Ruleset Update Summary - 2025/12/15 - v11083

Ruleset Updates
1

Summary:

26 new OPEN, 47 new PRO (26 + 21)

Added rules:

Open:

  • 2066309 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atthewr .cyou) (malware.rules)
  • 2066310 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atthewr .cyou) in TLS SNI (malware.rules)
  • 2066311 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yikpspbi .my) (malware.rules)
  • 2066312 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yikpspbi .my) in TLS SNI (malware.rules)
  • 2066313 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (injecto .cyou) (malware.rules)
  • 2066314 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (injecto .cyou) in TLS SNI (malware.rules)
  • 2066315 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relatedsinsportycreiwer .site) (malware.rules)
  • 2066316 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (relatedsinsportycreiwer .site) in TLS SNI (malware.rules)
  • 2066317 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (valuablestraigwhi .shop) (malware.rules)
  • 2066318 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (valuablestraigwhi .shop) in TLS SNI (malware.rules)
  • 2066319 - ET PHISHING TA397/Bitter CnC Activity (phishing.rules)
  • 2066320 - ET MALWARE TA397/Bitter CnC Domain in DNS Lookup (malware.rules)
  • 2066321 - ET MALWARE Observed TA397/Bitter Domain in TLS SNI (malware.rules)
  • 2066322 - ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection (CVE-2025-66516) (web_specific_apps.rules)
  • 2066323 - ET PHISHING TA446 PHP Redirect (phishing.rules)
  • 2066324 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (fsglobe .com) (exploit_kit.rules)
  • 2066325 - ET EXPLOIT_KIT LandUpdate808 Domain (fsglobe .com) in TLS SNI (exploit_kit.rules)
  • 2066326 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (phytonr .cyou) (malware.rules)
  • 2066327 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (phytonr .cyou) in TLS SNI (malware.rules)
  • 2066328 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtu .sbs) (malware.rules)
  • 2066329 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soundtu .sbs) in TLS SNI (malware.rules)
  • 2066330 - ET INFO Microsoft OAuth 2.0 Device Auth Activity M3 (GET) (info.rules)
  • 2066331 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kuliboku .com) (exploit_kit.rules)
  • 2066332 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kuliboku .com) (exploit_kit.rules)
  • 2066333 - ET WEB_SPECIFIC_APPS ManageEngine ServiceDesk Plus Arbitrary File Access via Parameter Traversal (CVE-2011-2755) (web_specific_apps.rules)
  • 2066334 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)

Pro:

