Ruleset Update Summary - 2026/01/21 - v11108

Summary:

54 new OPEN, 64 new PRO (54 + 10)


Added rules:

Open:

  • 2066874 - ET INFO Free Hosting Domain (csb .app) in DNS Lookup (info.rules)
  • 2066875 - ET INFO Observed Free Hosting Domain (csb .app) in TLS SNI (info.rules)
  • 2066876 - ET INFO Free Hosting Domain (codesandbox .io) in DNS Lookup (info.rules)
  • 2066877 - ET INFO Observed Free Hosting Domain (codesandbox .io) in TLS SNI (info.rules)
  • 2066878 - ET PHISHING EvilNginx Fake Captcha Page Request (phishing.rules)
  • 2066879 - ET PHISHING EvilGinX Fake Captcha JS Resource Request (phishing.rules)
  • 2066880 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (medhrrst .com) (exploit_kit.rules)
  • 2066881 - ET EXPLOIT_KIT LandUpdate808 Domain (medhrrst .com) in TLS SNI (exploit_kit.rules)
  • 2066882 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (winnheiser .com) (exploit_kit.rules)
  • 2066883 - ET EXPLOIT_KIT LandUpdate808 Domain (winnheiser .com) in TLS SNI (exploit_kit.rules)
  • 2066884 - ET PHISHING EvilGinX Fake Captcha Landing Page (phishing.rules)
  • 2066885 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (glot .io) (info.rules)
  • 2066886 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (codeocean .com) (info.rules)
  • 2066887 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (deepnote .com) (info.rules)
  • 2066888 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (hex .tech) (info.rules)
  • 2066889 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (onlinegdb .com) (info.rules)
  • 2066890 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (slater .app) (info.rules)
  • 2066891 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (codeanywhere .com) (info.rules)
  • 2066892 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (shiftedit .net) (info.rules)
  • 2066893 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (paiza .jp) (info.rules)
  • 2066894 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (codio .com) (info.rules)
  • 2066895 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (godbolt .org) (info.rules)
  • 2066896 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (onecompiler .com) (info.rules)
  • 2066897 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (paiza .io) (info.rules)
  • 2066898 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (pythonanywhere .com) (info.rules)
  • 2066899 - ET PHISHING EvilGinX Fake Captcha Landing Page (phishing.rules)
  • 2066900 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (imbalanceposib .com) (exploit_kit.rules)
  • 2066901 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (imbalanceposib .com) (exploit_kit.rules)
  • 2066902 - ET INFO Observed Cloud IDE/Code Hosting Domain (glot .io) in TLS SNI (info.rules)
  • 2066903 - ET INFO Observed Cloud IDE/Code Hosting Domain (codeocean .com) in TLS SNI (info.rules)
  • 2066904 - ET INFO Observed Cloud IDE/Code Hosting Domain (deepnote .com) in TLS SNI (info.rules)
  • 2066905 - ET INFO Observed Cloud IDE/Code Hosting Domain (hex .tech) in TLS SNI (info.rules)
  • 2066906 - ET INFO Observed Cloud IDE/Code Hosting Domain (onlinegdb .com) in TLS SNI (info.rules)
  • 2066907 - ET INFO Observed Cloud IDE/Code Hosting Domain (slater .app) in TLS SNI (info.rules)
  • 2066908 - ET INFO Observed Cloud IDE/Code Hosting Domain (codeanywhere .com) in TLS SNI (info.rules)
  • 2066909 - ET INFO Observed Cloud IDE/Code Hosting Domain (shiftedit .net) in TLS SNI (info.rules)
  • 2066910 - ET INFO Observed Cloud IDE/Code Hosting Domain (paiza .jp) in TLS SNI (info.rules)
  • 2066911 - ET INFO Observed Cloud IDE/Code Hosting Domain (codio .com) in TLS SNI (info.rules)
  • 2066912 - ET INFO Observed Cloud IDE/Code Hosting Domain (godbolt .org) in TLS SNI (info.rules)
  • 2066913 - ET INFO Observed Cloud IDE/Code Hosting Domain (onecompiler .com) in TLS SNI (info.rules)
  • 2066914 - ET INFO Observed Cloud IDE/Code Hosting Domain (paiza .io) in TLS SNI (info.rules)
  • 2066915 - ET INFO Observed Cloud IDE/Code Hosting Domain (pythonanywhere .com) in TLS SNI (info.rules)
  • 2066916 - ET PHISHING Observed DNS Query to EvilGinX Domain (jungfraubahn .info) (phishing.rules)
  • 2066917 - ET PHISHING Observed DNS Query to EvilGinX Domain (coaldale .info) (phishing.rules)
  • 2066918 - ET PHISHING Observed DNS Query to EvilGinX Domain (shashin-haiku .info) (phishing.rules)
  • 2066919 - ET PHISHING Observed DNS Query to EvilGinX Domain (sunsweet .info) (phishing.rules)
  • 2066920 - ET PHISHING Observed DNS Query to EvilGinX Domain (geraeteverleih .info) (phishing.rules)
  • 2066921 - ET PHISHING Observed DNS Query to EvilGinX Domain (in-bayern .info) (phishing.rules)
  • 2066922 - ET PHISHING Observed EvilGinX Domain (jungfraubahn .info in TLS SNI) (phishing.rules)
  • 2066923 - ET PHISHING Observed EvilGinX Domain (coaldale .info in TLS SNI) (phishing.rules)
  • 2066924 - ET PHISHING Observed EvilGinX Domain (shashin-haiku .info in TLS SNI) (phishing.rules)
  • 2066925 - ET PHISHING Observed EvilGinX Domain (sunsweet .info in TLS SNI) (phishing.rules)
  • 2066926 - ET PHISHING Observed EvilGinX Domain (geraeteverleih .info in TLS SNI) (phishing.rules)
  • 2066927 - ET PHISHING Observed EvilGinX Domain (in-bayern .info in TLS SNI) (phishing.rules)

Pro:

  • 2865795 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865796 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865797 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865798 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865799 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865800 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865801 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865802 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865803 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865804 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
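To confirm that the SIDs listed above actually landed in a deployed ruleset, here is a small audit script written for this page (an added example, not Proofpoint/ET or suricata-update code). It assumes the summary keeps the "  • <sid> - <msg> (<file>.rules)" line shape shown above, that the local rules file is in Suricata syntax with a `sid:<n>;` keyword, and that disabled rules are commented out with a leading `#` the way suricata-update writes them; both the summary excerpt and the rules file below are constructed samples. Note that domains in rule titles are defanged with a space before the TLD (`csb .app`), so they should not be pasted into blocklists as-is.

```python
"""Audit an ET ruleset update summary against a deployed Suricata rules file.

Added example, not ET/Proofpoint code. Assumptions: summary lines look like
"  • <sid> - <msg> (<file>.rules)", the deployed file uses "sid:<n>;", and
disabled rules are commented out with a leading "#" (suricata-update style).
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the update summary on this page (not the full list).
UPDATE_SUMMARY = """\
Open:

  • 2066874 - ET INFO Free Hosting Domain (csb .app) in DNS Lookup (info.rules)
  • 2066878 - ET PHISHING EvilNginx Fake Captcha Page Request (phishing.rules)
  • 2066880 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (medhrrst .com) (exploit_kit.rules)
  • 2066885 - ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (glot .io) (info.rules)

Pro:

  • 2865795 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
"""

# Constructed stand-in for a deployed suricata.rules; rule bodies are placeholders,
# only the sid: keyword and the leading "#" (disabled) matter for this check.
DEPLOYED_RULES = """\
alert dns any any -> any any (msg:"ET INFO Free Hosting Domain (csb .app) in DNS Lookup"; sid:2066874; rev:1;)
# alert dns any any -> any any (msg:"ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (glot .io)"; sid:2066885; rev:1;)
alert http any any -> any any (msg:"ET PHISHING EvilNginx Fake Captcha Page Request"; sid:2066878; rev:1;)
"""

SUMMARY_LINE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\(([\w.]+\.rules)\)\s*$")
SID_KEYWORD = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_PREFIX = re.compile(r"^(ET|ETPRO)\s+([A-Z_]+)\b")


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    rules_file: str
    tier: str       # "Open" or "Pro"
    category: str   # INFO, PHISHING, EXPLOIT_KIT, MALWARE, ...


def parse_summary(text):
    """Return the rules listed in an update summary, tagged Open/Pro and by category."""
    tier = "Open"
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Open:", "Pro:"):
            tier = stripped[:-1]
            continue
        m = SUMMARY_LINE.match(line)
        if not m:
            continue
        sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
        prefix = MSG_PREFIX.match(msg)
        category = prefix.group(2) if prefix else "UNKNOWN"
        rules.append(Rule(sid, msg, rules_file, tier, category))
    return rules


def deployed_sids(rules_text):
    """Split the SIDs in a Suricata rules file into enabled and disabled (commented) sets."""
    enabled, disabled = set(), set()
    for line in rules_text.splitlines():
        m = SID_KEYWORD.search(line)
        if not m:
            continue
        target = disabled if line.lstrip().startswith("#") else enabled
        target.add(int(m.group(1)))
    return enabled, disabled


def audit(summary_rules, rules_text):
    """Which SIDs from the update are live, commented out, or absent in the deployed file."""
    enabled, disabled = deployed_sids(rules_text)
    wanted = {r.sid for r in summary_rules}
    return {
        "enabled": wanted & enabled,
        "disabled": wanted & disabled,
        "missing": wanted - enabled - disabled,
    }


def disable_conf(summary_rules, categories):
    """suricata-update disable.conf lines (one bare SID per line, title as a comment above it)."""
    out = []
    for r in sorted(summary_rules, key=lambda x: x.sid):
        if r.category in categories:
            out.append(f"# {r.msg}")
            out.append(str(r.sid))
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    rules = parse_summary(UPDATE_SUMMARY)
    for state, sids in audit(rules, DEPLOYED_RULES).items():
        print(f"{state:9} {sorted(sids)}")
    print(disable_conf(rules, {"INFO"}), end="")
```

Two caveats when running this against a real `suricata.rules`: ETPRO SIDs (the 28xxxxx block listed under Pro) will always show up as missing without an ETPRO subscription, and the ET INFO rules for free hosting and cloud IDE domains are informational by design, so in a developer-heavy network they are candidates for the generated disable.conf (or a threshold) rather than for paging anyone.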