Ruleset Update Summary - 2025/12/10 - v11080

Summary:

31 new OPEN, 40 new PRO (31 + 9)

Added rules:

Open:

• 2066230 - ET MALWARE PeerBlight Related Domain in DNS Lookup (api .qtss .cc) (malware.rules)
• 2066231 - ET MALWARE PeerBlight Related Domain in DNS Lookup (vps-zap812595-1 .zap-srv .com) (malware.rules)
• 2066232 - ET MALWARE PeerBlight Related Domain in DNS Lookup (help .093214 .xyz) (malware.rules)
• 2066233 - ET MALWARE PeerBlight Related Domain in DNS Lookup (keep .camdvr .org) (malware.rules)
• 2066234 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vimsltd .com) (exploit_kit.rules)
• 2066235 - ET EXPLOIT_KIT LandUpdate808 Domain (vimsltd .com) in TLS SNI (exploit_kit.rules)
• 2066236 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enhancrea .digital) (malware.rules)
• 2066237 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enhancrea .digital) in TLS SNI (malware.rules)
• 2066238 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hellouts .fun) (malware.rules)
• 2066239 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hellouts .fun) in TLS SNI (malware.rules)
• 2066240 - ET MALWARE Observed PeerBlight Domain (api .qtss .cc) in TLS SNI (malware.rules)
• 2066241 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inosthome .fun) (malware.rules)
• 2066242 - ET MALWARE Observed PeerBlight Domain (vps-zap812595-1 .zap-srv .com) in TLS SNI (malware.rules)
• 2066243 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inosthome .fun) in TLS SNI (malware.rules)
• 2066244 - ET MALWARE Observed PeerBlight Domain (help .093214 .xyz) in TLS SNI (malware.rules)
• 2066245 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (recenjc .qpon) (malware.rules)
• 2066246 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (recenjc .qpon) in TLS SNI (malware.rules)
• 2066247 - ET MALWARE Observed PeerBlight Domain (keep .camdvr .org) in TLS SNI (malware.rules)
• 2066248 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unbinddas .digital) (malware.rules)
• 2066249 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unbinddas .digital) in TLS SNI (malware.rules)
• 2066250 - ET MALWARE Peerblight ZinFoq Backdoor CnC Beacon (malware.rules)
• 2066251 - ET MALWARE PeerBlight BitTorrent DHT CnC Checkin (malware.rules)
• 2066252 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cpajoliette .com) (exploit_kit.rules)
• 2066253 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (watchsmiler .com) (exploit_kit.rules)
• 2066254 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cpajoliette .com) (exploit_kit.rules)
• 2066255 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (watchsmiler .com) (exploit_kit.rules)
• 2066256 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (members .affiliateincomecoach .com) (malware.rules)
• 2066257 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (members .affiliateincomecoach .com) (malware.rules)
• 2066258 - ET WEB_SPECIFIC_APPS Barracuda RMM Service Center Absolute Path Traversal RCE (CVE-2025-34392) (web_specific_apps.rules)
• 2066259 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (brands .khaitara .com) (malware.rules)
• 2066260 - ET WEB_SPECIFIC_APPS Totolink enable enable Parameter Telnet enablement Authentication Bypass Attempt (CVE-2025-13184) (web_specific_apps.rules)

Pro:

• 2865322 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
• 2865323 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
• 2865324 - ETPRO MALWARE Observed UNK_NeedleSalt Domain in TLS SNI (malware.rules)
• 2865325 - ETPRO MALWARE Observed UNK_NeedleSalt Domain in TLS SNI (malware.rules)
• 2865326 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
• 2865327 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
• 2865328 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
• 2865329 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
• 2865330 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)

Modified inactive rules:

