Ruleset Update Summary - 2025/12/22 - v11088

Summary:

23 new OPEN, 52 new PRO (23 + 29)
Added rules:

Open:

  • 2066423 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (csmultimedia .com) (exploit_kit.rules)
  • 2066424 - ET EXPLOIT_KIT LandUpdate808 Domain (csmultimedia .com) in TLS SNI (exploit_kit.rules)
  • 2066425 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rorkery .com) (exploit_kit.rules)
  • 2066426 - ET EXPLOIT_KIT LandUpdate808 Domain (rorkery .com) in TLS SNI (exploit_kit.rules)
  • 2066427 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (freshideastop .top) (malware.rules)
  • 2066428 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (freshideastop .top) in TLS SNI (malware.rules)
  • 2066429 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostwritexmskz .shop) (malware.rules)
  • 2066430 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostwritexmskz .shop) in TLS SNI (malware.rules)
  • 2066431 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talktaitoovee .shop) (malware.rules)
  • 2066432 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (talktaitoovee .shop) in TLS SNI (malware.rules)
  • 2066433 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stoneuf .cyou) (malware.rules)
  • 2066434 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stoneuf .cyou) in TLS SNI (malware.rules)
  • 2066435 - ET MALWARE Win.Supper Tunnel C2 Magic Bytes Detected (malware.rules)
  • 2066436 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (zealmovies .com) (exploit_kit.rules)
  • 2066437 - ET EXPLOIT_KIT LandUpdate808 Domain (zealmovies .com) in TLS SNI (exploit_kit.rules)
  • 2066438 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gruntpo .cyou) (malware.rules)
  • 2066439 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gruntpo .cyou) in TLS SNI (malware.rules)
  • 2066440 - ET MALWARE Executable Downloaded From Common Stealer C2 Host (GET) (malware.rules)
  • 2066441 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .weightlosstonight .net) (malware.rules)
  • 2066442 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .weightlosstonight .net) (malware.rules)
  • 2066443 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
  • 2066444 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
  • 2066445 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)

Pro:

  • 2865452 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M1 2025-12-19 (phishing.rules)
  • 2865453 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M2 2025-12-19 (phishing.rules)
  • 2865454 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M3 2025-12-19 (phishing.rules)
  • 2865455 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M4 2025-12-19 (phishing.rules)
  • 2865456 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M5 2025-12-19 (phishing.rules)
  • 2865457 - ETPRO PHISHING UNK_ArmyDrive User Fingerprint Exil (phishing.rules)
  • 2865458 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page M6 2025-12-19 (phishing.rules)
  • 2865459 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865460 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865461 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865462 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865463 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865464 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865465 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865466 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865467 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865468 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865469 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865470 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865471 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865472 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865473 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865474 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865475 - ETPRO PHISHING UNK_ArmyDrive Redirect Activity (phishing.rules)
  • 2865476 - ETPRO HUNTING Observed Generic Phish Landing Page Inbound (hunting.rules)
  • 2865477 - ETPRO PHISHING UNK_ArmyDrive Phish Landing Page 2025-12-19 (phishing.rules)
  • 2865478 - ETPRO PHISHING Observed DNS Query to UNK_ArmyDrive Domain (phishing.rules)
  • 2865479 - ETPRO PHISHING Observed UNK_ArmyDrive Domain in TLS SNI (phishing.rules)
  • 2865480 - ETPRO PHISHING UNK_ArmyDrive Successful Credential Phish 2025-12-22 (phishing.rules)

Modified inactive rules:

  • 2000031 - ET EXPLOIT CVS server heap overflow attempt (target BSD) (exploit.rules)
  • 2003199 - ET EXPLOIT TFTP Invalid Mode in file Put (exploit.rules)
  • 2003310 - ET P2P Edonkey Publicize File (p2p.rules)
  • 2008370 - ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report (adware_pup.rules)
  • 2008405 - ET MALWARE Obitel trojan calling home (malware.rules)
  • 2009403 - ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2) (activex.rules)
  • 2013046 - ET MALWARE DLoader PWS Module Data Upload Activity (malware.rules)
  • 2014264 - ET POLICY IP Geo Location Request (policy.rules)
  • 2014265 - ET POLICY IP geo location service response (policy.rules)
  • 2014829 - ET CURRENT_EVENTS Post Express Spam Inbound (current_events.rules)
  • 2015688 - ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg) (current_events.rules)
  • 2016412 - ET EXPLOIT_KIT TDS Vdele (exploit_kit.rules)
  • 2016858 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) (malware.rules)
  • 2017254 - ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura) (exploit_kit.rules)
  • 2017634 - ET EXPLOIT_KIT Sweet Orange Landing Page Oct 25 2013 (exploit_kit.rules)
  • 2018011 - ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013 (exploit_kit.rules)
  • 2019147 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019604 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2021931 - ET MALWARE MSIL/Banker.M Downloading Binary from SQL (malware.rules)
  • 2022132 - ET MALWARE Rincux CnC (malware.rules)
  • 2101445 - GPL FTP FTP file_id.diz access possible warez site (ftp.rules)
  • 2102033 - GPL RPC ypserv maplist request UDP (rpc.rules)
  • 2103021 - GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt (netbios.rules)
  • 2800172 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 1 (exploit.rules)
  • 2801189 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x3D (exploit.rules)
  • 2801308 - ETPRO MALWARE Trojan.Win32.Bohu.A check in (malware.rules)
  • 2801403 - ETPRO ADWARE_PUP Trymedia Related Executable Download (adware_pup.rules)
  • 2802890 - ETPRO EXPLOIT McAfee Firewall Reporter isValidClient Remote Code Execution (exploit.rules)
  • 2803427 - ETPRO MALWARE Common Trojan Header Pattern Accept with double slash (malware.rules)
  • 2803741 - ETPRO MALWARE Backdoor.Win32.Dekara.A Checkin (malware.rules)
  • 2804653 - ETPRO MALWARE Win32/Rorpian.B Checkin (malware.rules)
  • 2809388 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
  • 2809639 - ETPRO MALWARE Kakfum Possible DNS Query 1 (malware.rules)
  • 2811081 - ETPRO MALWARE Pontoeb .onion Proxy Domain (malware.rules)
  • 2814482 - ETPRO MALWARE Njogv/Joggver Backdoor SSL Client Hello (malware.rules)
  • 2814881 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.hr Checkin (mobile_malware.rules)
  • 2820192 - ETPRO MALWARE Win32/PaySafeCrypt Ransomware .onion Proxy Domain (malware.rules)