Ruleset Update Summary - 2025/11/12 - v11061

Summary:

23 new OPEN, 25 new PRO (23 + 2)

Thanks @zscaler
Added rules:

Open:

  • 2065732 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (hcm-technology .com) (malware.rules)
  • 2065733 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (microhosting .pro) (malware.rules)
  • 2065734 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (hcm-technology .com) (malware.rules)
  • 2065735 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (microhosting .pro) (malware.rules)
  • 2065736 - ET MALWARE PikaBot User-Agent Observed (malware.rules)
  • 2065737 - ET MALWARE ZLoader User-Agent Observed (malware.rules)
  • 2065738 - ET MALWARE ZLoader CnC Activity (POST) (malware.rules)
  • 2065739 - ET WEB_SPECIFIC_APPS Advantech R-SeeNet ping.php Command Injection (CVE-2021-21805) (web_specific_apps.rules)
  • 2065740 - ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection wizardLogin Authentication Bypass (CVE-2024-0799) (web_specific_apps.rules)
  • 2065741 - ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection Console Unauthenticated DoS in ASNative.dll (CVE-2024-0801) (web_specific_apps.rules)
  • 2065742 - ET WEB_SPECIFIC_APPS Citrix Netscaler SAML RelayState Reflected Cross-Site Scripting (CVE-2025-12101) (web_specific_apps.rules)
  • 2065743 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (frostshiledr .com) (exploit_kit.rules)
  • 2065744 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (holonimjs .com) (exploit_kit.rules)
  • 2065745 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (frostshiledr .com) (exploit_kit.rules)
  • 2065746 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (holonimjs .com) (exploit_kit.rules)
  • 2065747 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (benefits .cheapguys .com) (malware.rules)
  • 2065748 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (prototype .tapmycard .work) (malware.rules)
  • 2065749 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (register .toastmasters86 .org) (malware.rules)
  • 2065750 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (benefits .cheapguys .com) (malware.rules)
  • 2065751 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (prototype .tapmycard .work) (malware.rules)
  • 2065752 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (register .toastmasters86 .org) (malware.rules)
  • 2065753 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (reechel .com) (exploit_kit.rules)
  • 2065754 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (reechel .com) (exploit_kit.rules)

Pro:

  • 2865166 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate (hunting.rules)
  • 2865167 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2002302 - ET ADWARE_PUP Searchfeed.com Spyware 7 (adware_pup.rules)
  • 2003218 - ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign) (adware_pup.rules)
  • 2010492 - ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt (dos.rules)
  • 2013405 - ET ADWARE_PUP W32/Baigoo User Agent (adware_pup.rules)
  • 2014638 - ET MALWARE Maljava Dropper for OS X (malware.rules)
  • 2015678 - ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php (exploit_kit.rules)
  • 2018727 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 (web_server.rules)
  • 2019563 - ET MALWARE Sofacy HTTP Request checkmalware.org (malware.rules)
  • 2019720 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020060 - ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru) (malware.rules)
  • 2020325 - ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO) (exploit.rules)
  • 2020744 - ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2 (exploit_kit.rules)
  • 2020960 - ET MALWARE Possible Graftor Downloading Dridex (malware.rules)
  • 2022277 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022446 - ET MALWARE Scarlet Mimic DNS Lookup 36 (malware.rules)
  • 2022676 - ET MALWARE Ransomware/Coverton Checkin (malware.rules)
  • 2022768 - ET MALWARE Retefe Banker .onion Domain (malware.rules)
  • 2023322 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100270 - GPL MISC Teardrop attack (misc.rules)
  • 2102951 - GPL NETBIOS SMB-DS too many stacked requests (netbios.rules)
  • 2804757 - ETPRO ADWARE_PUP Adware/Kikin.A Checkin (adware_pup.rules)
  • 2804976 - ETPRO MALWARE Trojan.Win32.Diple.deyt Checkin (malware.rules)
  • 2805096 - ETPRO MALWARE Downloader.Win32.Knigsfot.ev Download Request (malware.rules)
  • 2805264 - ETPRO MALWARE Trojan.Win32.S.Banker.167310 Checkin (malware.rules)
  • 2805557 - ETPRO MALWARE Trojan.Generic.KD.697281 Checkin (malware.rules)
  • 2807800 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0297) (web_client.rules)
  • 2809006 - ETPRO MALWARE BackDoor.Tishop.2 Checkin (malware.rules)
  • 2819674 - ETPRO MOBILE_MALWARE Android Trojan Unknown Checkin (mobile_malware.rules)
  • 2820383 - ETPRO MALWARE Hawkeye Keylogger SMTP Stolen Credentials (malware.rules)
  • 2826028 - ETPRO MALWARE Malicious SSL Certificate Observed (Win32/Kryptik.FRIW Banker Injects) (malware.rules)

Disabled and modified rules:

  • 2044604 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (fainstec .com) (malware.rules)