Ruleset Update Summary - 2025/11/24 - v11069

Summary:

22 new OPEN, 45 new PRO (22 + 23)

Please be aware that Thursday and Friday (27 November and 28 November, 2025) are Proofpoint company holidays. There will be no rule releases on either of these days. Daily rule releases will recommence on Monday, 01 December, 2025.
Added rules:

Open:

  • 2065882 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (medinflow .com) (exploit_kit.rules)
  • 2065883 - ET EXPLOIT_KIT LandUpdate808 Domain (medinflow .com) in TLS SNI (exploit_kit.rules)
  • 2065884 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholequz .qpon) (malware.rules)
  • 2065885 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wholequz .qpon) in TLS SNI (malware.rules)
  • 2065886 - ET HUNTING POST Request to .cfd Domain (hunting.rules)
  • 2065887 - ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562) (web_specific_apps.rules)
  • 2065888 - ET WEB_SPECIFIC_APPS FLIR setDateTime Command Injection Attempt (CVE-2025-5126) (web_specific_apps.rules)
  • 2065889 - ET WEB_SPECIFIC_APPS FLIR subscribe endpoint Multiple Parameters Command Injection Attempt (CVE-2025-5695) (web_specific_apps.rules)
  • 2065890 - ET WEB_SPECIFIC_APPS FLIR unsubscribe endpoint Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
  • 2065891 - ET WEB_SPECIFIC_APPS FLIR applyfirmware Command Injection Attempt (web_specific_apps.rules)
  • 2065892 - ET WEB_SPECIFIC_APPS FLIR prod.php cmd Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2065893 - ET WEB_SPECIFIC_APPS FLIR test_login.php action Parameter Authentication Bypass Attempt (CVE-2024-3013) (web_specific_apps.rules)
  • 2065894 - ET WEB_SPECIFIC_APPS FLIR res.php value Parameter Command Injection Attempt (CVE-2023-51126) (web_specific_apps.rules)
  • 2065895 - ET WEB_SPECIFIC_APPS FLIR res.php id Parameter Command Injection Attempt (CVE-2022-37061) (web_specific_apps.rules)
  • 2065896 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viedorta .com) (exploit_kit.rules)
  • 2065897 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viedorta .com) (exploit_kit.rules)
  • 2065898 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .rightontheroad .com) (malware.rules)
  • 2065899 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (funnel .weightlosstonight .com) (malware.rules)
  • 2065900 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .rightontheroad .com) (malware.rules)
  • 2065901 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (funnel .weightlosstonight .com) (malware.rules)
  • 2065902 - ET EXPLOIT_KIT TA2727 Domain in DNS Lookup (metricsaggregator .to) (exploit_kit.rules)
  • 2065903 - ET EXPLOIT_KIT TA2727 Domain in TLS SNI (metricsaggregator .to) (exploit_kit.rules)

Pro:

  • 2865207 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865208 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865210 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2865211 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2865212 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2865213 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2865214 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2865215 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865216 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2865217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2865219 - ETPRO MALWARE Amatera Binary Download Request from Dotted-Quad Host (malware.rules)
  • 2865222 - ETPRO MALWARE Amatera CnC POST Requests (malware.rules)
  • 2865223 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865224 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865225 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865226 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865227 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865228 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865229 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865230 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865231 - ETPRO WEB_SERVER Zimbra Collaboration (ZCS) Suite Cross-site Scripting (CVE-2025-27915) (web_server.rules)

Modified inactive rules:

