Ruleset Update Summary - 2025/12/08 - v11078

Summary:

58 new OPEN, 58 new PRO (58 + 0)

Added rules:

Open:

• 2066138 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (brands .khaitara .com) (malware.rules)
• 2066139 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api .weightlosstonight .org) (malware.rules)
• 2066140 - ET INFO Networking Tunneling Service in DNS Lookup (lokal .so) (info.rules)
• 2066141 - ET INFO Networking Tunneling Service in DNS Lookup (openport .io) (info.rules)
• 2066142 - ET INFO Networking Tunneling Service in DNS Lookup (lokal-so .site) (info.rules)
• 2066143 - ET INFO Networking Tunneling Service in DNS Lookup (homeway .io) (info.rules)
• 2066144 - ET INFO Networking Tunneling Service in DNS Lookup (localcan .dev) (info.rules)
• 2066145 - ET INFO Networking Tunneling Service in DNS Lookup (livecycle .run) (info.rules)
• 2066146 - ET INFO Networking Tunneling Service in DNS Lookup (srv .us) (info.rules)
• 2066147 - ET INFO Networking Tunneling Service in DNS Lookup (mmar .dev) (info.rules)
• 2066148 - ET INFO Networking Tunneling Service in DNS Lookup (remote .moe) (info.rules)
• 2066149 - ET INFO Networking Tunneling Service in DNS Lookup (tunwg .com) (info.rules)
• 2066150 - ET INFO Networking Tunneling Service in DNS Lookup (remote .it) (info.rules)
• 2066151 - ET INFO Networking Tunneling Service in DNS Lookup (tunnelite .com) (info.rules)
• 2066152 - ET INFO Network Tunneling Service Domain (lokal .so) in TLS SNI (info.rules)
• 2066153 - ET INFO Network Tunneling Service Domain (openport .io) in TLS SNI (info.rules)
• 2066154 - ET INFO Network Tunneling Service Domain (lokal-so .site) in TLS SNI (info.rules)
• 2066155 - ET INFO Network Tunneling Service Domain (homeway .io) in TLS SNI (info.rules)
• 2066156 - ET INFO Network Tunneling Service Domain (localcan .dev) in TLS SNI (info.rules)
• 2066157 - ET INFO Network Tunneling Service Domain (livecycle .run) in TLS SNI (info.rules)
• 2066158 - ET INFO Network Tunneling Service Domain (srv .us) in TLS SNI (info.rules)
• 2066159 - ET INFO Network Tunneling Service Domain (mmar .dev) in TLS SNI (info.rules)
• 2066160 - ET INFO Network Tunneling Service Domain (remote .moe) in TLS SNI (info.rules)
• 2066161 - ET INFO Network Tunneling Service Domain (tunwg .com) in TLS SNI (info.rules)
• 2066162 - ET INFO Network Tunneling Service Domain (remote .it) in TLS SNI (info.rules)
• 2066163 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (totalservices .info) (malware.rules)
• 2066164 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (broughservice .info) (malware.rules)
• 2066165 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (theoyservices .info) (malware.rules)
• 2066166 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (excesswintex .info) (malware.rules)
• 2066167 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (brityservice .info) (malware.rules)
• 2066168 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (bijoyshare .buzz) (malware.rules)
