • 2065337 - ET MALWARE Observed PhantomCaptcha Domain (princess-mens .click) in TLS SNI (malware.rules)
  • 2065338 - ET MALWARE Phantom Captcha Fake Chrome User-Agent Observed (malware.rules)
  • 2065339 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (bsnowcommunications .com) (malware.rules)
  • 2065340 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (lapas .live) (malware.rules)
  • 2065341 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (zoomconference .click) (malware.rules)
  • 2065342 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (goodhillsenterprise .com) (malware.rules)
  • 2065343 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (aerobionix .com) (malware.rules)
  • 2065344 - ET MALWARE Observed DNS Query to Phantom Captcha Domain (zoomconference .app) (malware.rules)
  • 2065345 - ET MALWARE Observed Phantom Captcha Domain (bsnowcommunications .com in TLS SNI) (malware.rules)
  • 2065346 - ET INFO VNT VPN Domain in DNS Lookup (vnt .8443 .eu .org) (info.rules)
  • 2065347 - ET INFO VNT VPN Domain in DNS Lookup (vnt .wherewego .top) (info.rules)
  • 2065348 - ET MALWARE Observed Phantom Captcha Domain (lapas .live in TLS SNI) (malware.rules)
  • 2065349 - ET INFO Observed VNT VPN Domain (vnt .8443 .eu .org in TLS SNI) (info.rules)
  • 2065350 - ET INFO Observed VNT VPN Domain (vnt .wherewego .top in TLS SNI) (info.rules)
  • 2065351 - ET MALWARE Observed Phantom Captcha Domain (zoomconference .click in TLS SNI) (malware.rules)
  • 2065352 - ET MALWARE Observed Phantom Captcha Domain (goodhillsenterprise .com in TLS SNI) (malware.rules)
  • 2065353 - ET MALWARE Observed Phantom Captcha Domain (aerobionix .com in TLS SNI) (malware.rules)
  • 2065354 - ET MALWARE Observed Phantom Captcha Domain (zoomconference .app in TLS SNI) (malware.rules)
  • 2065355 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (estate .verano .life) (malware.rules)
  • 2065356 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (investor .veranofund .com) (malware.rules)
  • 2065357 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (configure .visionsflorida .com) (malware.rules)
  • 2065358 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .paquetesparaorlando .com) (malware.rules)
  • 2065359 - ET MALWARE Phantom Captcha Client Checkin (malware.rules)
  • 2065360 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (estate .verano .life) (malware.rules)
  • 2065361 - ET WEB_SPECIFIC_APPS Ilevia mbus_build_from_csv.php Multiple Parameters Command Injection Attempt (CVE-2025-34513) (web_specific_apps.rules)
  • 2065362 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (investor .veranofund .com) (malware.rules)
  • 2065363 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (configure .visionsflorida .com) (malware.rules)
  • 2065364 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .paquetesparaorlando .com) (malware.rules)
  • 2065365 - ET WEB_SPECIFIC_APPS Ilevia index.php error Parameter Cross Site Scripting Attempt (web_specific_apps.rules)

Pro:

  • 2864967 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864968 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864969 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864970 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864971 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864972 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864973 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864974 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864975 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864976 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2864977 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2001521 - ET ADWARE_PUP Spywaremover Activity (adware_pup.rules)
  • 2002881 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port (snmp.rules)
  • 2002933 - ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request (adware_pup.rules)
  • 2003525 - ET ADWARE_PUP Supergames.aavalue.com Spyware (adware_pup.rules)
  • 2003554 - ET MALWARE Bandook v1.2 Client Ping Reply (malware.rules)
  • 2003719 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt – lom_update.php ETCDIR (web_specific_apps.rules)
  • 2003720 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt – check-lom.php ETCDIR (web_specific_apps.rules)
