Ruleset Update Summary - 2025/10/24 - v11048

Summary:

33 new OPEN, 62 new PRO (33 + 29)

Thanks @suyog41


Added rules:

Open:

  • 2065366 - ET PHISHING Tykit Domain in DNS Lookup (segy .xyz) (phishing.rules)
  • 2065367 - ET PHISHING Tykit Domain in DNS Lookup (segy .zip) (phishing.rules)
  • 2065368 - ET PHISHING Tykit Domain in DNS Lookup (segy .shop) (phishing.rules)
  • 2065369 - ET PHISHING Tykit Domain in DNS Lookup (segy .cc) (phishing.rules)
  • 2065370 - ET PHISHING Tykit Domain in DNS Lookup (segy2 .cc) (phishing.rules)
  • 2065371 - ET PHISHING Observed TyKit Domain (segy .xyz in TLS SNI) (phishing.rules)
  • 2065372 - ET PHISHING Observed TyKit Domain (segy .zip in TLS SNI) (phishing.rules)
  • 2065373 - ET PHISHING Observed TyKit Domain (segy .shop in TLS SNI) (phishing.rules)
  • 2065374 - ET PHISHING Observed TyKit Domain (segy .cc in TLS SNI) (phishing.rules)
  • 2065375 - ET PHISHING Observed TyKit Domain (segy2 .cc in TLS SNI) (phishing.rules)
  • 2065376 - ET PHISHING TyKit CnC Request M1 2025-10-23 (phishing.rules)
  • 2065377 - ET PHISHING TyKit CnC Request M2 2025-10-23 (phishing.rules)
  • 2065378 - ET PHISHING TyKit Exfil M1 2025-10-23 (phishing.rules)
  • 2065379 - ET PHISHING TyKit Exfil M2 2025-10-23 (phishing.rules)
  • 2065380 - ET MALWARE Valkyrie Stealer Data Exfiltration Attempt M1 (malware.rules)
  • 2065381 - ET MALWARE Valkyrie Stealer CnC Domain in DNS Lookup (thenewflights .xyz) (malware.rules)
  • 2065382 - ET WEB_SERVER Microsoft Windows Server Update Services (WSUS) Unauthenticated Remote Code Execution via Insecure Deserialization (CVE-2025-59287) (web_server.rules)
  • 2065383 - ET MALWARE Shark Stealer Domain (windowsupdateorg .live) in DNS Lookup (malware.rules)
  • 2065384 - ET MALWARE Shark Stealer CnC Checkin (malware.rules)
  • 2065385 - ET MALWARE Valkyrie Stealer Data Exfiltration Attempt M2 (malware.rules)
  • 2065386 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (auctiongutollyjkui .shop) (malware.rules)
  • 2065387 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (auctiongutollyjkui .shop) in TLS SNI (malware.rules)
  • 2065388 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (joiner .best) (exploit_kit.rules)
  • 2065389 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (demo .halfmoonboulder .com) (malware.rules)
  • 2065390 - ET MALWARE APT36/TransparentTribe Domain (modgovindia .com) in DNS Lookup (malware.rules)
  • 2065391 - ET MALWARE APT36/TransparentTribe Domain (newforsomething .rest) in DNS Lookup (malware.rules)
  • 2065392 - ET MALWARE APT36/TransparentTribe Domain (seeconnectionalive .website) in DNS Lookup (malware.rules)
  • 2065393 - ET MALWARE Observed APT36/TransparentTribe Domain (modgovindia .com in TLS SNI) (malware.rules)
  • 2065394 - ET MALWARE Observed APT36/TransparentTribe Domain (newforsomething .rest in TLS SNI) (malware.rules)
  • 2065395 - ET MALWARE Observed APT36/TransparentTribe Domain (seeconnectionalive .website in TLS SNI) (malware.rules)
  • 2065396 - ET WEB_SPECIFIC_APPS Adobe Commerce & Magento SessionReaper Unauthenticated Remote Code Execution (CVE-2025-54236) (web_specific_apps.rules)
  • 2065397 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (demo .halfmoonboulder .com) (malware.rules)
  • 2065398 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (joiner .best) (exploit_kit.rules)

Pro:

  • 2864978 - ETPRO MALWARE TA450 CnC Checkin (POST) (malware.rules)
  • 2864979 - ETPRO MALWARE TA450 CnC Auth Login (POST) (malware.rules)
  • 2864980 - ETPRO MALWARE TA450 CnC GET Status (malware.rules)
  • 2864981 - ETPRO MALWARE TA450 CnC Server Status Response Inbound (malware.rules)
  • 2864982 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
  • 2864983 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
  • 2864984 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
  • 2864985 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
  • 2864986 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
  • 2864987 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
  • 2864988 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
  • 2864989 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
  • 2864990 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864991 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864992 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864993 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864994 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864995 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864996 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864997 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864998 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864999 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865000 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865001 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865002 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865003 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865004 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865005 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865006 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001748 - ET ADWARE_PUP Pynix.dll BHO Activity (adware_pup.rules)
  • 2002740 - ET ADWARE_PUP adservs.com Spyware (adware_pup.rules)
  • 2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (snmp.rules)
  • 2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (snmp.rules)
  • 2002944 - ET POLICY python.urllib User Agent (policy.rules)
  • 2003556 - ET MALWARE Bandook v1.35 Keepalive Send (malware.rules)
  • 2003721 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR (web_specific_apps.rules)
  • 2004559 - ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs (web_specific_apps.rules)
  • 2008347 - ET MALWARE Swizzor Checkin (malware.rules)
  • 2009880 - ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 3 (adware_pup.rules)
  • 2014115 - ET MALWARE Delf/Troxen/Zema Reporting 2 (malware.rules)
  • 2014464 - ET MALWARE DwnLdr-JMZ Downloading Binary (malware.rules)
  • 2016403 - ET EXPLOIT_KIT CoolEK Payload - obfuscated binary base 0 (exploit_kit.rules)
  • 2017095 - ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class (exploit_kit.rules)
  • 2017747 - ET MALWARE Trojan-Downloader Win32.Genome.AV server response (malware.rules)
  • 2018600 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019135 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 (web_server.rules)
  • 2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 (web_server.rules)
  • 2019553 - ET MALWARE Sofacy HTTP Request microsofi.org (malware.rules)
  • 2019881 - ET MALWARE Chthonic Check-in (malware.rules)
  • 2021129 - ET MALWARE Blue Bot DDoS Blog Request (malware.rules)
  • 2021130 - ET MALWARE Blue Bot DDoS Target Request (malware.rules)
  • 2021186 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021426 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021546 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2022329 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022429 - ET MALWARE Scarlet Mimic DNS Lookup 19 (malware.rules)
  • 2023453 - ET MALWARE Ransomware/Cerber Checkin 2 (malware.rules)
  • 2023585 - ET MALWARE Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j) (malware.rules)
  • 2100391 - GPL ICMP Alternate Host Address undefined code (icmp.rules)
  • 2100504 - GPL MISC source port 53 to <1024 (misc.rules)
  • 2102039 - GPL EXPLOIT bootp hostname format string attempt (exploit.rules)
  • 2800128 - ETPRO EXPLOIT Trend Micro ServerProtect RPCFN Engine RPC Buffer Overflows 2 (exploit.rules)
  • 2800129 - ETPRO EXPLOIT Trend Micro ServerProtect RPCFN Engine RPC Buffer Overflows 3 (exploit.rules)
  • 2800693 - ETPRO EXPLOIT Trend Micro ServerProtect RPC ENG_SetRealTimeScanConfigInfo Buffer Overflow (exploit.rules)
  • 2801386 - ETPRO WORM Worm.Win32.Imamihong.A Activity 2 (worm.rules)
  • 2801983 - ETPRO MALWARE Known Redirect Cookie to Exploit Pack (malware.rules)
  • 2803099 - ETPRO MALWARE Win32.Rorpian.A Checkin 2 (malware.rules)
  • 2803548 - ETPRO MALWARE Win32/Bedobot.A Checkin (malware.rules)
  • 2803705 - ETPRO MALWARE Trojan.Win32.ToriaSpy.A Checkin (malware.rules)
  • 2804003 - ETPRO EXPLOIT Cisco Unified Communications Manager Directory Traversal (exploit.rules)
  • 2804004 - ETPRO EXPLOIT Cisco Unified Communications Manager Request to sensitive file platformConfig.xml (exploit.rules)
  • 2804846 - ETPRO MALWARE Win32/Ponfoy.A Checkin (malware.rules)
  • 2804969 - ETPRO MALWARE Mal/ZboCheMan-D Checkin (malware.rules)
  • 2804970 - ETPRO MALWARE Trojan.Win32.Inse.c Checkin (malware.rules)
  • 2805255 - ETPRO MALWARE Trojan Madi/Mahdi Checkin (malware.rules)
  • 2805392 - ETPRO EXPLOIT_KIT Orange Exploit Kit Infector (exploit_kit.rules)
  • 2805545 - ETPRO MALWARE Trojan-Dropper.Win32.Smiscer.hf Checkin (malware.rules)
  • 2805546 - ETPRO ADWARE_PUP Adware.Win32.Facetheme Checkin (adware_pup.rules)
  • 2805711 - ETPRO MALWARE Trojan.Win32.Llac.cxaz Checkin (malware.rules)
  • 2805712 - ETPRO MALWARE W32/Banker.ULW!tr Checkin (malware.rules)
  • 2805997 - ETPRO MOBILE_MALWARE Monitoring-Tool.Android/Trackplus.A Checkin (mobile_malware.rules)
  • 2806104 - ETPRO MALWARE TROJ_AGENT.EVF checkin (malware.rules)
  • 2807014 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.eh Checkin (mobile_malware.rules)
  • 2807655 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0284) (web_client.rules)
  • 2807656 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0285) (web_client.rules)
  • 2807795 - ETPRO MALWARE Win32/Quervar.C Possible NetBIOS Query (KASPERSKY) (malware.rules)
  • 2809500 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809501 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2812528 - ETPRO MALWARE Win32/Misdat.A CnC Checkin (malware.rules)
  • 2812790 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fj Checkin (mobile_malware.rules)
  • 2814440 - ETPRO MALWARE Win32/Bagoox.A Checkin (malware.rules)
  • 2815191 - ETPRO MALWARE W32/Sofacy Variant (CHOPSTICK) CnC 2 (malware.rules)
  • 2816173 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2820573 - ETPRO MALWARE TorrentLocker DNS query to Domain *.varstent.net (malware.rules)
  • 2823134 - ETPRO MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)

Disabled and modified rules:

  • 2043275 - ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com) (malware.rules)
  • 2054444 - ET MALWARE Observed Malvertising Domain (ciltrix .com in TLS SNI) (malware.rules)
  • 2054445 - ET MALWARE Observed Malvertising Domain (doxy .ws in TLS SNI) (malware.rules)
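
Worked example, added here and not part of the Emerging Threats release note or the ET/Proofpoint tooling: a small Python parser for update summaries in this layout. It turns the bullet lines into (section, SID, msg, rulefile) records, refangs the space-before-dot domains that ET uses in rule titles (e.g. "demo .halfmoonboulder .com") into a domain-to-SID map for hunting or blocklisting, emits the SIDs under "Disabled and modified rules" as bare-SID lines for suricata-update's disable.conf, and recomputes the "N new OPEN, M new PRO (N + K)" header, where the PRO figure is OPEN plus PRO-only. The embedded SAMPLE is a constructed excerpt of the summary above with its header counts adjusted to the excerpt; all names in the code are the example's own.

```python
"""Parse an ET ruleset update summary into SIDs, refanged indicators and
suricata-update disable.conf lines. Added example; not ET/Proofpoint code."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the layout of the summary above (a handful of its
# entries, with the header counts adjusted to match this excerpt).
SAMPLE = """Ruleset Update Summary - 2025/10/24 - v11048

Summary:

3 new OPEN, 4 new PRO (3 + 1)

Added rules:

Open:

  • 2065366 - ET PHISHING Tykit Domain in DNS Lookup (segy .xyz) (phishing.rules)
  • 2065371 - ET PHISHING Observed TyKit Domain (segy .xyz in TLS SNI) (phishing.rules)
  • 2065389 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (demo .halfmoonboulder .com) (malware.rules)

Pro:

  • 2865006 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2043275 - ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com) (malware.rules)
  • 2054444 - ET MALWARE Observed Malvertising Domain (ciltrix .com in TLS SNI) (malware.rules)
"""

HEADER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*):\s*$")
ENTRY = re.compile(r"^\s*•\s*(?P<sid>\d+)\s*-\s*(?P<msg>.*?)\s*\((?P<file>[a-z_]+\.rules)\)\s*$")
COUNTS = re.compile(r"^(?P<open>\d+) new OPEN, (?P<pro>\d+) new PRO \((?P<o>\d+) \+ (?P<p>\d+)\)$", re.M)
# ET defangs domains by putting a space before each dot: "demo .halfmoonboulder .com"
DEFANGED = re.compile(r"\b[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+\b")


@dataclass(frozen=True)
class Rule:
    section: str   # "Added rules/Open", "Added rules/Pro", "Disabled and modified rules", ...
    sid: int
    msg: str
    rulefile: str


def parse_summary(text):
    """Return one Rule per bullet line, tagged with the section it appeared under."""
    rules, section = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            name = h["name"]
            if name in ("Open", "Pro"):
                section = f"Added rules/{name}"
            elif name != "Summary":
                section = name
            continue
        e = ENTRY.match(line)
        if e and section:
            rules.append(Rule(section, int(e["sid"]), e["msg"], e["file"]))
    return rules


def indicators(rules):
    """Refanged domain -> sorted SIDs whose msg names it (for blocklists / hunting)."""
    seen = {}
    for r in rules:
        for d in DEFANGED.findall(r.msg):
            seen.setdefault(d.replace(" .", ".").lower(), set()).add(r.sid)
    return {d: sorted(s) for d, s in seen.items()}


def disable_conf(rules):
    """Bare-SID lines, as accepted by suricata-update's disable.conf, for rules the summary disables."""
    return [str(r.sid) for r in rules if r.section == "Disabled and modified rules"]


def check_counts(text, rules):
    """Recompute the 'N new OPEN, M new PRO (N + K)' line; PRO = OPEN + PRO-only."""
    m = COUNTS.search(text)
    by_section = Counter(r.section for r in rules)
    n_open, n_pro_only = by_section["Added rules/Open"], by_section["Added rules/Pro"]
    ok = bool(m) and (int(m["open"]), int(m["pro"]), int(m["o"]), int(m["p"])) == (
        n_open, n_open + n_pro_only, n_open, n_pro_only)
    return {"open": n_open, "pro_only": n_pro_only, "pro_total": n_open + n_pro_only, "matches": ok}


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(check_counts(SAMPLE, parsed))
    for domain, sids in indicators(parsed).items():
        print(f"{domain}\t{','.join(map(str, sids))}")
    print("\n".join(disable_conf(parsed)))
```

Feed it the full note instead of SAMPLE to get every refanged domain with the SIDs that cover it, and to confirm that the 33 + 29 entries listed under Open and Pro match the header's "33 new OPEN, 62 new PRO (33 + 29)". The refanging only handles ET's space-before-dot style; titles that name a .onion label or an already-plain domain (e.g. "*.varstent.net") pass through untouched.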