• 2001296 - ET P2P eDonkey File Status (p2p.rules)
• 2001683 - ET ADWARE_PUP Windows executable sent when remote host claims to send an image (adware_pup.rules)
• 2002784 - ET EXPLOIT Java private function call sun.misc.unsafe (exploit.rules)
• 2003378 - ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow (exploit.rules)
• 2003920 - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt – loan.php movieid (web_specific_apps.rules)
• 2007968 - ET MALWARE Universal1337 Email Upload of Compromised Data (malware.rules)
• 2008016 - ET ADWARE_PUP Servicepack.kr Fake Patch Software Checkin (adware_pup.rules)
• 2008136 - ET MALWARE Egspy Install Report via HTTP (malware.rules)
• 2009590 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt (web_specific_apps.rules)
• 2011186 - ET MALWARE Nine Ball Infection ya.ru Post (malware.rules)
• 2013197 - ET MALWARE Win32.Genome Download.php HTTP Request (malware.rules)
• 2016053 - ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received (exploit_kit.rules)
• 2016054 - ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error (exploit_kit.rules)
• 2016737 - ET EXPLOIT_KIT GonDadEK Kit Jar (exploit_kit.rules)
• 2016851 - ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response (current_events.rules)
• 2016852 - ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013 (exploit_kit.rules)
• 2018741 - ET EXPLOIT_KIT Fiesta EK randomized javascript Gate Jul 18 2014 (exploit_kit.rules)
• 2019415 - ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack (policy.rules)
• 2021549 - ET MALWARE CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu) (malware.rules)
• 2021783 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2021842 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
• 2024113 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
• 2066059 - ET INFO Network Tunneling Service in DNS Lookup (ngrok .app) (info.rules)
• 2066134 - ET INFO Observed Network Tunneling Service Domain (ply .gg) in TLS SNI (info.rules)
• 2100421 - GPL ICMP_INFO Mobile Registration Reply (icmp_info.rules)
• 2100547 - GPL FTP MKD space space possible warez site (ftp.rules)
• 2101237 - GPL WEB_SERVER Tomcat sourcecode view attempt 2 (web_server.rules)
• 2800164 - ETPRO EXPLOIT CA BrightStor ARCServe Backup LGServer Authentication Password Buffer Overflow (exploit.rules)
• 2800165 - ETPRO EXPLOIT CA BrightStor ARCServe Backup LGServer Authentication Password Buffer Overflow (exploit.rules)
• 2800728 - ETPRO DOS Squid Proxy FTP URI Processing Denial of Service (dos.rules)
• 2802014 - ETPRO MALWARE Trojan.Win32.Banker.qmd Runtime Detection (malware.rules)
• 2803423 - ETPRO WORM Worm.Win32.Ganelp.B Checkin 2 (worm.rules)
• 2804867 - ETPRO MALWARE Trojan-Banker.Win32.Banker.srjp Checkin (malware.rules)
• 2805278 - ETPRO MALWARE Win32/Weelsof.C Checkin (malware.rules)
• 2805417 - ETPRO MALWARE Win32/Vobfus Checkin (malware.rules)
• 2808772 - ETPRO MALWARE Win32.Yakes.fudl Checkin (malware.rules)
• 2809302 - ETPRO WEB_CLIENT Possible Internet Explorerer Use After Free CVE-2014-6330 (web_client.rules)
• 2809385 - ETPRO MALWARE Win32/Injector.BOVV .onion Proxy Domain (malware.rules)
• 2809884 - ETPRO MALWARE Cryptolocker .onion Proxy Domain (udm744mfh5wbwxye) (malware.rules)
• 2815410 - ETPRO MALWARE Trojan-Ransomware Radamant Checkin (malware.rules)
• 2816396 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.hr Checkin (mobile_malware.rules)
• 2819693 - ETPRO EXPLOIT Possible Windows RPC Downgrade Vulnerability (CVE-2016-0128) (exploit.rules)
• 2820603 - ETPRO EXPLOIT Possible CVE-2016-3218 Executable Inbound (exploit.rules)
• 2824544 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
• 2824730 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.NE Checkin (mobile_malware.rules)