  • 2003915 - ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt – picture.php picture (web_specific_apps.rules)
  • 2007664 - ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product (adware_pup.rules)
  • 2007723 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr (attack_response.rules)
  • 2009096 - ET MALWARE Tigger.a/Syzor Control Checkin (malware.rules)
  • 2009382 - ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion (web_specific_apps.rules)
  • 2016022 - ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME (web_client.rules)
  • 2018494 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018994 - ET MALWARE Win32/Xema dropping file (malware.rules)
  • 2019134 - ET WEB_CLIENT Flashpack Redirect Method 2 (web_client.rules)
  • 2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 (web_server.rules)
  • 2019709 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019879 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2022328 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022428 - ET MALWARE Scarlet Mimic DNS Lookup 18 (malware.rules)
  • 2023584 - ET MALWARE Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld) (malware.rules)
  • 2100319 - GPL EXPLOIT bootp x86 linux overflow (exploit.rules)
  • 2100388 - GPL ICMP_INFO Address Mask Request (icmp_info.rules)
  • 2100389 - GPL ICMP Address Mask Request undefined code (icmp.rules)
  • 2101939 - GPL MISC bootp hardware address length overflow (misc.rules)
  • 2800127 - ETPRO EXPLOIT Trend Micro ServerProtect RPCFN Engine RPC Buffer Overflows 1 (exploit.rules)
  • 2800383 - ETPRO ADWARE_PUP LOST DOOR 3.0 (init connection) (adware_pup.rules)
  • 2800692 - ETPRO EXPLOIT Trend Micro ServerProtect RPC ENG_SetRealTimeScanConfigInfo Buffer Overflow (exploit.rules)
  • 2800792 - ETPRO EXPLOIT MailEnable IMAP STATUS Command Buffer Overflow (exploit.rules)
  • 2801385 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
  • 2801982 - ETPRO MALWARE Likely Redirect to Exploit Pack (malware.rules)
  • 2802982 - ETPRO MALWARE Win32.Arsinfoder.A Checkin 1 (malware.rules)
  • 2802983 - ETPRO MALWARE Win32.Arsinfoder.A Checkin 2 (malware.rules)
  • 2803097 - ETPRO MALWARE Win32.Cossta.ntv Checkin (malware.rules)
  • 2803098 - ETPRO MALWARE Win32.Rorpian.A Checkin 1 (malware.rules)
  • 2803233 - ETPRO MALWARE Variant.Kazy.15105 Checkin (malware.rules)
  • 2803234 - ETPRO MALWARE Generic.5580844 Checkin (malware.rules)
  • 2803703 - ETPRO USER_AGENTS Win32/Joiner.A User-Agent (Microsoft Windows - Output Audio Director) (user_agents.rules)
  • 2803866 - ETPRO MALWARE Win32/Nosrawec.C Checkin (malware.rules)
  • 2804746 - ETPRO ADWARE_PUP Rogue.Win32/Onescan Checkin (adware_pup.rules)
  • 2804841 - ETPRO MALWARE Win32/Opachki.F Checkin (malware.rules)
  • 2805710 - ETPRO MALWARE PSW.LdPinch.NCB Reporting via SMTP (malware.rules)
  • 2806342 - ETPRO MALWARE Win32.ShipUp.boz Download (malware.rules)
  • 2806987 - ETPRO DOS Active Directory DOS (CVE-2013-3868) (dos.rules)
  • 2807512 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client.rules)
  • 2807654 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0283) (web_client.rules)
  • 2807793 - ETPRO MALWARE Win32/Rootkit.BlackEnergy.AG Checkin (malware.rules)
  • 2808750 - ETPRO EXPLOIT_KIT Flashpack EK Thread 3 Sep 05 2014 (exploit_kit.rules)
  • 2809383 - ETPRO MALWARE Win32/Teerac.A .onion Proxy Domain (humapzcmz744fe7y) (malware.rules)
  • 2809499 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2810885 - ETPRO MALWARE Galaxy Keylogger V3 Reporting Infection Via SMTP (malware.rules)
  • 2812199 - ETPRO EXPLOIT_KIT Magnitude EK SilverLight Exploit Jul 28 2015 M2 (exploit_kit.rules)
  • 2815190 - ETPRO MALWARE W32/Sofacy Variant (CHOPSTICK) CnC 2 (malware.rules)
  • 2816361 - ETPRO MALWARE Ursnif Inject CnC Response 2 (malware.rules)
  • 2816762 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2820366 - ETPRO MALWARE MSIL/Banker.M Requesting Binary from SQL 2 (malware.rules)
  • 2820794 - ETPRO MALWARE Ursnif Injects Domain in SNI (malware.rules)
  • 2823446 - ETPRO MALWARE Malicious SSL Certificate Detected (Ursnif Injects) (malware.rules)
  • 2823447 - ETPRO MALWARE Malicious SSL Certificate Detected (Zeus OPENSSL) (malware.rules)
  • 2823657 - ETPRO MALWARE Observed Malicious SSL Cert (JS/Ostap Downloader) (malware.rules)
  • 2823858 - ETPRO MALWARE W32.Shigo Ransomware Checkin (malware.rules)