Ruleset Update Summary - 2026/01/15 - v11104

rulesbot · January 15, 2026, 9:56pm

Summary:

31 new OPEN, 31 new PRO (31 + 0)

Thanks @tetsuoai, @James_inthe_box, @sysdig

Please be aware next Monday (Jan 19) is a US holiday. There will be no rule releases on this day. Daily rule releases will recommence afterwards.

Added rules:

Open:

2066758 - ET PHISHING IPFS Resource Executing from Memory Defined Script Tag (phishing.rules)
2066759 - ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675) (web_specific_apps.rules)
2066760 - ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675) (web_specific_apps.rules)
2066761 - ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675) (web_specific_apps.rules)
2066762 - ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675) (web_specific_apps.rules)
2066763 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (cerkery .com) (exploit_kit.rules)
2066764 - ET EXPLOIT_KIT LandUpdate808 Domain (cerkery .com) in TLS SNI (exploit_kit.rules)
2066765 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coverxyzer .su) (malware.rules)
2066766 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (coverxyzer .su) in TLS SNI (malware.rules)
2066767 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (endoste .cyou) (malware.rules)
2066768 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (endoste .cyou) in TLS SNI (malware.rules)
2066769 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soupinterestoe .fun) (malware.rules)
2066770 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soupinterestoe .fun) in TLS SNI (malware.rules)
2066771 - ET WEB_SPECIFIC_APPS Apache Struts2 XWork Component XML External Entity (XXE) injection (CVE-2025-68493) (web_specific_apps.rules)
2066772 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .diasporanexus .org) (malware.rules)
2066773 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (getinvolved .bukrilegacyfoundation .org) (malware.rules)
2066774 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .diasporanexus .org) (malware.rules)
2066775 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (getinvolved .bukrilegacyfoundation .org) (malware.rules)
2066776 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (meeller .com) (exploit_kit.rules)
2066777 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (bechtellr .com) (exploit_kit.rules)
2066778 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (meeller .com) (exploit_kit.rules)
2066779 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (bechtellr .com) (exploit_kit.rules)
2066780 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ebultras .com) (exploit_kit.rules)
2066781 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (baretteexpressions .com) (exploit_kit.rules)
2066782 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ebultras .com) (exploit_kit.rules)
2066783 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (baretteexpressions .com) (exploit_kit.rules)
2066784 - ET PHISHING Wallet Drainer CnC Domain in DNS Lookup (psyopanime .net) (phishing.rules)
2066785 - ET PHISHING Observed Wallet Drainer Domain (psyopanime .net in TLS SNI) (phishing.rules)
2066786 - ET MALWARE Observed DNS Query to ZeroTrace Domain (wittenhorst .eu) (malware.rules)
2066787 - ET MALWARE Observed ZeroTrace Domain (wittenhorst .eu in TLS SNI) (malware.rules)
2066788 - ET INFO Landing Page Executing Memory Defined Script Tag (info.rules)

Modified inactive rules:

2002065 - ET EXPLOIT Veritas backupexec_agent exploit (exploit.rules)
2003472 - ET ADWARE_PUP DelFin Project Spyware (setup-alt) (adware_pup.rules)
2003672 - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt – mod_image_index.php config pathMod (web_specific_apps.rules)
2003907 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt – download.php id (web_specific_apps.rules)
2009553 - ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST (malware.rules)
2010224 - ET MALWARE Opachki Link Hijacker Traffic Redirection (malware.rules)
2101610 - GPL EXPLOIT formmail arbitrary command execution attempt (exploit.rules)
2800181 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 10 (exploit.rules)
2800435 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express Backup Heap Corruption 3 (exploit.rules)

Disabled and modified rules:

2064095 - ET WEB_SPECIFIC_APPS UTT ConfigWirelessBase ssid Parameter Buffer Overflow Attempt (web_specific_apps.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/01/14 - v11103 Ruleset Updates	31	January 14, 2026
Ruleset Update Summary - 2025/11/26 - v11071 Ruleset Updates	69	November 26, 2025
Ruleset Update Summary - 2025/10/30 - v11052 Ruleset Updates	62	October 30, 2025
Ruleset Update Summary - 2025/05/22 - v10933 Ruleset Updates	156	May 22, 2025
Ruleset Update Summary - 2025/03/11 - v10876 Ruleset Updates	153	March 11, 2025

Ruleset Update Summary - 2026/01/15 - v11104

Summary:

Added rules:

Open:

Modified inactive rules:

Disabled and modified rules:

Related topics