Ruleset Update Summary - 2026/01/14 - v11103

Summary:

14 new OPEN, 57 new PRO (14 + 43)

Please be aware that next Monday (Jan 19) is a US holiday; there will be no rule release on that day. Daily rule releases will resume afterwards.


Added rules:

Open:

  • 2066744 - ET PHISHING Exfil to FormSpark Form from Netlify (phishing.rules)
  • 2066745 - ET INFO Exfil to FormSpark Form (info.rules)
  • 2066746 - ET EXPLOIT Fortinet FortiSIEM phMonitor Unauthenticated Argument Injection (CVE-2025-64155) (exploit.rules)
  • 2066747 - ET WEB_SPECIFIC_APPS TrendNet wizardset WizardConfigured Parameter Command Injection Attempt (CVE-2025-15136) (web_specific_apps.rules)
  • 2066748 - ET WEB_SPECIFIC_APPS TrendNet NTPSyncWithHost.cgi Command Injection Attempt (CVE-2025-15137) (web_specific_apps.rules)
  • 2066749 - ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835) (web_specific_apps.rules)
  • 2066750 - ET WEB_SPECIFIC_APPS TrendNet formWsc peerPin Parameter Command Injection Attempt (CVE-2025-15139) (web_specific_apps.rules)
  • 2066751 - ET WEB_SPECIFIC_APPS jsPDF Arbitrary File Read via Path Traversal PDF File Outbound (CVE-2025-68428) (web_specific_apps.rules)
  • 2066752 - ET WEB_SPECIFIC_APPS TrendNet formFSrvX SZCMD Parameter Command Injection Attempt (CVE-2025-15471) (web_specific_apps.rules)
  • 2066753 - ET WEB_SPECIFIC_APPS MindsDB Unauthenticated File Upload API Path Traversal (CVE-2025-68472) (web_specific_apps.rules)
  • 2066754 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inconzy .cyou) (malware.rules)
  • 2066755 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inconzy .cyou) in TLS SNI (malware.rules)
  • 2066756 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possuhb .cyou) (malware.rules)
  • 2066757 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (possuhb .cyou) in TLS SNI (malware.rules)

Pro:

  • 2865625 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865626 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865627 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865628 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865629 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865630 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865631 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865632 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865633 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865634 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865635 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865636 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865637 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865638 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865639 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865640 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865641 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865642 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865643 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865644 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865645 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865646 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2865647 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2865648 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2865649 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2865650 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865651 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2865652 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865653 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2865654 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865656 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2865657 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865658 - ETPRO HUNTING Common Tycoon 2FA Fake Captcha Landing Page Title (hunting.rules)
  • 2865659 - ETPRO PHISHING Tycoon 2FA Fake Captcha Landing Page (phishing.rules)
  • 2865660 - ETPRO PHISHING Tycoon 2FA Fake Captcha Landing Page (Press and Hold) (phishing.rules)
  • 2865661 - ETPRO PHISHING Tycoon 2FA Fake Captcha Landing Page (Drag and Drop) (phishing.rules)
  • 2865662 - ETPRO PHISHING Observed DNS Query to Tycoon2FA Domain (phishing.rules)
  • 2865663 - ETPRO PHISHING Observed Tycoon 2FA Domain in TLS SNI (phishing.rules)
  • 2865664 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865665 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)
  • 2865666 - ETPRO MALWARE Wadworth Bot CnC Activity (GET) (malware.rules)
  • 2865667 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Payload Staging (malware.rules)

Modified inactive rules:

  • 2021937 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021980 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022023 - ET VOIP Q.931 Call Setup - Inbound (voip.rules)
  • 2023554 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC) (malware.rules)
  • 2024076 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2813032 - ETPRO MALWARE Rovnix DNS Lookup (beliypoyas.ru) (malware.rules)
  • 2816001 - ETPRO MALWARE Win32/iSpySoft PWS Exfil via SMTP (malware.rules)

Disabled and modified rules:

  • 2065248 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (grossepointechamber .com) (malware.rules)
  • 2065255 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (grossepointechamber .com) (malware.rules)