• 2066169 - ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (sharetobijoy .buzz) (malware.rules)
• 2066170 - ET MALWARE Observed ShadowAgent/TA396 Domain (totalservices .info in TLS SNI) (malware.rules)
• 2066171 - ET MALWARE Observed ShadowAgent/TA396 Domain (broughservice .info in TLS SNI) (malware.rules)
• 2066172 - ET MALWARE Observed ShadowAgent/TA396 Domain (theoyservices .info in TLS SNI) (malware.rules)
• 2066173 - ET MALWARE Observed ShadowAgent/TA396 Domain (excesswintex .info in TLS SNI) (malware.rules)
• 2066174 - ET MALWARE Observed ShadowAgent/TA396 Domain (brityservice .info in TLS SNI) (malware.rules)
• 2066175 - ET MALWARE Observed ShadowAgent/TA396 Domain (bijoyshare .buzz in TLS SNI) (malware.rules)
• 2066176 - ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX) (hunting.rules)
• 2066177 - ET MALWARE Observed ShadowAgent/TA396 Domain (sharetobijoy .buzz in TLS SNI) (malware.rules)
• 2066178 - ET WEB_SPECIFIC_APPS D-Link HNAP1 GetDeviceSettings Buffer Overflow Attempt (2022-37055) (web_specific_apps.rules)
• 2066179 - ET MALWARE ShadowAgent/TA396 CnC Activity (POST) M1 (malware.rules)
• 2066180 - ET WEB_SPECIFIC_APPS Tenda SetIPTVCfg iptvType Parameter Buffer Overflow Attempt (CVE-2025-65804) (web_specific_apps.rules)
• 2066181 - ET MALWARE ShadowAgent/TA396 CnC Activity (POST) M2 (malware.rules)
• 2066182 - ET WEB_SPECIFIC_APPS Ruijie RGOS Access Points web_action.do command Parameter Command Injection Attempt (CVE-2025-65363) (web_specific_apps.rules)
• 2066183 - ET WEB_SPECIFIC_APPS D-Link setSystemAdmin AdminID Parameter Command Injection Attempt (CVE-2025-14225) (web_specific_apps.rules)
• 2066184 - ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108) (web_specific_apps.rules)
• 2066185 - ET WEB_SPECIFIC_APPS ZSPACE close safe_dir Parameter Command Injection Attempt (CVE-2025-14106) (web_specific_apps.rules)
• 2066186 - ET WEB_SPECIFIC_APPS ZSPACE status safe_dir Parameter Command Injection Attempt (CVE-2025-14107) (web_specific_apps.rules)
• 2066187 - ET WEB_SPECIFIC_APPS Edimax formTracerouteDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14093) (web_specific_apps.rules)
• 2066188 - ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092) (web_specific_apps.rules)
• 2066189 - ET INFO Network Tunneling Service Domain (tunnelite .com) in TLS SNI (info.rules)
• 2066190 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deoxyrq .click) (malware.rules)
• 2066191 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deoxyrq .click) in TLS SNI (malware.rules)
• 2066192 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eastcxl .click) (malware.rules)
• 2066193 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eastcxl .click) in TLS SNI (malware.rules)
• 2066194 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (entraiz .cyou) (malware.rules)
• 2066195 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (entraiz .cyou) in TLS SNI (malware.rules)

