Ruleset Update Summary - 2025/12/17 - v11085

Summary:

12 new OPEN, 19 new PRO (12 + 7)


Added rules:

Open:

  • 2066349 - ET MALWARE CastleLoader Malware Outbound Payload Request (malware.rules)
  • 2066350 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (specimennativqepthhy .shop) (malware.rules)
  • 2066351 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (specimennativqepthhy .shop) in TLS SNI (malware.rules)
  • 2066352 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (threeviolen .icu) (malware.rules)
  • 2066353 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (threeviolen .icu) in TLS SNI (malware.rules)
  • 2066354 - ET MALWARE CastleLoader Malware Stager Outbound Payload Request (malware.rules)
  • 2066355 - ET MALWARE CastleLoader Malware Inbound Command Retrieval via Finger Service (malware.rules)
  • 2066356 - ET MALWARE CastleRAT Malware Outbound Handshake (malware.rules)
  • 2066357 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
  • 2066358 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
  • 2066359 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
  • 2066360 - ET MALWARE StealC_V2 CnC Activity (POST) (malware.rules)

Pro:

  • 2865436 - ETPRO MALWARE Observed ClickFix WebPage Inbound (malware.rules)
  • 2865437 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2865438 - ETPRO EXPLOIT_KIT Observed DNS Query to ClickFix Domain (exploit_kit.rules)
  • 2865439 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865440 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2865441 - ETPRO EXPLOIT_KIT Observed ClickFix Domain in TLS SNI (exploit_kit.rules)
  • 2865442 - ETPRO MALWARE ClickFix Related CnC Activity (POST) (malware.rules)
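
Worked example (added here; it is not part of the Emerging Threats summary or of the ruleset itself): the Lumma Stealer rules in the Open list above alert on a domain seen in a DNS lookup or in a TLS SNI. The script pulls the defanged domains ("threeviolen .icu", space before the dot) out of rule titles copied from this page, refangs them, and checks a few constructed DNS/TLS events against them with label-boundary matching, so a lookalike such as notthreeviolen.icu does not fire. The event dict format and the matching semantics are assumptions for illustration, not the rules' actual Suricata content.

```python
import re

# Rule titles as they appear in this summary (constructed list: the four
# Lumma Stealer entries plus one with no domain, to show it is skipped).
RULE_TITLES = [
    "2066349 - ET MALWARE CastleLoader Malware Outbound Payload Request (malware.rules)",
    "2066350 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (specimennativqepthhy .shop) (malware.rules)",
    "2066351 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (specimennativqepthhy .shop) in TLS SNI (malware.rules)",
    "2066352 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (threeviolen .icu) (malware.rules)",
    "2066353 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (threeviolen .icu) in TLS SNI (malware.rules)",
]

# The summary defangs domains by putting a space before each dot
# ("threeviolen .icu"). The trailing "(malware.rules)" has no space,
# so requiring the space keeps the rules-file name out of the indicator set.
DEFANGED_DOMAIN = re.compile(r"\(([a-z0-9-]+(?:\s+\.[a-z0-9-]+)+)\)", re.IGNORECASE)
SID = re.compile(r"^\s*(\d+)\s+-\s+")


def refang(defanged: str) -> str:
    """'threeviolen .icu' -> 'threeviolen.icu' (lower-cased, no trailing dot)."""
    return re.sub(r"\s+", "", defanged).lower().rstrip(".")


def extract_indicators(titles):
    """Map sid -> (protocol, domain) for every title carrying a defanged domain.

    protocol is 'dns' for DNS-lookup rules, 'tls' for TLS SNI rules, else 'any'
    (assumed classification based only on the wording of the rule title).
    """
    out = {}
    for title in titles:
        sid_m = SID.match(title)
        dom_m = DEFANGED_DOMAIN.search(title)
        if not sid_m or not dom_m:
            continue
        if "DNS Lookup" in title:
            proto = "dns"
        elif "TLS SNI" in title:
            proto = "tls"
        else:
            proto = "any"
        out[int(sid_m.group(1))] = (proto, refang(dom_m.group(1)))
    return out


def domain_matches(observed: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it, on a label boundary."""
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def scan(events, indicators):
    """Return (sid, domain, event) for every event whose name hits an indicator.

    events are constructed dicts: {"proto": "dns", "name": rrname} or
    {"proto": "tls", "name": sni}; a real feed would come from Suricata/Zeek logs.
    """
    hits = []
    for ev in events:
        for sid, (proto, dom) in sorted(indicators.items()):
            if proto in (ev["proto"], "any") and domain_matches(ev["name"], dom):
                hits.append((sid, dom, ev))
    return hits


# Constructed sample events; the first two should fire, the rest must not.
SAMPLE_EVENTS = [
    {"proto": "dns", "name": "specimennativqepthhy.shop."},           # trailing dot, exact
    {"proto": "tls", "name": "cdn.threeviolen.icu"},                  # subdomain
    {"proto": "dns", "name": "notthreeviolen.icu"},                   # not on a label boundary
    {"proto": "tls", "name": "specimennativqepthhy.shop.example.net"},  # indicator as a prefix only
    {"proto": "dns", "name": "malware.rules"},                        # rules-file name, not an IOC
]

if __name__ == "__main__":
    iocs = extract_indicators(RULE_TITLES)
    for sid, dom, ev in scan(SAMPLE_EVENTS, iocs):
        print(f"sid {sid}: {ev['proto']} {ev['name']} -> {dom}")
```

Older titles in the "Modified inactive rules" list (for example the btbord.org entry) are not defanged, so the regex above deliberately ignores them; extend it only after checking how a given summary writes its indicators.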

Modified inactive rules:

  • 2000356 - ET POLICY IRC connection (policy.rules)
  • 2002037 - ET ADWARE_PUP Shop at Home Select Spyware Install (adware_pup.rules)
  • 2002697 - ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution (web_specific_apps.rules)
  • 2002938 - ET MALWARE elitekeylogger v1.0 reporting - Inbound (malware.rules)
  • 2003250 - ET EXPLOIT Symantec Remote Management RTVScan Exploit (exploit.rules)
  • 2003309 - ET P2P Edonkey IP Reply (p2p.rules)
  • 2008283 - ET MALWARE Banload HTTP Checkin Detected (quem=) (malware.rules)
  • 2009179 - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009595 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt (web_specific_apps.rules)
  • 2009809 - ET ADWARE_PUP Adware/Antivirus360 Config to client (adware_pup.rules)
  • 2010193 - ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2012908 - ET MALWARE Backdoor Win32/Begman.A Checkin (malware.rules)
  • 2013914 - ET POLICY APT User-Agent to BackTrack Repository (policy.rules)
  • 2014003 - ET MALWARE VBKrypt.dytr Checkin (malware.rules)
  • 2014828 - ET CURRENT_EVENTS UPS Spam Inbound (current_events.rules)
  • 2021699 - ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015 (exploit_kit.rules)
  • 2022130 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC) (malware.rules)
  • 2101449 - GPL FTP FTP anonymous ftp login attempt (ftp.rules)
  • 2102031 - GPL RPC yppasswd user update UDP (rpc.rules)
  • 2103045 - GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt (netbios.rules)
  • 2800170 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Stack Overflow 3 (exploit.rules)
  • 2801187 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x3B (exploit.rules)
  • 2801306 - ETPRO POP3 Inetserv 3.23 POP3 DoS (DELE) (pop3.rules)
  • 2803268 - ETPRO MALWARE Dynamer.dtc/Keylog.km0/Uaneskeylogger.pl Keylogger Version Check (malware.rules)
  • 2803739 - ETPRO MALWARE Backdoor.Win32.Shiz.ufj Checkin (malware.rules)
  • 2803898 - ETPRO MALWARE Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish 2 (malware.rules)
  • 2804504 - ETPRO ADWARE_PUP rogue anti-spyware Soft-Cop (adware_pup.rules)
  • 2804652 - ETPRO WEB_SPECIFIC_APPS Path Traversal on Polycom Web Management Interface (web_specific_apps.rules)
  • 2811461 - ETPRO MALWARE Worm.Win32.Ackantta.B spreading via SMTP - SET 4 (malware.rules)
  • 2812398 - ETPRO ADWARE_PUP Win32/Adware.FileTour Requesting Torrent (adware_pup.rules)
  • 2814480 - ETPRO EXPLOIT_KIT Generic Mix Alpha-Numeric Encoded HTML Entity in Object (Observed in SunDown/Xer EK) (exploit_kit.rules)
  • 2819967 - ETPRO EXPLOIT Asmax ar_1004g Password Disclosure (exploit.rules)
  • 2822683 - ETPRO MALWARE MSIL/Exotic Ransomware Image Request (malware.rules)
  • 2824896 - ETPRO MALWARE Ransomware CnC DNS Lookup (btbord.org) (malware.rules)

Disabled and modified rules:

  • 2065247 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (wisvetsmuseum .com) (malware.rules)
  • 2065254 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (wisvetsmuseum .com) (malware.rules)