  • 2001260 - ET CHAT Yahoo IM message (chat.rules)
  • 2001479 - ET ADWARE_PUP Coolsearch Spyware Install (adware_pup.rules)
  • 2001484 - ET ADWARE_PUP Searchmeup Spyware Install (d.exe) (adware_pup.rules)
  • 2002796 - ET POLICY X-Box Live Connecting (policy.rules)
  • 2003454 - ET POLICY Yahoo 360 Social Site Access (policy.rules)
  • 2003683 - ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt – turbulence.php GLOBALS tcore (web_specific_apps.rules)
  • 2004580 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_link.php (web_specific_apps.rules)
  • 2004581 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_table.php editorid (web_specific_apps.rules)
  • 2007679 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (2) (malware.rules)
  • 2007680 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (3) (malware.rules)
  • 2008150 - ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller) (adware_pup.rules)
  • 2008426 - ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow (exploit.rules)
  • 2009126 - ET MALWARE Win32/Monkif Downloader Checkin (malware.rules)
  • 2012095 - ET ACTIVEX J-Integra Remote Code Execution (activex.rules)
  • 2013189 - ET MALWARE Unknown Dropper HTTP POST Check-in (malware.rules)
  • 2013912 - ET MALWARE P2P Zeus Response From CnC (malware.rules)
  • 2014129 - ET POLICY Splashtop Remote Control Session Keepalive (policy.rules)
  • 2014477 - ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info (malware.rules)
  • 2015683 - ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012 (exploit_kit.rules)
  • 2015806 - ET MALWARE Mini-Flame v 5.x C2 HTTP request (malware.rules)
  • 2016240 - ET EXPLOIT_KIT Impact Exploit Kit Class Download (exploit_kit.rules)
  • 2016404 - ET INFO MPEG Download Over HTTP (1) (info.rules)
  • 2016993 - ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host) (malware.rules)
  • 2016994 - ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host) (malware.rules)
  • 2017110 - ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013 (exploit_kit.rules)
  • 2018503 - ET EXPLOIT_KIT Gongda EK Landing 2 (exploit_kit.rules)
  • 2018734 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
  • 2018888 - ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin (mobile_malware.rules)
  • 2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 (web_server.rules)
  • 2019404 - ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt (dos.rules)
  • 2019585 - ET MALWARE Sofacy HTTP Request msonlinelive.com (malware.rules)
  • 2019722 - ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 (exploit_kit.rules)
  • 2019723 - ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2 (exploit_kit.rules)
  • 2019897 - ET EXPLOIT Possible PYKEK Priv Esc in-use (exploit.rules)
  • 2020328 - ET MALWARE Possible Dridex Campaign Download Jan 28 2015 (malware.rules)
  • 2020659 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  • 2021622 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022453 - ET MALWARE Scarlet Mimic DNS Lookup 43 (malware.rules)
  • 2100411 - GPL ICMP_INFO IPV6 I-Am-Here (icmp_info.rules)
  • 2100414 - GPL ICMP IPV6 Where-Are-You undefined code (icmp.rules)
  • 2102019 - GPL RPC mountd UDP dump request (rpc.rules)
  • 2800152 - ETPRO ACTIVEX Microsoft Windows MFC Library FileFind Class Heap Overflow (activex.rules)
  • 2800153 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (exploit.rules)
  • 2800408 - ETPRO WEB_SERVER HP OpenView Network Node Manager Toolbar.exe HTTP Request Buffer Overflow (web_server.rules)
  • 2800716 - ETPRO EXPLOIT IBM Tivoli Directory Server LDAP Buffer Overflow (exploit.rules)
  • 2800717 - ETPRO EXPLOIT HP Mercury Multiple Products Agent Command Processing Buffer Overflow (exploit.rules)
  • 2801391 - ETPRO EXPLOIT IBM Informix Dynamic Server SET ENVIRONMENT Stack Buffer Overflow (exploit.rules)
  • 2801392 - ETPRO EXPLOIT IBM Informix Dynamic Server SET ENVIRONMENT Stack Buffer Overflow (exploit.rules)
  • 2802001 - ETPRO MALWARE Generic Downloader.x!fdi Checkin (malware.rules)
  • 2802002 - ETPRO MALWARE Backdoor.Win32.Refpron.I Checkin flowbit set (malware.rules)
  • 2803001 - ETPRO NETBIOS Microsoft SMBv2 0-Length Write Request Parsing Vulnerability Attack (netbios.rules)
  • 2803002 - ETPRO NETBIOS Microsoft SMBv2-DS 0-Length Write Request Parsing Vulnerability Attack (netbios.rules)
  • 2803104 - ETPRO EXPLOIT Long If-Modified-Since Field likely iMatix Xitami or other Remote Buffer Overflow (exploit.rules)
  • 2803728 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 (web_server.rules)
  • 2803729 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset SSL 3.0 (web_server.rules)
  • 2803886 - ETPRO MALWARE Win32/Dogrobot.G Checkin (malware.rules)
  • 2803887 - ETPRO MALWARE Win32/Vake.A Checkin (malware.rules)
  • 2804015 - ETPRO MALWARE HackTool.Win32.Kiser.aqa INSTALL (malware.rules)
  • 2804163 - ETPRO MALWARE Win32/Banker.XO Checkin (malware.rules)
  • 2805101 - ETPRO MALWARE Trojan.Downloader.JOER Checkin (malware.rules)
  • 2805724 - ETPRO MALWARE Win32/Small.gen!M js check-in (malware.rules)
  • 2807027 - ETPRO MALWARE Win32/Meredrop Checkin (malware.rules)
  • 2807526 - ETPRO MALWARE Win32/Delf.OMB Checkin (malware.rules)
  • 2815052 - ETPRO MALWARE Unknown PWS C2 (malware.rules)
  • 2864238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864622 - ETPRO MALWARE Observed ClickFix Style URI in HTTP GET (malware.rules)