Modified inactive rules:

• 2000330 - ET P2P ed2k connection to server (p2p.rules)
• 2000342 - ET EXPLOIT Squid NTLM Auth Overflow Exploit (exploit.rules)
• 2001408 - ET POLICY hidden zip extension .scr (policy.rules)
• 2001453 - ET ADWARE_PUP Couponage Download (adware_pup.rules)
• 2001454 - ET ADWARE_PUP Couponage Configure (adware_pup.rules)
• 2001650 - ET ADWARE_PUP Search Scout Related Spyware (content) (adware_pup.rules)
• 2001653 - ET ADWARE_PUP Search Scout Related Spyware (results) (adware_pup.rules)
• 2002771 - ET ADWARE_PUP Corpsespyware.net - msys.exe access (adware_pup.rules)
• 2003369 - ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption (exploit.rules)
• 2007825 - ET MALWARE Neonaby.com Related Trojan User-Agent (neonabyupdate) (malware.rules)
• 2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (exploit.rules)
• 2008030 - ET MALWARE Turkojan C&C nxt Command Response (nxt) (malware.rules)
• 2008481 - ET MALWARE Trojan-PSW.Win32.Nilage.crg Checkin (malware.rules)
• 2008674 - ET MALWARE Likely eCard Malware Laden Email Inbound (malware.rules)
• 2009408 - ET MALWARE Patcher/Bankpatch V2 Communication with Controller (malware.rules)
• 2009409 - ET MALWARE Patcher/Bankpatch Module Download Request (malware.rules)
• 2009459 - ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion (web_specific_apps.rules)
• 2009460 - ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion (web_specific_apps.rules)
• 2010877 - ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt (exploit.rules)
• 2010941 - ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt (exploit.rules)
• 2011400 - ET MALWARE Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server (malware.rules)
• 2011402 - ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound (malware.rules)
• 2011403 - ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound (malware.rules)
• 2013048 - ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable (current_events.rules)
• 2014959 - ET EXPLOIT Base64 - Java Exploit Requested - /1Digit (exploit.rules)
• 2014960 - ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs() (web_client.rules)
• 2014961 - ET MALWARE W32/Scar CnC Checkin (malware.rules)
• 2016051 - ET MALWARE W32.Daws/Sanny CnC POST (malware.rules)
• 2016566 - ET EXPLOIT_KIT SNET EK Downloading Payload (exploit_kit.rules)
• 2016735 - ET EXPLOIT_KIT GonDadEK Java Exploit Requested (exploit_kit.rules)
• 2017001 - ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host) (malware.rules)
• 2017118 - ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013 (exploit_kit.rules)
• 2017119 - ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013 (exploit_kit.rules)
• 2018613 - ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014 (exploit_kit.rules)
• 2018892 - ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014 (malware.rules)
• 2019594 - ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post (exploit_kit.rules)
• 2019595 - ET MALWARE FlashPack Payload Download Oct 29 (malware.rules)
• 2020075 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
• 2020667 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
• 2020668 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
• 2020669 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
• 2021141 - ET EXPLOIT_KIT DNSChanger EK Landing URI Struct May 22 2015 (exploit_kit.rules)
• 2021391 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
• 2021779 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2021780 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2021781 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2022286 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2023403 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2023404 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2023405 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
• 2023508 - ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2 (mobile_malware.rules)
• 2024110 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
• 2024111 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
• 2100139 - GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP (web_server.rules)
• 2100419 - GPL ICMP_INFO Mobile Host Redirect (icmp_info.rules)
• 2100420 - GPL ICMP Mobile Host Redirect undefined code (icmp.rules)
• 2100489 - GPL FTP FTP no password (ftp.rules)
• 2100499 - GPL ICMP Large ICMP Packet (icmp.rules)
• 2100546 - GPL FTP FTP 'CWD ’ possible warez site (ftp.rules)
• 2100612 - GPL SCAN rusers query UDP (scan.rules)
