Ruleset Update Summary - 2025/12/16 - v11084

rulesbot · December 16, 2025, 9:38pm

Summary:

14 new OPEN, 68 new PRO (14 + 54)

Added rules:

Open:

2066335 - ET EXPLOIT Synology Driver Server SQL Injection (CVE-2024-50631) (exploit.rules)
2066336 - ET MALWARE SantaStealer Data Exfiltration Attempt (malware.rules)
2066337 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ibuyline .com) (exploit_kit.rules)
2066338 - ET EXPLOIT_KIT LandUpdate808 Domain (ibuyline .com) in TLS SNI (exploit_kit.rules)
2066339 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (renegax .sbs) (malware.rules)
2066340 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (renegax .sbs) in TLS SNI (malware.rules)
2066341 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (titanaquaplus .xyz) (malware.rules)
2066342 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (titanaquaplus .xyz) in TLS SNI (malware.rules)
2066343 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
2066344 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
2066345 - ET MALWARE StealC_V2 PowerShell Payload Inbound (malware.rules)
2066346 - ET INFO Infrastructure as a Service Domain in DNS Lookup (railway .app) (info.rules)
2066347 - ET INFO Observed Infrastructure as a Service Domain (railway .app in TLS SNI) (info.rules)
2066348 - ET PHISHING TA397/Bitter CnC Fence Response (phishing.rules)

Pro:

2865382 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865383 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865384 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865385 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865386 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865387 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865388 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865389 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865390 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865391 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865392 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865393 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865394 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865395 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865396 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865397 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865398 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865399 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865400 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865401 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865402 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865403 - ETPRO PHISHING Observed TA456 Domain in DNS Lookup (phishing.rules)
2865404 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865405 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865406 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865407 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865408 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865409 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865410 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865411 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865412 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865413 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865414 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865415 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865416 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865417 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865418 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865419 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865420 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865421 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865422 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865423 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865424 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865425 - ETPRO PHISHING Observed TA456 Domain in TLS SNI (phishing.rules)
2865426 - ETPRO MALWARE Observed TA456 Domain in DNS Lookup (malware.rules)
2865427 - ETPRO MALWARE Observed TA456 Domain in DNS Lookup (malware.rules)
2865428 - ETPRO MALWARE Observed TA456 Domain in DNS Lookup (malware.rules)
2865429 - ETPRO MALWARE Observed TA456 Domain in DNS Lookup (malware.rules)
2865430 - ETPRO MALWARE Observed TA456 Domain in DNS Lookup (malware.rules)
2865431 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)
2865432 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)
2865433 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)
2865434 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)
2865435 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)

Modified inactive rules:

2009594 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt (web_specific_apps.rules)
2009685 - ET MALWARE Unkown Trojan User-Agent (5.1 …) (malware.rules)
2010192 - ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion (web_specific_apps.rules)
2010252 - ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion (web_specific_apps.rules)
2011128 - ET MALWARE Eleonore Exploit Pack activity variant May 2010 (malware.rules)
2011420 - ET MALWARE FAKEAV client requesting image - sector.hdd.png (malware.rules)
2014827 - ET CURRENT_EVENTS FedEX Spam Inbound (current_events.rules)
2014966 - ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT (exploit.rules)
2016249 - ET EXPLOIT_KIT Redkit Class Request (1) (exploit_kit.rules)
2016742 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (malware.rules)
2017252 - ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura) (exploit_kit.rules)
2017631 - ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass (current_events.rules)
2018135 - ET CURRENT_EVENTS Current Asprox Spam Campaign 2 (current_events.rules)
2018394 - ET MALWARE Common Upatre Header Structure (malware.rules)
2019279 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
2020079 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2100543 - GPL FTP FTP ‘STOR 1MB’ possible warez site (ftp.rules)
2102027 - GPL RPC yppasswd old password overflow attempt UDP (rpc.rules)
2102113 - GPL EXPLOIT rexec username overflow attempt (exploit.rules)
2800169 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Stack Overflow 2 (exploit.rules)
2800423 - ETPRO EXPLOIT HP OpenView Network Node Manager ovlaunch HTTP Request Buffer Overflow (exploit.rules)
2801186 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x3A (exploit.rules)
2801305 - ETPRO POP3 Inetserv 3.23 POP3 DoS (RETR) (pop3.rules)
2801401 - ETPRO MALWARE Win32.Vilsel.awhu Checkin via Email Form Inbound (malware.rules)
2803897 - ETPRO MALWARE Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish (malware.rules)
2808252 - ETPRO MALWARE W32.Injector.13824.C config update pull (malware.rules)
2808641 - ETPRO MALWARE W32/Badur.ZYP Checkin (malware.rules)
2808777 - ETPRO MOBILE_MALWARE Android.Svpeng.D Checkin (mobile_malware.rules)

Disabled and modified rules:

2014363 - ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain (DGA) (malware.rules)
2014376 - ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/06/24 - v10626 Ruleset Updates	312	June 24, 2024
Ruleset Update Summary - 2024/01/23 - v10512 Ruleset Updates	281	January 23, 2024
Ruleset Update Summary - 2025/12/22 - v11088 Ruleset Updates	87	December 22, 2025
Ruleset Update Summary - 2024/06/10 - v10613 Ruleset Updates	166	June 10, 2024
Ruleset Update Summary - 2025/12/03 - v11075 Ruleset Updates	93	December 3, 2025

Ruleset Update Summary - 2025/12/16 - v11084

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related topics