Ruleset Update Summary - 2025/12/05 - v11077

Summary:

109 new OPEN, 125 new PRO (109 + 16)


Added rules:

Open:

  • 2066029 - ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182) (web_specific_apps.rules)
  • 2066030 - ET HUNTING Javascript Sandbox Escape via Global Object (process) (hunting.rules)
  • 2066031 - ET WEB_SPECIFIC_APPS Allnet ALL-RUT22GW 4G LTE Cellular Router Unauthenticated Remote Code Execution (CVE-2025-29269) (web_specific_apps.rules)
  • 2066032 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (beardop .click) (malware.rules)
  • 2066033 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (beardop .click) in TLS SNI (malware.rules)
  • 2066034 - ET WEB_SPECIFIC_APPS Allnet ALL-RUT22GW 4G LTE Cellular Router Hardcoded Backdoor Credentials (CVE-2025-29268) (web_specific_apps.rules)
  • 2066035 - ET WEB_SPECIFIC_APPS Synology Driver Server Unauthorized Access (CVE-2024-50630) (web_specific_apps.rules)
  • 2066036 - ET WEB_SPECIFIC_APPS Synology Driver Server CRLF Injection (CVE-2024-50629) (web_specific_apps.rules)
  • 2066037 - ET WEB_SPECIFIC_APPS Zoho ManageEngine API Authentication Bypass (CVE-2022-29081) (web_specific_apps.rules)
  • 2066038 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (email .whyyoushouldwalk .com) (malware.rules)
  • 2066039 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (request .affiliatesalesagent .com) (malware.rules)
  • 2066040 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (email .whyyoushouldwalk .com) (malware.rules)
  • 2066041 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (request .affiliatesalesagent .com) (malware.rules)
  • 2066042 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mahleinc .com) (exploit_kit.rules)
  • 2066043 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mahleinc .com) (exploit_kit.rules)
  • 2066044 - ET HUNTING XML External Entity Injection Inbound M1 (hunting.rules)
  • 2066045 - ET HUNTING XML External Entity Injection Inbound M2 (hunting.rules)
  • 2066046 - ET HUNTING XML External Entity Injection Inbound M3 (hunting.rules)
  • 2066047 - ET INFO Observed Network Tunneling Service Domain (ngrok .pro) in TLS SNI (info.rules)
  • 2066048 - ET INFO Observed Network Tunneling Service Domain (pktriot .net) in TLS SNI (info.rules)
  • 2066049 - ET INFO Observed Network Tunneling Service Domain (ngrok .dev) in TLS SNI (info.rules)
  • 2066050 - ET INFO Observed Network Tunneling Service Domain (betabuild .dev) in TLS SNI (info.rules)
  • 2066051 - ET INFO Observed Network Tunneling Service Domain (ngrok .pizza) in TLS SNI (info.rules)
  • 2066052 - ET INFO Observed Network Tunneling Service Domain (ngrok-free .dev) in TLS SNI (info.rules)
  • 2066053 - ET INFO Observed Network Tunneling Service Domain (loclx .io) in TLS SNI (info.rules)
  • 2066054 - ET INFO Observed Network Tunneling Service Domain (reversetunnel .net) in TLS SNI (info.rules)
  • 2066055 - ET INFO Observed Network Tunneling Service Domain (loca .lt) in TLS SNI (info.rules)
  • 2066056 - ET INFO Observed Network Tunneling Service Domain (mediastreamer .app) in TLS SNI (info.rules)
  • 2066057 - ET INFO Observed Network Tunneling Service Domain (ngrok-free .app) in TLS SNI (info.rules)
  • 2066058 - ET INFO Network Tunneling Service in DNS Lookup (localhost .run) (info.rules)
  • 2066059 - ET INFO Network Tunneling Service in DNS Lookup (ngrok .app) (info.rules)
  • 2066060 - ET INFO Network Tunneling Service in DNS Lookup (myzrok .io) (info.rules)
  • 2066061 - ET INFO Network Tunneling Service in DNS Lookup (staqlab .com) (info.rules)
  • 2066062 - ET INFO Network Tunneling Service in DNS Lookup (portr .dev) (info.rules)
  • 2066063 - ET INFO Network Tunneling Service in DNS Lookup (pagekite .me) (info.rules)
  • 2066064 - ET INFO Network Tunneling Service in DNS Lookup (packetriot .com) (info.rules)
  • 2066065 - ET INFO Network Tunneling Service in DNS Lookup (tunnelmole .net) (info.rules)
  • 2066066 - ET INFO Network Tunneling Service in DNS Lookup (tunn .dev) (info.rules)
  • 2066067 - ET INFO Network Tunneling Service in DNS Lookup (tuns .sh) (info.rules)
  • 2066068 - ET INFO Network Tunneling Service in DNS Lookup (serveo .net) (info.rules)
  • 2066069 - ET INFO Network Tunneling Service in DNS Lookup (expose .dev) (info.rules)
  • 2066070 - ET INFO Network Tunneling Service in DNS Lookup (gw .run) (info.rules)
  • 2066071 - ET INFO Network Tunneling Service in DNS Lookup (dataplicity .com) (info.rules)
  • 2066072 - ET INFO Network Tunneling Service in DNS Lookup (staqlab-tunnel .com) (info.rules)
  • 2066073 - ET INFO Network Tunneling Service in DNS Lookup (sshreach .me) (info.rules)
  • 2066074 - ET INFO Network Tunneling Service in DNS Lookup (burrow .link) (info.rules)
  • 2066075 - ET INFO Network Tunneling Service in DNS Lookup (hrzn .run) (info.rules)
  • 2066076 - ET INFO Network Tunneling Service in DNS Lookup (shellhub .io) (info.rules)
  • 2066077 - ET INFO Network Tunneling Service in DNS Lookup (tunnelto .dev) (info.rules)
  • 2066078 - ET INFO Network Tunneling Service in DNS Lookup (packetriot .net) (info.rules)
  • 2066079 - ET INFO Network Tunneling Service in DNS Lookup (pitunnel .com) (info.rules)
  • 2066080 - ET INFO Network Tunneling Service in DNS Lookup (loophole .site) (info.rules)
  • 2066081 - ET INFO Network Tunneling Service in DNS Lookup (pinggy .link) (info.rules)
  • 2066082 - ET INFO Network Tunneling Service in DNS Lookup (pagekite .net) (info.rules)
  • 2066083 - ET INFO Network Tunneling Service in DNS Lookup (loophole .cloud) (info.rules)
  • 2066084 - ET INFO Network Tunneling Service in DNS Lookup (inlets .dev) (info.rules)
  • 2066085 - ET INFO Network Tunneling Service in DNS Lookup (telebit .fun) (info.rules)
  • 2066086 - ET INFO Network Tunneling Service in DNS Lookup (rel .tunnels .api .visualstudio .com) (info.rules)
  • 2066087 - ET INFO Network Tunneling Service in DNS Lookup (tunnelmole .com) (info.rules)
  • 2066088 - ET INFO Network Tunneling Service in DNS Lookup (pinggy .io) (info.rules)
  • 2066089 - ET INFO Network Tunneling Service in DNS Lookup (tmate .io) (info.rules)
  • 2066090 - ET INFO Network Tunneling Service in DNS Lookup (ssi .sh) (info.rules)
  • 2066091 - ET INFO Network Tunneling Service in DNS Lookup (localxpose .io) (info.rules)
  • 2066092 - ET INFO Network Tunneling Service in DNS Lookup (hoppy .network) (info.rules)
  • 2066093 - ET INFO Network Tunneling Service in DNS Lookup (telebit .cloud) (info.rules)
  • 2066094 - ET INFO Network Tunneling Service in DNS Lookup (ngrok .io) (info.rules)
  • 2066095 - ET INFO Network Tunneling Service in DNS Lookup (tabserve .dev) (info.rules)
  • 2066096 - ET INFO Observed Network Tunneling Service Domain (localhost .run) in TLS SNI (info.rules)
  • 2066097 - ET INFO Observed Network Tunneling Service Domain (ngrok .app) in TLS SNI (info.rules)
  • 2066098 - ET INFO Observed Network Tunneling Service Domain (myzrok .io) in TLS SNI (info.rules)
  • 2066099 - ET INFO Observed Network Tunneling Service Domain (staqlab .com) in TLS SNI (info.rules)
  • 2066100 - ET INFO Observed Network Tunneling Service Domain (portr .dev) in TLS SNI (info.rules)
  • 2066101 - ET INFO Observed Network Tunneling Service Domain (pagekite .me) in TLS SNI (info.rules)
  • 2066102 - ET INFO Observed Network Tunneling Service Domain (packetriot .com) in TLS SNI (info.rules)
  • 2066103 - ET INFO Observed Network Tunneling Service Domain (tunnelmole .net) in TLS SNI (info.rules)
  • 2066104 - ET INFO Observed Network Tunneling Service Domain (tunn .dev) in TLS SNI (info.rules)
  • 2066105 - ET INFO Observed Network Tunneling Service Domain (tuns .sh) in TLS SNI (info.rules)
  • 2066106 - ET INFO Observed Network Tunneling Service Domain (serveo .net) in TLS SNI (info.rules)
  • 2066107 - ET INFO Observed Network Tunneling Service Domain (expose .dev) in TLS SNI (info.rules)
  • 2066108 - ET INFO Observed Network Tunneling Service Domain (gw .run) in TLS SNI (info.rules)
  • 2066109 - ET INFO Observed Network Tunneling Service Domain (dataplicity .com) in TLS SNI (info.rules)
  • 2066110 - ET INFO Observed Network Tunneling Service Domain (staqlab-tunnel .com) in TLS SNI (info.rules)
  • 2066111 - ET INFO Observed Network Tunneling Service Domain (sshreach .me) in TLS SNI (info.rules)
  • 2066112 - ET INFO Observed Network Tunneling Service Domain (burrow .link) in TLS SNI (info.rules)
  • 2066113 - ET INFO Observed Network Tunneling Service Domain (hrzn .run) in TLS SNI (info.rules)
  • 2066114 - ET INFO Observed Network Tunneling Service Domain (shellhub .io) in TLS SNI (info.rules)
  • 2066115 - ET INFO Observed Network Tunneling Service Domain (tunnelto .dev) in TLS SNI (info.rules)
  • 2066116 - ET INFO Observed Network Tunneling Service Domain (playit .gg) in TLS SNI (info.rules)
  • 2066117 - ET INFO Observed Network Tunneling Service Domain (packetriot .net) in TLS SNI (info.rules)
  • 2066118 - ET INFO Observed Network Tunneling Service Domain (pitunnel .com) in TLS SNI (info.rules)
  • 2066119 - ET INFO Observed Network Tunneling Service Domain (loophole .site) in TLS SNI (info.rules)
  • 2066120 - ET INFO Observed Network Tunneling Service Domain (pinggy .link) in TLS SNI (info.rules)
  • 2066121 - ET INFO Observed Network Tunneling Service Domain (pagekite .net) in TLS SNI (info.rules)
  • 2066122 - ET INFO Observed Network Tunneling Service Domain (loophole .cloud) in TLS SNI (info.rules)
  • 2066123 - ET INFO Observed Network Tunneling Service Domain (burrow .io) in TLS SNI (info.rules)
  • 2066124 - ET INFO Observed Network Tunneling Service Domain (inlets .dev) in TLS SNI (info.rules)
  • 2066125 - ET INFO Observed Network Tunneling Service Domain (telebit .fun) in TLS SNI (info.rules)
  • 2066126 - ET INFO Observed Network Tunneling Service Domain (rel .tunnels .api .visualstudio .com) in TLS SNI (info.rules)
  • 2066127 - ET INFO Observed Network Tunneling Service Domain (tunnelmole .com) in TLS SNI (info.rules)
  • 2066128 - ET INFO Observed Network Tunneling Service Domain (pinggy .io) in TLS SNI (info.rules)
  • 2066129 - ET INFO Observed Network Tunneling Service Domain (tmate .io) in TLS SNI (info.rules)
  • 2066130 - ET INFO Observed Network Tunneling Service Domain (ssi .sh) in TLS SNI (info.rules)
  • 2066131 - ET INFO Observed Network Tunneling Service Domain (localxpose .io) in TLS SNI (info.rules)
  • 2066132 - ET INFO Observed Network Tunneling Service Domain (hoppy .network) in TLS SNI (info.rules)
  • 2066133 - ET INFO Observed Network Tunneling Service Domain (telebit .cloud) in TLS SNI (info.rules)
  • 2066134 - ET INFO Observed Network Tunneling Service Domain (ply .gg) in TLS SNI (info.rules)
  • 2066135 - ET INFO Observed Network Tunneling Service Domain (ngrok .io) in TLS SNI (info.rules)
  • 2066136 - ET INFO Observed Network Tunneling Service Domain (tabserve .dev) in TLS SNI (info.rules)
  • 2066137 - ET INFO Network Tunneling Service in DNS Lookup (burrow .io) (info.rules)

Pro:

  • 2865273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865275 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865276 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865277 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865278 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865279 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865281 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865283 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865284 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865285 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865286 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865287 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865288 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2001742 - ET EXPLOIT Arkeia full remote access without password or authentication (exploit.rules)
  • 2002091 - ET ADWARE_PUP Searchmiracle.com Spyware Install - silent.exe (adware_pup.rules)
  • 2002770 - ET ADWARE_PUP Corpsespyware.net - msits.exe access (adware_pup.rules)
  • 2007687 - ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND (malware.rules)
  • 2008028 - ET MALWARE Turkojan C&C Browse Drive Command Response (metin) (malware.rules)
  • 2009863 - ET MALWARE Banker Trojan CnC Hello Command (malware.rules)
  • 2011399 - ET MALWARE Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server (malware.rules)
  • 2015561 - ET INFO PDF Using CCITTFax Filter (info.rules)
  • 2016048 - ET MALWARE W32/Prinimalka Configuration Update Request (malware.rules)
  • 2016733 - ET EXPLOIT_KIT Sakura encrypted binary (2) (exploit_kit.rules)
  • 2017116 - ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013 (web_client.rules)
  • 2018386 - ET MALWARE cryptodefense Checkin (malware.rules)
  • 2018610 - ET MALWARE Likely CryptoWall .onion Proxy domain in SNI (malware.rules)
  • 2020570 - ET EXPLOIT_KIT KaiXin Secondary Landing Page (exploit_kit.rules)
  • 2020666 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  • 2022011 - ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30 (web_client.rules)
  • 2022460 - ET MALWARE Scarlet Mimic DNS Lookup 50 (malware.rules)
  • 2023402 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100466 - GPL ICMP L3retriever Ping (icmp.rules)
  • 2103043 - GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt (netbios.rules)
  • 2805412 - ETPRO MALWARE Win32/Spy.BZub CnC Response (malware.rules)
  • 2805562 - ETPRO MALWARE W32/VB.PGK!tr.dldr Checkin (malware.rules)
  • 2807031 - ETPRO MALWARE TrojanDropper.Agent.axkq Response 2 (malware.rules)
  • 2808770 - ETPRO MALWARE Backdoor.Win32.Androm Requesting payload (malware.rules)
  • 2809790 - ETPRO MALWARE WORM_AUTORUN.BMC (Initialize) (malware.rules)
  • 2814269 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.de Checkin 5 (mobile_malware.rules)
  • 2816200 - ETPRO MALWARE Possible PlugX DNS Lookup (malware.rules)
  • 2823043 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ke Checkin (mobile_malware.rules)

Disabled and modified rules:

  • 2025138 - ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup) (policy.rules)
  • 2065892 - ET WEB_SPECIFIC_APPS FLIR prod.php cmd Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2065987 - ET WEB_SPECIFIC_APPS D-Link mng_platform.asp addr Parameter Command Injection Attempt (CVE-2025-9769) (web_specific_apps.rules)
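Triage helper, added here as an example and not code from Proofpoint/Emerging Threats: it parses the plain-text summary format above, checks the "N new OPEN, M new PRO (N + K)" arithmetic, pairs the DNS Lookup and TLS SNI rules that cover the same tunneling-service domain (run over the full list above it shows, for instance, ngrok .pro, loca .lt, playit .gg and ply .gg arriving with an SNI rule only, and burrow .io getting its DNS rule at the tail of the list), and renders suricata-update `disable.conf` lines for whatever subset you choose to tune out, such as the ET INFO tunneling rules on a network where developers legitimately use those services. The embedded input is a constructed excerpt of this update, not the whole list, and the `disable.conf` layout (bare SIDs plus `#` comments) is suricata-update's documented format.

```python
"""Parse an Emerging Threats ruleset update summary and triage it.

Added example, not Emerging Threats tooling. SAMPLE below is a constructed
excerpt of the 2025/12/05 v11077 summary in the same plain-text layout.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Ruleset Update Summary - 2025/12/05 - v11077

Added rules:

Open:

  • 2066042 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mahleinc .com) (exploit_kit.rules)
  • 2066043 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mahleinc .com) (exploit_kit.rules)
  • 2066047 - ET INFO Observed Network Tunneling Service Domain (ngrok .pro) in TLS SNI (info.rules)
  • 2066068 - ET INFO Network Tunneling Service in DNS Lookup (serveo .net) (info.rules)
  • 2066106 - ET INFO Observed Network Tunneling Service Domain (serveo .net) in TLS SNI (info.rules)
  • 2066116 - ET INFO Observed Network Tunneling Service Domain (playit .gg) in TLS SNI (info.rules)
  • 2066137 - ET INFO Network Tunneling Service in DNS Lookup (burrow .io) (info.rules)

Pro:

  • 2865273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)

Disabled and modified rules:

  • 2025138 - ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup) (policy.rules)
"""

SECTION_RE = re.compile(r"^(Open|Pro|Modified inactive rules|Disabled and modified rules):\s*$")
# "  • <sid> - <msg> (<file>.rules)"; the greedy msg group backtracks to the last "(x.rules)".
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*)\s+\(([\w.-]+\.rules)\)\s*$")
# ET defangs domains with a space before each dot ("ngrok .pro"); the domain may be
# followed by more text inside the same parentheses ("localtunnel .me in DNS Lookup").
DOMAIN_RE = re.compile(r"\(([a-z0-9-]+(?: \.[a-z0-9-]+)+)(?: [^)]*)?\)")


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    rules_file: str
    section: str

    @property
    def domain(self):
        """Refanged domain named in the message, or None if there is none."""
        m = DOMAIN_RE.search(self.msg)
        return m.group(1).replace(" .", ".") if m else None

    @property
    def channel(self):
        """Which observation the rule keys on: DNS query or TLS ClientHello SNI."""
        if "DNS Lookup" in self.msg:
            return "dns"
        if "TLS SNI" in self.msg:
            return "sni"
        return None


def parse_summary(text):
    """Return every bullet as a Rule tagged with the section it sits under."""
    rules, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), section))
    return rules


def check_summary_counts(rules, open_count, pro_total):
    """PRO ships the OPEN rules plus the ETPRO-only ones, so PRO total = OPEN + Pro."""
    n_open = sum(r.section == "Open" for r in rules)
    n_pro_only = sum(r.section == "Pro" for r in rules)
    return n_open == open_count and n_open + n_pro_only == pro_total


def pair_by_domain(rules):
    """Map domain -> {'dns': sid, 'sni': sid} for the domain-indicator rules."""
    pairs = {}
    for r in rules:
        if r.domain and r.channel:
            pairs.setdefault(r.domain, {})[r.channel] = r.sid
    return pairs


def single_sided(pairs):
    """Domains covered on only one channel; worth a look when you rely on one of them."""
    return sorted(d for d, ch in pairs.items() if len(ch) == 1)


def disable_conf(rules, predicate):
    """suricata-update disable.conf text: '# comment' lines and bare SIDs."""
    out = []
    for r in sorted(rules, key=lambda r: r.sid):
        if predicate(r):
            out.append(f"# {r.msg}")
            out.append(str(r.sid))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_summary(SAMPLE)
    print("counts consistent:", check_summary_counts(rules, 7, 8))
    pairs = pair_by_domain(r for r in rules if r.section == "Open")
    print("single-sided domains:", single_sided(pairs))
    # Tune out the informational tunneling-service rules, keep everything else.
    print(disable_conf(rules, lambda r: r.section == "Open" and r.rules_file == "info.rules"))
```

To run it against the full update, paste the summary into `SAMPLE` or read it from a file; the generated block goes into suricata-update's `disable.conf` (or, inverted, into `enable.conf`), and the single-sided list tells you which domains you would miss if only one of DNS or TLS visibility exists at a sensor.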