• 2101111 - GPL EXPLOIT Tomcat server exploit access (exploit.rules)
• 2102083 - GPL RPC rpc.xfsmd xfs_export attempt UDP (rpc.rules)
• 2103051 - GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt (netbios.rules)
• 2800160 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 7 (exploit.rules)
• 2800161 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 8 (exploit.rules)
• 2800162 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 9 (exploit.rules)
• 2800415 - ETPRO ACTIVEX AXIS Communications Camera Control image_pan_tilt Buffer Overflow 2 (activex.rules)
• 2800977 - ETPRO SMTP Exim string_format Remote Code Execution Attempt (smtp.rules)
• 2800979 - ETPRO SMTP Exim string_format Remote Code Execution (smtp.rules)
• 2801178 - ETPRO EXPLOIT Microsoft IIS FTP Server Telnet IAC Buffer Overflow (exploit.rules)
• 2801179 - ETPRO ACTIVEX Microsoft Internet Explorer HTML Object Memory Corruption (activex.rules)
• 2801396 - ETPRO ADWARE_PUP Hotbar Checkin and Report (adware_pup.rules)
• 2802009 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Big Endian 2 (exploit.rules)
• 2802010 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Big Endian 3 (exploit.rules)
• 2802011 - ETPRO MALWARE Trojan.Win32.Fisp.A Chinese Bootkit Checkin 2 (malware.rules)
• 2803420 - ETPRO MALWARE Backdoor.Win32.Msposer.A Checkin (malware.rules)
• 2803568 - ETPRO MALWARE Trojan.Win32.Banload.ABY Checkin 1 (malware.rules)
• 2803892 - ETPRO ADWARE_PUP AdWare.Win32.Eorezo Install (adware_pup.rules)
• 2803893 - ETPRO MALWARE Trojan-Downloader.Win32.Bagle.eds Checkin (malware.rules)
• 2804497 - ETPRO MALWARE Trojan.Win32.Sasfis Checkin (malware.rules)
• 2804862 - ETPRO MALWARE HackTool.Win32.Binder.bs Checkin (malware.rules)
• 2804863 - ETPRO MALWARE Trojan.Win32.Invader CnC Traffic (malware.rules)
• 2804989 - ETPRO MALWARE Trojan-Dropper.Win32.Bina.f Checkin (malware.rules)
• 2805275 - ETPRO ADWARE_PUP Win32/Adware.Hebogo Checkin (adware_pup.rules)
• 2805276 - ETPRO MALWARE Win32/AgentBypass.gen!G Checkin (malware.rules)
• 2805414 - ETPRO MALWARE Win32/Vundo.HIY Checkin (malware.rules)
• 2805415 - ETPRO MALWARE PSW.Banker6.AFNY Checkin (malware.rules)
• 2806876 - ETPRO MALWARE Optix Pro RAT connection acknowledgement (malware.rules)
• 2807143 - ETPRO MALWARE Win32.RatTool Checkin (malware.rules)
• 2807255 - ETPRO MALWARE Trojan.Win32.Buzus.fcjf Checkin (malware.rules)
• 2808089 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Cynos.b Checkin 3 (mobile_malware.rules)
• 2808900 - ETPRO MALWARE Chanitor .onion Proxy Domain (malware.rules)
• 2809213 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Galf.a Checkin (mobile_malware.rules)
• 2809299 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M1 (web_client.rules)
• 2809300 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M2 (web_client.rules)
• 2809631 - ETPRO MALWARE Critroni Variant .onion Proxy Domain (malware.rules)
• 2809792 - ETPRO MALWARE WORM_AUTORUN.BMC (Update) (malware.rules)
• 2809793 - ETPRO MALWARE WORM_AUTORUN.BMC (ServerTime) (malware.rules)
• 2809881 - ETPRO MALWARE Unknown Trojan .onion Proxy Domain (qj2n3eebuuwvt7ju) (malware.rules)
• 2809882 - ETPRO MALWARE Dridex Post Checkin Activity 3 (malware.rules)
• 2810370 - ETPRO MALWARE Darkleech Iframe Injection Detected (malware.rules)
• 2812231 - ETPRO MALWARE Win32/Litera.A CnC Checkin (malware.rules)
• 2812389 - ETPRO MALWARE Possible Dridex Open Command in Pastebin Title (malware.rules)
• 2812390 - ETPRO MALWARE Possible Dridex Exe Command in Pastebin Title (malware.rules)
• 2814107 - ETPRO MALWARE AutoClicker Test Page (malware.rules)
• 2814471 - ETPRO MALWARE InfiniteLocker .onion Proxy Domain (malware.rules)
• 2815059 - ETPRO MALWARE Trojan.Win32.Swrort.A Checkin Response 2 (malware.rules)
• 2815609 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin 5 (mobile_malware.rules)
• 2816201 - ETPRO MALWARE Possible PlugX DNS Lookup (malware.rules)
• 2816202 - ETPRO MALWARE Possible PlugX DNS Lookup (malware.rules)
• 2819691 - ETPRO EXPLOIT Possible Windows RPC Downgrade Vulnerability SMB (CVE-2016-0128) (exploit.rules)
• 2819960 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
• 2820181 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.by Checkin 2 (mobile_malware.rules)

Disabled and modified rules:

• 2066059 - ET INFO Network Tunneling Service in DNS Lookup (ngrok .app) (info.rules)
• 2066134 - ET INFO Observed Network Tunneling Service Domain (ply .gg) in TLS SNI (info.rules)