Ruleset Update Summary - 2025/12/01 - v11073

rulesbot · December 1, 2025, 10:38pm

Summary:

39 new OPEN, 49 new PRO (39 + 10)

Added rules:

Open:

2065936 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloockflad .pw) (malware.rules)
2065937 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bloockflad .pw) in TLS SNI (malware.rules)
2065938 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bookgames .pw) (malware.rules)
2065939 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bookgames .pw) in TLS SNI (malware.rules)
2065940 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dayzilons .pw) (malware.rules)
2065941 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dayzilons .pw) in TLS SNI (malware.rules)
2065942 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keewoolas .pw) (malware.rules)
2065943 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (keewoolas .pw) in TLS SNI (malware.rules)
2065944 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (killredls .pw) (malware.rules)
2065945 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (killredls .pw) in TLS SNI (malware.rules)
2065946 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moskhoods .pw) (malware.rules)
2065947 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moskhoods .pw) in TLS SNI (malware.rules)
2065948 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revivalsecularas .pw) (malware.rules)
2065949 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revivalsecularas .pw) in TLS SNI (malware.rules)
2065950 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (steycools .pw) (malware.rules)
2065951 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (steycools .pw) in TLS SNI (malware.rules)
2065952 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jocafas .cyou) (malware.rules)
2065953 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jocafas .cyou) in TLS SNI (malware.rules)
2065954 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedmatela .fun) (malware.rules)
2065955 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bakedmatela .fun) in TLS SNI (malware.rules)
2065956 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ulaicavr .com) (exploit_kit.rules)
2065957 - ET EXPLOIT_KIT LandUpdate808 Domain (ulaicavr .com) in TLS SNI (exploit_kit.rules)
2065958 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bajzii .cyou) (malware.rules)
2065959 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bajzii .cyou) in TLS SNI (malware.rules)
2065960 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (poisonmantr .online) (exploit_kit.rules)
2065961 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (poisonmantr .online) (exploit_kit.rules)
2065962 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (dmicn .com) (exploit_kit.rules)
2065963 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (dmicn .com) (exploit_kit.rules)
2065964 - ET WEB_SPECIFIC_APPS Flowise Unauthenticated Account Takeover via tempToken (CVE-2025-58434) (web_specific_apps.rules)
2065965 - ET INFO Flowise Exposed User tempToken (info.rules)
2065966 - ET INFO Flowise Reset Password with tempToken (info.rules)
2065967 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (support .kingwoodcomputercenter .com) (malware.rules)
2065968 - ET WEB_SPECIFIC_APPS UniFi Access Unauthenticated Remote Code Execution (CVE-2025-52665) (web_specific_apps.rules)
2065969 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (control .myaffiliateincome .com) (malware.rules)
2065970 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (deploy .webpaydaz .com) (malware.rules)
2065971 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (support .kingwoodcomputercenter .com) (malware.rules)
2065972 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (control .myaffiliateincome .com) (malware.rules)
2065973 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (deploy .webpaydaz .com) (malware.rules)
2065974 - ET WEB_SPECIFIC_APPS GeoServer WMS GetMap XML External Entity Injection (CVE-2025-58360) (web_specific_apps.rules)

Pro:

2865235 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2865236 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865237 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865238 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865239 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865240 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865241 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865242 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865243 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2865244 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

2001263 - ET CHAT Yahoo IM conference request (chat.rules)
2001264 - ET CHAT Yahoo IM conference watch (chat.rules)
2001403 - ET POLICY ZIPPED XLS in transit (policy.rules)
2001404 - ET POLICY ZIPPED EXE in transit (policy.rules)
2001405 - ET POLICY ZIPPED PPT in transit (policy.rules)
2001780 - ET EXPLOIT Solaris TTYPROMPT environment variable set (exploit.rules)
2002656 - ET EXPLOIT malformed Sack - Snort DoS-by-$um$id (exploit.rules)
2002766 - ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek (adware_pup.rules)
2002767 - ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz (adware_pup.rules)
2007682 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (5) (malware.rules)
2007683 - ET MALWARE E-Jihad 3.0 HTTP Activity 1 (malware.rules)
2007684 - ET MALWARE E-Jihad 3.0 HTTP Activity 2 (malware.rules)
2008025 - ET MALWARE Turkojan C&C Logs Parse Response Response (LOGS1) (malware.rules)
2008062 - ET ACTIVEX Universal HTTP File Upload Remote File Deletetion (activex.rules)
2011395 - ET MALWARE wisp backdoor detected reporting (malware.rules)
2011397 - ET MALWARE FakeYak or Related Infection Checkin 2 (malware.rules)
2011673 - ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt (dos.rules)
2012101 - ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt (exploit.rules)
2012102 - ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow (activex.rules)
2013683 - ET MALWARE Win32.Parite Checkin SQL Database (malware.rules)
2013783 - ET MALWARE W32.Duqu UA and Filename Requested (malware.rules)
2014029 - ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe (malware.rules)
2014219 - ET MALWARE TSPY_SPCESEND.A Checkin (malware.rules)
2014818 - ET MALWARE Possible SKyWIper/Win32.Flame UA (malware.rules)
2014957 - ET MALWARE Backdoor Win32/Hupigon.CK Client Idle (malware.rules)
2015901 - ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar (exploit_kit.rules)
2016567 - ET MALWARE Win32/Urausy.C Checkin 2 (malware.rules)
2016996 - ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host) (malware.rules)
2016997 - ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host) (malware.rules)
2017113 - ET MALWARE VBulletin Backdoor C2 Domain (malware.rules)
2017366 - ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632 (web_server.rules)
2017474 - ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013 (exploit_kit.rules)
2017626 - ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound) (current_events.rules)
2018385 - ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014 (malware.rules)
2018738 - ET MALWARE Pain File Stealer sending wallet.dat via SMTP (malware.rules)
2018739 - ET MALWARE Kuluoz / Asprox checkin (malware.rules)
2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 (web_server.rules)
2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 (web_server.rules)
2019588 - ET MALWARE W32/ZxShell Checkin (malware.rules)
2019725 - ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014 (exploit_kit.rules)
2019726 - ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014 (exploit_kit.rules)
2020069 - ET MALWARE TROJ_WHAIM.A message (malware.rules)
2020070 - ET MALWARE Unknown Dropped by RIG EK (malware.rules)
2020662 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
2020663 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
2021325 - ET MALWARE CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b) (malware.rules)
2021624 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC) (malware.rules)
2021926 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2022605 - ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1 (web_client.rules)
2100360 - GPL FTP serv-u directory transversal (ftp.rules)
2100363 - GPL ICMP_INFO IRDP router advertisement (icmp_info.rules)
2100364 - GPL ICMP_INFO IRDP router selection (icmp_info.rules)
2100491 - GPL FTP FTP Bad login (ftp.rules)
2101926 - GPL RPC mountd UDP exportall request (rpc.rules)
2101952 - GPL RPC mountd UDP mount request (rpc.rules)
2800155 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 2 (exploit.rules)
2800156 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 3 (exploit.rules)
2800157 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 4 (exploit.rules)
2800411 - ETPRO EXPLOIT Oracle Secure Backup NDMP CONECT_CLIENT_AUTH Command Buffer Overflow (exploit.rules)
2800412 - ETPRO EXPLOIT Oracle Secure Backup NDMP Packet Handling Multiple Memory Corruption 1 (exploit.rules)
2800719 - ETPRO EXPLOIT Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow (exploit.rules)
2800720 - ETPRO EXPLOIT IBM Lotus Domino LDAP Server Memory Exception Vulnerability via ASN.1 (exploit.rules)
2800791 - ETPRO EXPLOIT Atrium Mercur IMAP Remote Buffer Overflow (exploit.rules)
2801295 - ETPRO WEB_SERVER Known Fraudulent UA inbound Likely Trojan (web_server.rules)
2802004 - ETPRO MALWARE Backdoor.Win32.Gootkit.A HTTP Checkin (malware.rules)
2802005 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Little Endian 1 (exploit.rules)
2803004 - ETPRO NETBIOS Microsoft SMBv2-DS Negative EOF Create Response Parsing Vulnerability Attack (netbios.rules)
2803106 - ETPRO DNS ISC BIND RRSIG RRsets Denial of Service TCP 1 (dns.rules)
2803107 - ETPRO EXPLOIT HP OpenView Storage Data Protector EXEC_CMD Buffer Overflow (exploit.rules)
2803260 - ETPRO MALWARE Filecodi.net Related Trojan Checkin (malware.rules)
2803563 - ETPRO WORM Worm.Win32.Morto.A Propagating via Windows Remote Desktop Protocol Flowbit Set (worm.rules)
2803564 - ETPRO WORM Worm.Win32.Morto.A Propagating via Windows Remote Desktop Protocol (worm.rules)
2804019 - ETPRO MALWARE Trojan-Downloader.Win32.Generic Install - SET (malware.rules)
2804165 - ETPRO MALWARE Yakes/Cryptor Dropper Checkin to load.php (malware.rules)
2804322 - ETPRO MALWARE Exploit.Win32/MS08067.gen!A Checkin (malware.rules)
2804323 - ETPRO MALWARE Win32/Ransom.EJ checkin (malware.rules)
2804642 - ETPRO INFO Remote Manipulator System (RMS) Init Connect (info.rules)
2804643 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.AX Checkin (adware_pup.rules)
2804985 - ETPRO MALWARE PSW.Banker6.ZXK Checkin (malware.rules)
2805559 - ETPRO MALWARE Spy.298841 Checkin (malware.rules)
2805726 - ETPRO MALWARE Win32/Small.gen!M Possible js C2 (malware.rules)
2805842 - ETPRO MALWARE Troj/Ransom-KS / Troj/Matsu-A Checkin (malware.rules)
2806358 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 2 (CVE-2013-2551) (web_client.rules)
2806359 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 1 (CVE-2013-2551) (web_client.rules)
2807668 - ETPRO MALWARE W32/KeyLogger.OFP!tr.spy Response (malware.rules)
2808766 - ETPRO MALWARE Win32.Black.cvdvox Checkin (malware.rules)
2809518 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin 2 (mobile_malware.rules)
2810364 - ETPRO MALWARE Chanitor .onion Proxy Domain (omi62yc6jtsd2q37) (malware.rules)
2814866 - ETPRO MALWARE Win32/Pifagor CMS Bruteforcer CnC Checkin (malware.rules)
2815603 - ETPRO MALWARE Win32.Nitol.K Variant Checkin 1 (malware.rules)
2816775 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Caresy.a Checkin (mobile_malware.rules)
2820177 - ETPRO MALWARE Unknown Locker C2 domain (malware.rules)
2820178 - ETPRO MALWARE Unknown Locker C2 domain (malware.rules)
2820594 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
2821472 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
2824536 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.TP Checkin (mobile_malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/09/22 - v11021 Ruleset Updates	137	September 22, 2025
Ruleset Update Summary - 2025/04/28 - v10915 Ruleset Updates	133	April 28, 2025
Ruleset Update Summary - 2025/01/13 - v10836 Ruleset Updates	103	January 13, 2025
Ruleset Update Summary - 2025/11/10 - v11059 Ruleset Updates	70	November 10, 2025
Ruleset Update Summary - 2025/04/14 - v10904 Ruleset Updates	143	April 14, 2025

Ruleset Update Summary - 2025/12/01 - v11073

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics