Ruleset Update Summary - 2025/10/28 - v11050

Summary:

32 new OPEN, 34 new PRO (32 + 2)

Thanks @aryakanetworks

Friday (10/31) is a team holiday, and there will not be a release that day.


Added rules:

Open:

  • 2065529 - ET MALWARE EtherHiding Magecart Exfil M1 (malware.rules)
  • 2065530 - ET MALWARE EtherHiding Magecart Exfil M2 (malware.rules)
  • 2065531 - ET HUNTING Google API AddItNow Open Redirect Link Inbound (hunting.rules)
  • 2065532 - ET PHISHING Common Phish Redirect Chain - GCS to divists .us .com (phishing.rules)
  • 2065533 - ET PHISHING Observed DNS Query to Phish Landing Page Domain (1wckjo .life) (phishing.rules)
  • 2065534 - ET PHISHING Observed DNS Query to Phish Landing Page Domain (1wkcif .com) (phishing.rules)
  • 2065535 - ET PHISHING Observed DNS Query to Phish Landing Page Domain (1whrrf .life) (phishing.rules)
  • 2065536 - ET PHISHING Observed DNS Query to Phish Landing Page Domain (1wvipf .com) (phishing.rules)
  • 2065537 - ET PHISHING Observed Phish Landing Page Domain (1wckjo .life in TLS SNI) (phishing.rules)
  • 2065538 - ET PHISHING Observed Phish Landing Page Domain (1wkcif .com in TLS SNI) (phishing.rules)
  • 2065539 - ET PHISHING Observed Phish Landing Page Domain (1whrrf .life in TLS SNI) (phishing.rules)
  • 2065540 - ET PHISHING Observed Phish Landing Page Domain (1wvipf .com in TLS SNI) (phishing.rules)
  • 2065541 - ET PHISHING Request to Fake Gambling Website (GET) (phishing.rules)
  • 2065542 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (hlherb .com) (exploit_kit.rules)
  • 2065543 - ET EXPLOIT_KIT LandUpdate808 Domain (hlherb .com) in TLS SNI (exploit_kit.rules)
  • 2065544 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rodriggez .com) (exploit_kit.rules)
  • 2065545 - ET EXPLOIT_KIT LandUpdate808 Domain (rodriggez .com) in TLS SNI (exploit_kit.rules)
  • 2065546 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (perstby .cyou) (malware.rules)
  • 2065547 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (perstby .cyou) in TLS SNI (malware.rules)
  • 2065548 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (gorelo .tech) (info.rules)
  • 2065549 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (gorelo .tech) (info.rules)
  • 2065550 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (gorelo-rmm .azurewebsites .net) (info.rules)
  • 2065551 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (gorelo-rmm .azurewebsites .net) (info.rules)
  • 2065552 - ET PHISHING Landing Page Victim Registration Validation (phishing.rules)
  • 2065553 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (prajsm .com) (exploit_kit.rules)
  • 2065554 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (prajsm .com) (exploit_kit.rules)
  • 2065555 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (global .coachmyresume .com) (malware.rules)
  • 2065556 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .sayyesmovement .ca) (malware.rules)
  • 2065557 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (global .coachmyresume .com) (malware.rules)
  • 2065558 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .sayyesmovement .ca) (malware.rules)
  • 2065559 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (simplecopseholding .com) (malware.rules)
  • 2065560 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (simplecopseholding .com) (malware.rules)

Pro:

  • 2865016 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2865017 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2001032 - ET ADWARE_PUP Casino on Net Ping Hit (adware_pup.rules)
  • 2001311 - ET ADWARE_PUP Rdxrp.com Traffic (adware_pup.rules)
  • 2002333 - ET POLICY Google IM traffic friend invited (policy.rules)
  • 2003560 - ET MALWARE Bandook v1.35 Window List Command Send (malware.rules)
  • 2003725 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR (web_specific_apps.rules)
  • 2008647 - ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus) (adware_pup.rules)
  • 2009062 - ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion (web_specific_apps.rules)
  • 2010755 - ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt (dos.rules)
  • 2018714 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018872 - ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014 (malware.rules)
  • 2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 (web_server.rules)
  • 2019710 - ET MALWARE VBS/Autorun.J Checkin (malware.rules)
  • 2019883 - ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.ws) (malware.rules)
  • 2021911 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022058 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu) (malware.rules)
  • 2022433 - ET MALWARE Scarlet Mimic DNS Lookup 23 (malware.rules)
  • 2800346 - ETPRO ADWARE_PUP BugsPrey (Init Connection Reply) (adware_pup.rules)
  • 2807659 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0288) (web_client.rules)
  • 2808747 - ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 4 (mobile_malware.rules)
  • 2812014 - ETPRO MALWARE Python/N3Cr0m0rPh IRC Checkin (malware.rules)
  • 2816176 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2823449 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.mb Checkin (mobile_malware.rules)

Disabled and modified rules:

  • 2065431 - ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated SQL Injection in exportFldr (CVE-2021-30116) (web_specific_apps.rules)