  • 2865361 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2865362 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2865363 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
  • 2865364 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
  • 2865365 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865366 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865367 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865368 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865369 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865370 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865371 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865372 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865373 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865374 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865375 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865376 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865377 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865378 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865379 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865380 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865381 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2000581 - ET ADWARE_PUP Shop At Home Select.com Install Download (adware_pup.rules)
  • 2001299 - ET P2P eDonkey Server Status (p2p.rules)
  • 2001708 - ET ADWARE_PUP Shop at Home Select Spyware Heartbeat (adware_pup.rules)
  • 2002896 - ET EXPLOIT Symantec Scan Engine Request Password Hash (exploit.rules)
  • 2003308 - ET P2P Edonkey IP Request (p2p.rules)
  • 2003750 - ET EXPLOIT CA Brightstor ARCServe caloggerd DoS (exploit.rules)
  • 2003751 - ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS (exploit.rules)
  • 2008074 - ET MALWARE Banload User-Agent Detected (WebUpdate) (malware.rules)
  • 2009443 - ET MALWARE NoBo Downloader Dropper GET (malware.rules)
  • 2009532 - ET MALWARE BackDoor-EGB Check-in (malware.rules)
  • 2009593 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt (web_specific_apps.rules)
  • 2010191 - ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010248 - ET MALWARE Eleonore Exploit Pack activity (malware.rules)
  • 2011419 - ET MALWARE FAKEAV landing page - sector.hdd.png no-repeat (malware.rules)
  • 2013411 - ET MALWARE Bancos.DV MSSQL CnC Connection Outbound (malware.rules)
  • 2014136 - ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet (exploit_kit.rules)
  • 2015812 - ET CURRENT_EVENTS SofosFO Jar file 10/17/12 (current_events.rules)
  • 2016056 - ET EXPLOIT_KIT Unknown_gmf EK - flsh.html (exploit_kit.rules)
  • 2016247 - ET EXPLOIT_KIT StyX Landing Page (exploit_kit.rules)
  • 2016584 - ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain (info.rules)
  • 2016855 - ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt (malware.rules)
  • 2017250 - ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura) (exploit_kit.rules)
  • 2017251 - ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura) (exploit_kit.rules)
  • 2018008 - ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org (malware.rules)
  • 2018263 - ET CURRENT_EVENTS Dell Kace backdoor (current_events.rules)
  • 2018264 - ET MALWARE Linux/Kimodin SSH backdoor activity (malware.rules)
  • 2019242 - ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin (malware.rules)
  • 2019418 - ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server) (exploit.rules)
  • 2019600 - ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP) (exploit_kit.rules)
  • 2021698 - ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015 (exploit_kit.rules)
  • 2021845 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022129 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC) (malware.rules)
  • 2022339 - ET MALWARE Dridex Download 6th Jan 2016 Flowbit (malware.rules)
  • 2022340 - ET MALWARE W32/Dridex Binary Download 6th Jan 2016 (malware.rules)
  • 2022569 - ET MALWARE PadCrypt .onion Payment Domain (malware.rules)
  • 2024116 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
  • 2024117 - ET MALWARE Ransomware CrypMIC Payment Onion Domain (malware.rules)
  • 2100467 - GPL SCAN Nemesis v1.1 Echo (scan.rules)
  • 2100544 - GPL FTP FTP ‘RETR 1MB’ possible warez site (ftp.rules)
  • 2102029 - GPL RPC yppasswd new password overflow attempt UDP (rpc.rules)
  • 2102114 - GPL RPC rexec password overflow attempt (rpc.rules)
  • 2103037 - GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt (netbios.rules)
  • 2800168 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Stack Overflow 1 (exploit.rules)
  • 2800422 - ETPRO EXPLOIT Squid HTTP Version Number Parsing Denial of Service (exploit.rules)
  • 2800731 - ETPRO EXPLOIT Trend Micro ServerProtect Crafted RPC Call CMON_NetTestConnection Buffer Overflow (exploit.rules)
  • 2801185 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x39 (exploit.rules)
  • 2801304 - ETPRO POP3 Inetserv 3.23 POP3 DoS (pop3.rules)
  • 2801400 - ETPRO MALWARE Win32.Vilsel.awhu Checkin via Email Form (malware.rules)
  • 2804990 - ETPRO MALWARE Trojan.FirewallBypass.VqX@aCTjNMlb Checkin (malware.rules)
  • 2805281 - ETPRO MALWARE Win32/Spy.Banker.TXN Checkin (malware.rules)
  • 2805282 - ETPRO ADWARE_PUP Adware.Casino-36 Checkin 2 (adware_pup.rules)
  • 2806121 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.a Checkin (mobile_malware.rules)
  • 2807040 - ETPRO MOBILE_MALWARE Andr/DroidRt-A Checkin (mobile_malware.rules)
  • 2807150 - ETPRO ADWARE_PUP Security Cleaner Pro FakeAV Checkin (adware_pup.rules)
  • 2808393 - ETPRO MOBILE_MALWARE Android/Fakeinst.HX Checkin (mobile_malware.rules)
  • 2808776 - ETPRO MALWARE Win32/ProxyChanger.EO Checkin 2 (malware.rules)
  • 2809887 - ETPRO MALWARE Win32/Injector.AEJK .onion Proxy Domain (malware.rules)
  • 2810910 - ETPRO MALWARE .zip Download from GoogleAPI with Minimal headers Possible Trojan.MSIL.Banload.DD Dropping Spy.Banker (Download) (malware.rules)
  • 2815064 - ETPRO MALWARE Win32/Kitkiot.A CnC Outbound (malware.rules)
  • 2815225 - ETPRO MALWARE Generic VBScript HeapSpray Construct (malware.rules)
  • 2820607 - ETPRO EXPLOIT Win32k Privilege Elevation Vuln (CVE-2016-3221 2) (exploit.rules)
  • 2824546 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit) (malware.rules)
  • 2825040 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2825041 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825257 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.AZ Checkin (mobile_malware.rules)

Disabled and modified rules:

  • 2028802 - ET JA3 Hash - [Abuse.ch] Possible Adware (ja3.rules)
  • 2066279 - ET WEB_SPECIFIC_APPS Vaultwarden Escalation of Privilege via OrgHeaders Variable Confusion (CVE-2025-24365) (web_specific_apps.rules)
  • 2865322 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2865323 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2865324 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
  • 2865325 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)