Ruleset Update Summary - 2025/12/18 - v11086

rulesbot · December 18, 2025, 9:48pm

Summary:

46 new OPEN, 50 new PRO (46 + 4)

Added rules:

Open:

2066361 - ET MALWARE ZeitLoader Payload Retrieval attempt (malware.rules)
2066362 - ET WEB_SPECIFIC_APPS Gladinet CentreStack/Triofox Hardcoded AES Key Arbitrary File Read (CVE-2025-14611) (web_specific_apps.rules)
2066363 - ET MALWARE CastleRAT Malware Outbound Handshake M2 (malware.rules)
2066364 - ET MALWARE CastleRAT Malware Outbound Handshake M3 (malware.rules)
2066365 - ET MALWARE ZeitLoader IP Address Check User-Agent (TimeClient/1.0) (malware.rules)
2066366 - ET MALWARE CastleRAT Malware Outbound Handshake M4 (malware.rules)
2066367 - ET MALWARE CastleRAT Malware Outbound Handshake M5 (malware.rules)
2066368 - ET MALWARE CastleRAT Malware Outbound Handshake M6 (malware.rules)
2066369 - ET MALWARE CastleRAT Malware Outbound Handshake M7 (malware.rules)
2066370 - ET MALWARE CastleRAT Malware Outbound Handshake M8 (malware.rules)
2066371 - ET MALWARE CastleRAT Malware Outbound Handshake M9 (malware.rules)
2066372 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (clllier .com) (exploit_kit.rules)
2066373 - ET EXPLOIT_KIT LandUpdate808 Domain (clllier .com) in TLS SNI (exploit_kit.rules)
2066374 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (leprixnet .com) (exploit_kit.rules)
2066375 - ET EXPLOIT_KIT LandUpdate808 Domain (leprixnet .com) in TLS SNI (exploit_kit.rules)
2066376 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (perceptivitysczio .shop) (malware.rules)
2066377 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (perceptivitysczio .shop) in TLS SNI (malware.rules)
2066378 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thicew .xyz) (malware.rules)
2066379 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thicew .xyz) in TLS SNI (malware.rules)
2066380 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (welfaredcattewd .xyz) (malware.rules)
2066381 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (welfaredcattewd .xyz) in TLS SNI (malware.rules)
2066382 - ET ATTACK_RESPONSE Obfuscated PowerShell Payload Inbound (attack_response.rules)
2066383 - ET WEB_SPECIFIC_APPS Tenda onSSIDChange ssid_index Parameter Buffer Overflow Attempt (CVE-2025-14879) (web_specific_apps.rules)
2066384 - ET WEB_SPECIFIC_APPS Phoenix Contact dyn_conn.php objSave Parameter Cross Site Scripting Attempt (CVE-2025-41695) (web_specific_apps.rules)
2066385 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_portCntr2.php activeTab Parameter Cross Site Scripting Attempt (CVE-2025-41745) (web_specific_apps.rules)
2066386 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_portSecCfg.php portSelect Parameter Cross Site Scripting Attempt (CVE-2025-41746) (web_specific_apps.rules)
2066387 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_vlanIntfCfg.php activeInf Parameter Cross Site Scripting Attempt (CVE-2025-41747) (web_specific_apps.rules)
2066388 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_Dot1xCfg.php port Parameter Cross Site Scripting Attempt (CVE-2025-41748) (web_specific_apps.rules)
2066389 - ET WEB_SPECIFIC_APPS Phoenix Contact port_util.php portSelect Parameter Cross Site Scripting Attempt (CVE-2025-41749) (web_specific_apps.rules)
2066390 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_PortCfg.php port Parameter Cross Site Scripting Attempt (CVE-2025-41750) (web_specific_apps.rules)
2066391 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_portCntr.php port Parameter Cross Site Scripting Attempt (CVE-2025-41751) (web_specific_apps.rules)
2066392 - ET WEB_SPECIFIC_APPS Phoenix Contact pxc_portSfp.php port Parameter Cross Site Scripting Attempt (CVE-2025-41752) (web_specific_apps.rules)
2066393 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsctestapi .terminet .io) (info.rules)
2066394 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet-rpc .publicnode .com) (info.rules)
2066395 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org) (info.rules)
2066396 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .public .blastapi .io) (info.rules)
2066397 - ET INFO Observed Smart Chain Domain in DNS Lookup (bnb-testnet .api .onfinality .io) (info.rules)
2066398 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .4everland .org) (info.rules)
2066399 - ET INFO Observed Smart Chain Domain in TLS SNI (bsctestapi .terminet .io) (info.rules)
2066400 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet-rpc .publicnode .com) (info.rules)
2066401 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .drpc .org) (info.rules)
2066402 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .public .blastapi .io) (info.rules)
2066403 - ET INFO Observed Smart Chain Domain in TLS SNI (bnb-testnet .api .onfinality .io) (info.rules)
2066404 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .4everland .org) (info.rules)
2066405 - ET MALWARE Observed DNS Query to Etherhiding Domain (faxnamegl .top) (malware.rules)
2066406 - ET MALWARE Observed Etherhiding Domain (faxnamegl .top in TLS SNI) (malware.rules)

Pro:

2865443 - ETPRO MALWARE Koi Stealer Payload Request (GET) (malware.rules)
2865444 - ETPRO MALWARE Koi Stealer CnC Exfil (POST) (malware.rules)
2865445 - ETPRO MALWARE Observed DNS Query to Koi Stealer Domain (malware.rules)
2865446 - ETPRO MALWARE Observed Koi Stealer Domain in TLS SNI (malware.rules)

Modified inactive rules:

2016250 - ET EXPLOIT_KIT Redkit Class Request (2) (exploit_kit.rules)
2017253 - ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura) (exploit_kit.rules)
2017632 - ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass (current_events.rules)
2019146 - ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2 (exploit_kit.rules)
2019603 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2019739 - ET MALWARE W32/AlienSpy RAT Checkin (malware.rules)
2021930 - ET MALWARE MSIL/Banker.M Requesting Binary from SQL (malware.rules)
2022131 - ET MALWARE Rincux CnC (set) (malware.rules)
2805420 - ETPRO MALWARE Sality.IK!/Tedroo.AE Checkin (malware.rules)
2810577 - ETPRO MALWARE Win.Backdoor.Igliveforg Checkin 2 (malware.rules)
2811655 - ETPRO MALWARE Possible Adwind/AlienSpy JAR Observed (malware.rules)
2814111 - ETPRO MALWARE Vawtrak Retrieving Update (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/12/23 - v11089 Ruleset Updates	77	December 23, 2025
Ruleset Update Summary - 2025/12/11 - v11081 Ruleset Updates	64	December 11, 2025
Ruleset Update Summary - 2025/12/17 - v11085 Ruleset Updates	59	December 17, 2025
Ruleset Update Summary - 2025/03/11 - v10876 Ruleset Updates	156	March 11, 2025
Ruleset Update Summary - 2025/09/19 - v11020 Ruleset Updates	132	September 19, 2025

Ruleset Update Summary - 2025/12/18 - v11086

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics