Ruleset Update Summary - 2026/01/09 - v11100

Summary:

40 new OPEN, 41 new PRO (40 + 1)
Added rules:

Open:

  • 2066636 - ET MALWARE WeyhroC2 Heartbeat (malware.rules)
  • 2066637 - ET INFO QR Generator Domain in DNS Lookup (qr-generator .ai) (info.rules)
  • 2066638 - ET INFO QR Generator Domain in DNS Lookup (qr .pro) (info.rules)
  • 2066639 - ET INFO QR Generator Domain in DNS Lookup (online-qr-generator .com) (info.rules)
  • 2066640 - ET INFO QR Generator Domain in DNS Lookup (scan .page) (info.rules)
  • 2066641 - ET INFO QR Generator Domain in DNS Lookup (view .page) (info.rules)
  • 2066642 - ET INFO QR Generator Domain in DNS Lookup (scanned .page) (info.rules)
  • 2066643 - ET INFO QR Generator Domain in DNS Lookup (qr-code .io) (info.rules)
  • 2066644 - ET INFO QR Generator Domain in DNS Lookup (qr-code .click) (info.rules)
  • 2066645 - ET INFO Observed QR Generator Domain (qr-generator .ai in TLS SNI) (info.rules)
  • 2066646 - ET INFO Observed QR Generator Domain (qr .pro in TLS SNI) (info.rules)
  • 2066647 - ET INFO Observed QR Generator Domain (online-qr-generator .com in TLS SNI) (info.rules)
  • 2066648 - ET INFO Observed QR Generator Domain (scan .page in TLS SNI) (info.rules)
  • 2066649 - ET INFO Observed QR Generator Domain (view .page in TLS SNI) (info.rules)
  • 2066650 - ET INFO Observed QR Generator Domain (scanned .page in TLS SNI) (info.rules)
  • 2066651 - ET INFO Observed QR Generator Domain (qr-code .io in TLS SNI) (info.rules)
  • 2066652 - ET INFO Observed QR Generator Domain (qr-code .click in TLS SNI) (info.rules)
  • 2066653 - ET INFO Teramind RMM Domain (teramind .co) in DNS Lookup (info.rules)
  • 2066654 - ET INFO Observed Teramind RMM Domain (teramind .co) in TLS SNI (info.rules)
  • 2066655 - ET ATTACK_RESPONSE GETA RAT Obfuscated Payload Inbound (attack_response.rules)
  • 2066656 - ET WEB_SPECIFIC_APPS CouchCMS gen_dump.php Arbitrary File Read Attempt (CVE-2025-67004) (web_specific_apps.rules)
  • 2066657 - ET MALWARE DeskRAT Victim HeartBeat Response (malware.rules)
  • 2066658 - ET MALWARE DeskRAT CnC HeartBeat Request (malware.rules)
  • 2066659 - ET MALWARE DeskRAT CnC Welcome Message (malware.rules)
  • 2066660 - ET MALWARE DeskRAT CnC Command Inbound (browse_files) (malware.rules)
  • 2066661 - ET WEB_SPECIFIC_APPS Edimax setWAN pptpUserName Parameter Command Injection Attempt (CVE-2025-70161) (web_specific_apps.rules)
  • 2066662 - ET MALWARE DeskRAT CnC Command Inbound (Upload_execute) (malware.rules)
  • 2066663 - ET MALWARE MaskGramStealer Common Victim C2 Response (POST) (malware.rules)
  • 2066664 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mercedesheritage .com) (exploit_kit.rules)
  • 2066665 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (obsidianmidnight .top) (exploit_kit.rules)
  • 2066666 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pippyheydguide .com) (exploit_kit.rules)
  • 2066667 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mercedesheritage .com) (exploit_kit.rules)
  • 2066668 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (obsidianmidnight .top) (exploit_kit.rules)
  • 2066669 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pippyheydguide .com) (exploit_kit.rules)
  • 2066670 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (frttsch .com) (exploit_kit.rules)
  • 2066671 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (winrler .com) (exploit_kit.rules)
  • 2066672 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (predovec .com) (exploit_kit.rules)
  • 2066673 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (frttsch .com) (exploit_kit.rules)
  • 2066674 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (winrler .com) (exploit_kit.rules)
  • 2066675 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (predovec .com) (exploit_kit.rules)

Pro:

  • 2865596 - ETPRO JA3 Hash - Possible Teramind RMM Traffic (ja3.rules)

Modified inactive rules:

  • 2001513 - ET ADWARE_PUP Smartpops.com Spyware Update (adware_pup.rules)
  • 2002816 - ET ADWARE_PUP DelFin Project Spyware (payload) (adware_pup.rules)
  • 2007656 - ET ATTACK_RESPONSE ALBANIA id.php detected (attack_response.rules)
  • 2015818 - ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page (exploit_kit.rules)
  • 2017638 - ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure (current_events.rules)
  • 2019151 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2022021 - ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC) (malware.rules)
  • 2023476 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2024074 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2805731 - ETPRO MALWARE Trojan-PSW.Win32.QQDragon.y Checkin (malware.rules)
  • 2805919 - ETPRO MALWARE CryptoWall Check-in M3 (malware.rules)
  • 2807047 - ETPRO MALWARE Backdoor.Win32.GF.13x.A Response (malware.rules)
  • 2807545 - ETPRO MALWARE Backdoor.Win32.Cmjspy.aw Checkin (malware.rules)
  • 2808260 - ETPRO MOBILE_MALWARE Android/SMSreg.GS Checkin 2 (mobile_malware.rules)
  • 2808513 - ETPRO MOBILE_MALWARE Android/SmsSpy.AS Checkin 2 (mobile_malware.rules)
  • 2809099 - ETPRO MALWARE Trojan.Win32.KillProc.dfwkin DNS TXT Checkin Response (malware.rules)
  • 2820840 - ETPRO EXPLOIT_KIT SunDown EK Flash Exploit M2 June 20 2016 (exploit_kit.rules)
  • 2821878 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2822228 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Agent.be Checkin (mobile_malware.rules)
  • 2823704 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2824743 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Sadpor.f Checkin (mobile_malware.rules)