Ruleset Update Summary - 2026/01/05 - v11096

Ruleset Updates
1

Summary:

31 new OPEN, 33 new PRO (31 + 2)

Added rules:

Open:

  • 2066560 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (recitebl .cyou) (malware.rules)
  • 2066561 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (recitebl .cyou) in TLS SNI (malware.rules)
  • 2066562 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genusstv .cyou) (malware.rules)
  • 2066563 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genusstv .cyou) in TLS SNI (malware.rules)
  • 2066564 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (statisnv .cyou) (malware.rules)
  • 2066565 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (statisnv .cyou) in TLS SNI (malware.rules)
  • 2066566 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (witchhyf .cyou) (malware.rules)
  • 2066567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (witchhyf .cyou) in TLS SNI (malware.rules)
  • 2066568 - ET WEB_SPECIFIC_APPS Beward fileread READ.filepath Parameter Arbitrary File Disclosure Attempt (CVE-2019-25246) (web_specific_apps.rules)
  • 2066569 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authentication Bypass & RCE (CVE-2025-4427) M2 (web_specific_apps.rules)
  • 2066570 - ET WEB_SPECIFIC_APPS Ivanti EPMM Authentication Bypass & RCE (CVE-2025-4427) M3 (web_specific_apps.rules)
  • 2066571 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (scrroeder .com) (exploit_kit.rules)
  • 2066572 - ET EXPLOIT_KIT LandUpdate808 Domain (scrroeder .com) in TLS SNI (exploit_kit.rules)
  • 2066573 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annonalc .cyou) (malware.rules)
  • 2066574 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (annonalc .cyou) in TLS SNI (malware.rules)
  • 2066575 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (porcupvu .cyou) (malware.rules)
  • 2066576 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (porcupvu .cyou) in TLS SNI (malware.rules)
  • 2066577 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sideruq .cyou) (malware.rules)
  • 2066578 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sideruq .cyou) in TLS SNI (malware.rules)
  • 2066579 - ET WEB_SPECIFIC_APPS sgwbox eshell COPY Parameter Directory Traversal Attempt (CVE-2025-14704) (web_specific_apps.rules)
  • 2066580 - ET WEB_SPECIFIC_APPS sgwbox eshell SHARESERVERCREATE Parameter Command Injection Attempt (CVE-2025-14705) (web_specific_apps.rules)
  • 2066581 - ET WEB_SPECIFIC_APPS sgwbox eshell NETREBOOT Parameter Command Injection Attempt (CVE-2025-14706) (web_specific_apps.rules)
  • 2066582 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (app .abuarerestaurant .net) (malware.rules)
  • 2066583 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (app .abuarerestaurant .net) (malware.rules)
  • 2066584 - ET MALWARE Observed DNS Query to StealC Payload Delivery Domain (servachok .space) (malware.rules)
  • 2066585 - ET PHISHING GhostFrame Phish Kit Request (phishing.rules)
  • 2066586 - ET WEB_SPECIFIC_APPS sgwbox eshell WIREDCFGGET Parameter Command Injection Attempt (CVE-2025-14708) (web_specific_apps.rules)
  • 2066587 - ET WEB_SPECIFIC_APPS sgwbox eshell WIRELESSCFGGET Parameter Command Injection Attempt (CVE-2025-14709) (web_specific_apps.rules)
  • 2066588 - ET WEB_SPECIFIC_APPS sgwbox eshell DOCKERARMI Parameter Command Injection Attempt (CVE-2025-14707) (web_specific_apps.rules)
  • 2066589 - ET MALWARE Observed StealC Payload Delivery Domain (servachok .space in TLS SNI) (malware.rules)
  • 2066590 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)

Pro:

  • 2865579 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865580 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001238 - ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt (web_specific_apps.rules)
  • 2001505 - ET ADWARE_PUP Smartpops.com Spyware Install rh.exe (adware_pup.rules)
  • 2003314 - ET P2P Edonkey Search Request (by file hash) (p2p.rules)
  • 2003315 - ET P2P Edonkey Search Reply (p2p.rules)
  • 2007653 - ET ATTACK_RESPONSE RFI Scanner detected (attack_response.rules)
  • 2007654 - ET ATTACK_RESPONSE C99 Modified phpshell detected (attack_response.rules)
  • 2007692 - ET MALWARE Basine Trojan Checkin (malware.rules)
  • 2009511 - ET EXPLOIT VLC web interface buffer overflow attempt (exploit.rules)
  • 2009756 - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2 (web_specific_apps.rules)
  • 2009894 - ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt (activex.rules)
  • 2011008 - ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF (policy.rules)
  • 2011012 - ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI (snmp.rules)
  • 2011241 - ET EXPLOIT M3U File Request Flowbit Set (exploit.rules)
  • 2014971 - ET CURRENT_EVENTS JS.Runfore Malware Campaign Request (current_events.rules)
  • 2015824 - ET MALWARE GeckaSeka User-Agent (malware.rules)
  • 2016860 - ET WEB_CLIENT Sweet Orange Landing Page May 16 2013 (web_client.rules)
  • 2017370 - ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL (current_events.rules)
  • 2019149 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019745 - ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014 (exploit_kit.rules)
  • 2024071 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2) (malware.rules)
  • 2024072 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2100525 - GPL POLICY udp port 0 traffic (policy.rules)
  • 2101326 - GPL SHELLCODE ssh CRC32 overflow NOOP (shellcode.rules)
  • 2103146 - GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (netbios.rules)
  • 2800176 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 5 (exploit.rules)
  • 2800430 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
  • 2800865 - ETPRO SQL IBM Informix Dynamic Server SQLEXEC oninit.exe EXPLAIN Stack Buffer Overflow (sql.rules)
  • 2801193 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x43 (exploit.rules)
  • 2801407 - ETPRO EXPLOIT IBM Lotus Domino LDAP Bind Request Integer Overflow (exploit.rules)
  • 2801585 - ETPRO NETBIOS Multiple Load Library Vulns ibfs32.dll - SMB Unicode (netbios.rules)
  • 2804032 - ETPRO MALWARE Win32/Bancos.DV Reporting via SMTP 3 (malware.rules)
  • 2804184 - ETPRO MALWARE Win32/Bividon.A Checkin (malware.rules)
  • 2804994 - ETPRO MALWARE Mal/Autorun-G Checkin (malware.rules)
  • 2805729 - ETPRO MALWARE liquid backdoor Checkin (malware.rules)
  • 2807820 - ETPRO MALWARE Backdoor.Win32.Hupigon Checkin (AMD) (malware.rules)
  • 2808100 - ETPRO MALWARE qq.com C2 response (malware.rules)
  • 2808648 - ETPRO MALWARE Backdoor.Win32.Stantinko.A Checkin 2 (malware.rules)
  • 2809530 - ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive (malware.rules)
  • 2809799 - ETPRO MALWARE TrojanSpy.MSIL/Golroted.A Checkin FTP 2 (malware.rules)
  • 2811843 - ETPRO MALWARE NanoCore RAT CnC 4 (malware.rules)
  • 2815621 - ETPRO MALWARE Sacto DNS Lookup (malware.rules)
  • 2816405 - ETPRO MALWARE Win32/Tepoyx Malicious SSL Certificate Detected (malware.rules)
  • 2819703 - ETPRO MOBILE_MALWARE Android/Agent.SY Checkin (mobile_malware.rules)
  • 2821046 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Agent.q Checkin (mobile_malware.rules)
  • 2826052 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)