Ruleset Update Summary - 2025/11/21 - v11068

rulesbot · November 21, 2025, 9:18pm

Summary:

14 new OPEN, 16 new PRO (14 + 2)

2065868 - ET INFO Observed request to common DOH pattern in URI M1 (info.rules)
2065869 - ET INFO Observed HTTP Content-Type Common to DoH Services (info.rules)
2065870 - ET MALWARE Observed DNS Query to Aura Stealer Domain (secondhandcloth .shop) (malware.rules)
2065871 - ET MALWARE Observed DNS Query to Aura Stealer Domain (softytoys .shop) (malware.rules)
2065872 - ET MALWARE Observed DNS Query to Aura Stealer Domain (opencamping .shop) (malware.rules)
2065873 - ET MALWARE Observed DNS Query to Aura Stealer Domain (auracorp .cc) (malware.rules)
2065874 - ET MALWARE Observed DNS Query to Aura Stealer Domain (glossmagazine .shop) (malware.rules)
2065875 - ET MALWARE Observed DNS Query to Aura Stealer Domain (armydevice .shop) (malware.rules)
2065876 - ET MALWARE Observed Aura Stealer Domain (secondhandcloth .shop in TLS SNI) (malware.rules)
2065877 - ET MALWARE Observed Aura Stealer Domain (softytoys .shop in TLS SNI) (malware.rules)
2065878 - ET MALWARE Observed Aura Stealer Domain (opencamping .shop in TLS SNI) (malware.rules)
2065879 - ET MALWARE Observed Aura Stealer Domain (auracorp .cc in TLS SNI) (malware.rules)
2065880 - ET MALWARE Observed Aura Stealer Domain (glossmagazine .shop in TLS SNI) (malware.rules)
2065881 - ET MALWARE Observed Aura Stealer Domain (armydevice .shop in TLS SNI) (malware.rules)

2865205 - ETPRO MALWARE MysteryMansion CnC Exfil (POST) (malware.rules)
2865206 - ETPRO MALWARE MysteryMansion CnC Response - File sent successfully (malware.rules)

2000032 - ET NETBIOS LSA exploit (netbios.rules)
2003462 - ET ADWARE_PUP CoolDeskAlert Spyware Activity (adware_pup.rules)
2018502 - ET EXPLOIT_KIT Gongda EK Landing 1 (exploit_kit.rules)
2018733 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
2019009 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 (web_server.rules)
2021321 - ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download (malware.rules)
2022125 - ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20 (web_client.rules)
2100412 - GPL ICMP IPV6 I-Am-Here undefined code (icmp.rules)
2808498 - ETPRO MALWARE Backdoor.Korgapam CnC (INBOUND) 2 (malware.rules)
2809623 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Perkel.c Checkin 2 (mobile_malware.rules)
2814105 - ETPRO MALWARE Spammer MSIL/Misnt.A Spam Payload Download (malware.rules)
2820173 - ETPRO MALWARE Malicious SSL certificate detected (Gozi CnC) (malware.rules)
2824718 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.BS Checkin (mobile_malware.rules)

2060943 - ET PHISHING Github Credential Phish Domain in DNS Lookup (.* github* .onrender .com) (phishing.rules)
2060944 - ET PHISHING Observed Github Credential Phish Domain (.* github* .onrender .com in TLS SNI) (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	341	March 25, 2024
Ruleset Update Summary - 2024/09/12 - v10688 Ruleset Updates	48	September 12, 2024
Ruleset Update Summary - 2025/09/17 - v11018 Ruleset Updates	85	September 17, 2025
Ruleset Update Summary - 2024/01/11 - v10505 Ruleset Updates	664	January 11, 2024
Ruleset Update Summary - 2025/11/17 - v11064 Ruleset Updates	82	November 17, 2025