Ruleset Update Summary - 2026/01/13 - v11102

Ruleset Updates
1

Summary:

30 new OPEN, 39 new PRO (30 + 9)

Added rules:

Open:

  • 2066714 - ET INFO Landing Page with Form Exfil to submit-form .com (info.rules)
  • 2066715 - ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691) (web_specific_apps.rules)
  • 2066716 - ET INFO DYNAMIC_DNS Query to a *.brb .dj domain (info.rules)
  • 2066717 - ET INFO DYNAMIC_DNS HTTP Request to a *.brb .dj domain (info.rules)
  • 2066718 - ET INFO DYNAMIC_DNS Query to a *.psychology48 .com domain (info.rules)
  • 2066719 - ET INFO DYNAMIC_DNS HTTP Request to a *.psychology48 .com domain (info.rules)
  • 2066720 - ET INFO DYNAMIC_DNS Query to a *.ddos .im domain (info.rules)
  • 2066721 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddos .im domain (info.rules)
  • 2066722 - ET INFO DYNAMIC_DNS Query to a *.tvlinux .com domain (info.rules)
  • 2066723 - ET INFO DYNAMIC_DNS HTTP Request to a *.tvlinux .com domain (info.rules)
  • 2066724 - ET INFO DYNAMIC_DNS Query to a *.thenme .net domain (info.rules)
  • 2066725 - ET INFO DYNAMIC_DNS HTTP Request to a *.thenme .net domain (info.rules)
  • 2066726 - ET INFO DYNAMIC_DNS Query to a *.cvr .co .id domain (info.rules)
  • 2066727 - ET INFO DYNAMIC_DNS HTTP Request to a *.cvr .co .id domain (info.rules)
  • 2066728 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (concentrationbraggy .shop) (malware.rules)
  • 2066729 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (concentrationbraggy .shop) in TLS SNI (malware.rules)
  • 2066730 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (solfson .com) (exploit_kit.rules)
  • 2066731 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (remaxbemidji .com) (exploit_kit.rules)
  • 2066732 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (solfson .com) (exploit_kit.rules)
  • 2066733 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (remaxbemidji .com) (exploit_kit.rules)
  • 2066734 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (export .galmabuna .com) (malware.rules)
  • 2066735 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (docs .exitdriving .school) (malware.rules)
  • 2066736 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (gallery .lorellaparis .com) (malware.rules)
  • 2066737 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (export .galmabuna .com) (malware.rules)
  • 2066738 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (docs .exitdriving .school) (malware.rules)
  • 2066739 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (gallery .lorellaparis .com) (malware.rules)
  • 2066740 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yepork .com) (exploit_kit.rules)
  • 2066741 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (portwinejoke .icu) (exploit_kit.rules)
  • 2066742 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yepork .com) (exploit_kit.rules)
  • 2066743 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (portwinejoke .icu) (exploit_kit.rules)

Pro:

  • 2865616 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865617 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865618 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865619 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865620 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)
  • 2865621 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)
  • 2865622 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)
  • 2865623 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)
  • 2865624 - ETPRO MALWARE Wadworth Bot CnC Activity (POST) (malware.rules)

Modified inactive rules:

  • 2019153 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2809215 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Binv.a Checkin (mobile_malware.rules)