Ruleset Update Summary - 2025/12/19 - v11087

rulesbot · December 19, 2025, 10:15pm

Summary:

16 new OPEN, 21 new PRO (16 + 5)

Added rules:

Open:

2066407 - ET MALWARE Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api (malware.rules)
2066408 - ET MALWARE Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api (malware.rules)
2066409 - ET MALWARE Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api M2 (malware.rules)
2066410 - ET MALWARE Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api M3 (malware.rules)
2066411 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (husnikmeat .com) (exploit_kit.rules)
2066412 - ET EXPLOIT_KIT LandUpdate808 Domain (husnikmeat .com) in TLS SNI (exploit_kit.rules)
2066413 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (almzsff .shop) (malware.rules)
2066414 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (almzsff .shop) in TLS SNI (malware.rules)
2066415 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carry-study .cyou) (malware.rules)
2066416 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carry-study .cyou) in TLS SNI (malware.rules)
2066417 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gunhandl .today) (malware.rules)
2066418 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gunhandl .today) in TLS SNI (malware.rules)
2066419 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rehfreshingdrinks .cyou) (malware.rules)
2066420 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rehfreshingdrinks .cyou) in TLS SNI (malware.rules)
2066421 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (udtbwaz .cyou) (malware.rules)
2066422 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (udtbwaz .cyou) in TLS SNI (malware.rules)

Pro:

2865447 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2865448 - ETPRO PHISHING UNK_ArmyDrive Exfil 2025-12-18 (phishing.rules)
2865449 - ETPRO PHISHING UNK_ArmyDrive Successful Credential Exfil 2025-12-18 (phishing.rules)
2865450 - ETPRO EXPLOIT_KIT Observed DNS Query to Compromised Domain (exploit_kit.rules)
2865451 - ETPRO EXPLOIT_KIT Observed Compromised Domain in TLS SNI (exploit_kit.rules)

Modified inactive rules:

2000048 - ET EXPLOIT CVS server heap overflow attempt (target Linux) (exploit.rules)
2001628 - ET ATTACK_RESPONSE Outbound PHP Connection (attack_response.rules)
2002000 - ET ADWARE_PUP Shopnav Spyware Install (adware_pup.rules)
2002658 - ET POLICY EIN in the clear (US-IRS Employer ID Number) (policy.rules)
2002941 - ET MALWARE elitekeylogger v1.0 reporting - Outbound (malware.rules)
2003198 - ET EXPLOIT TFTP Invalid Mode in file Get (exploit.rules)
2003316 - ET P2P Edonkey IP Query End (p2p.rules)
2008320 - ET MALWARE Banload Gadu-Gadu CnC Message Detected (malware.rules)
2009180 - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion (web_specific_apps.rules)
2009402 - ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1) (activex.rules)
2009596 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt (web_specific_apps.rules)
2009830 - ET MALWARE Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (malware.rules)
2100553 - GPL FTP FTP anonymous login attempt (ftp.rules)
2103053 - GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt (netbios.rules)
2800171 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Stack Overflow 4 (exploit.rules)
2801188 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x3C (exploit.rules)
2801307 - ETPRO EXPLOIT HP OpenView Network Node Manager jovgraph.exe displayWidth Buffer Overflow (exploit.rules)
2801402 - ETPRO MALWARE Generic Gui Trojan Hacker Tool Request to Controller (malware.rules)
2803269 - ETPRO MALWARE Dynamer.dtc/Keylog.km0/Uaneskeylogger.pl Keylogger User-Agent Oddity (malware.rules)
2803426 - ETPRO MALWARE TrojanDownloader.VBS/Badiseso.H Checkin (malware.rules)
2803899 - ETPRO MALWARE Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Google Translate (malware.rules)
2804029 - ETPRO MALWARE Win32/Mafod!rts Checkin (malware.rules)
2820404 - ETPRO EXPLOIT_KIT Possible KaiXin EK Common Flash Exploit URI Constructn May 31 2016 (exploit_kit.rules)
2824548 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/12/03 - v11075 Ruleset Updates	93	December 3, 2025
Ruleset Update Summary - 2025/09/18 - v11019 Ruleset Updates	125	September 18, 2025
Ruleset Update Summary - 2025/11/27 - v11072 Ruleset Updates	151	November 27, 2025
Ruleset Update Summary - 2025/12/22 - v11088 Ruleset Updates	87	December 22, 2025
Ruleset Update Summary - 2025/12/17 - v11085 Ruleset Updates	53	December 17, 2025

Ruleset Update Summary - 2025/12/19 - v11087

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics