Ruleset Update Summary - 2026/01/23 - v11110

Summary:

84 new OPEN, 93 new PRO (84 + 9)


Added rules:

Open:

  • 2066991 - ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621) (web_specific_apps.rules)
  • 2066992 - ET INFO Pastebin-like Service Domain in DNS Lookup (fragbin .com) (info.rules)
  • 2066993 - ET INFO Pastebin-like Service Domain in DNS Lookup (pasteshare .ninja) (info.rules)
  • 2066994 - ET INFO Pastebin-like Service Domain in DNS Lookup (pythonmorsels .com) (info.rules)
  • 2066995 - ET INFO Pastebin-like Service Domain in DNS Lookup (codebin .cc) (info.rules)
  • 2066996 - ET INFO Pastebin-like Service Domain in DNS Lookup (pastefy .app) (info.rules)
  • 2066997 - ET INFO Pastebin-like Service Domain in DNS Lookup (ctrlv .codes) (info.rules)
  • 2066998 - ET INFO Pastebin-like Service Domain in DNS Lookup (coderstool .com) (info.rules)
  • 2066999 - ET INFO Pastebin-like Service Domain in DNS Lookup (devbeaver .com) (info.rules)
  • 2067000 - ET INFO Pastebin-like Service Domain in DNS Lookup (pastepool .com) (info.rules)
  • 2067001 - ET INFO Pastebin-like Service Domain in DNS Lookup (mypaste .dev) (info.rules)
  • 2067002 - ET INFO Pastebin-like Service Domain in DNS Lookup (pastevoid .com) (info.rules)
  • 2067003 - ET INFO Pastebin-like Service Domain in DNS Lookup (copyandshare .com) (info.rules)
  • 2067004 - ET INFO Pastebin-like Service Domain in DNS Lookup (pastezen .com) (info.rules)
  • 2067005 - ET INFO Pastebin-like Service Domain in DNS Lookup (ctxt .io) (info.rules)
  • 2067006 - ET INFO Observed Pastebin-like Service (fragbin .com) in TLS SNI (info.rules)
  • 2067007 - ET INFO Observed Pastebin-like Service (pasteshare .ninja) in TLS SNI (info.rules)
  • 2067008 - ET INFO Observed Pastebin-like Service (pythonmorsels .com) in TLS SNI (info.rules)
  • 2067009 - ET INFO Observed Pastebin-like Service (codebin .cc) in TLS SNI (info.rules)
  • 2067010 - ET INFO Observed Pastebin-like Service (pastefy .app) in TLS SNI (info.rules)
  • 2067011 - ET INFO Observed Pastebin-like Service (ctrlv .codes) in TLS SNI (info.rules)
  • 2067012 - ET INFO Observed Pastebin-like Service (coderstool .com) in TLS SNI (info.rules)
  • 2067013 - ET INFO Observed Pastebin-like Service (devbeaver .com) in TLS SNI (info.rules)
  • 2067014 - ET INFO Observed Pastebin-like Service (pastepool .com) in TLS SNI (info.rules)
  • 2067015 - ET INFO Observed Pastebin-like Service (mypaste .dev) in TLS SNI (info.rules)
  • 2067016 - ET INFO Observed Pastebin-like Service (pastevoid .com) in TLS SNI (info.rules)
  • 2067017 - ET INFO Observed Pastebin-like Service (copyandshare .com) in TLS SNI (info.rules)
  • 2067018 - ET INFO Observed Pastebin-like Service (pastezen .com) in TLS SNI (info.rules)
  • 2067019 - ET INFO Observed Pastebin-like Service (ctxt .io) in TLS SNI (info.rules)
  • 2067020 - ET MALWARE GET Request to Common Payload Delivery Source (Multiple Stealers) (malware.rules)
  • 2067021 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (palacecirwoos .shop) (malware.rules)
  • 2067022 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (palacecirwoos .shop) in TLS SNI (malware.rules)
  • 2067023 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yarddrq .cyou) (malware.rules)
  • 2067024 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yarddrq .cyou) in TLS SNI (malware.rules)
  • 2067025 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhookinbox .com) (info.rules)
  • 2067026 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (hookdeck .com) (info.rules)
  • 2067027 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (requestcatcher .com) (info.rules)
  • 2067028 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhookrelay .com) (info.rules)
  • 2067029 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (mockly .me) (info.rules)
  • 2067030 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (emailhook .site) (info.rules)
  • 2067031 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (postb .in) (info.rules)
  • 2067032 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (dnshook .site) (info.rules)
  • 2067033 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhook .cool) (info.rules)
  • 2067034 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (putsreq .com) (info.rules)
  • 2067035 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhooklistener .cloud) (info.rules)
  • 2067036 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (pipedream .com) (info.rules)
  • 2067037 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhookcatcher .com) (info.rules)
  • 2067038 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhook-test .com) (info.rules)
  • 2067039 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (mockoon .app) (info.rules)
  • 2067040 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhook .site) (info.rules)
  • 2067041 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (svix .com) (info.rules)
  • 2067042 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (wiremock .cloud) (info.rules)
  • 2067043 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (webhookapp .dev) (info.rules)
  • 2067044 - ET INFO DNS Query for Webhook/HTTP Request Inspection Service (hookbin .com) (info.rules)
  • 2067045 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhookinbox .com) in TLS SNI (info.rules)
  • 2067046 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (hookdeck .com) in TLS SNI (info.rules)
  • 2067047 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (requestcatcher .com) in TLS SNI (info.rules)
  • 2067048 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhookrelay .com) in TLS SNI (info.rules)
  • 2067049 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (mockly .me) in TLS SNI (info.rules)
  • 2067050 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (emailhook .site) in TLS SNI (info.rules)
  • 2067051 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (postb .in) in TLS SNI (info.rules)
  • 2067052 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (dnshook .site) in TLS SNI (info.rules)
  • 2067053 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhook .cool) in TLS SNI (info.rules)
  • 2067054 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (putsreq .com) in TLS SNI (info.rules)
  • 2067055 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhooklistener .cloud) in TLS SNI (info.rules)
  • 2067056 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (pipedream .com) in TLS SNI (info.rules)
  • 2067057 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhookcatcher .com) in TLS SNI (info.rules)
  • 2067058 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhook-test .com) in TLS SNI (info.rules)
  • 2067059 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (mockoon .app) in TLS SNI (info.rules)
  • 2067060 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhook .site) in TLS SNI (info.rules)
  • 2067061 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (svix .com) in TLS SNI (info.rules)
  • 2067062 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (wiremock .cloud) in TLS SNI (info.rules)
  • 2067063 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (webhookapp .dev) in TLS SNI (info.rules)
  • 2067064 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (hookbin .com) in TLS SNI (info.rules)
  • 2067065 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jaskolkki .com) (exploit_kit.rules)
  • 2067066 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jaskolkki .com) (exploit_kit.rules)
  • 2067067 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (app .tatatech .co) (malware.rules)
  • 2067068 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (app .tatatech .co) (malware.rules)
  • 2067069 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (helsibreak .com) (exploit_kit.rules)
  • 2067070 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (helsibreak .com) (exploit_kit.rules)
  • 2067071 - ET INFO URL Shortener Service Domain in DNS Lookup (shorter .me) (info.rules)
  • 2067072 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (msp360 .com) (info.rules)
  • 2067073 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (msp360 .com) (info.rules)
  • 2067074 - ET INFO Observed URL Shortener Service Domain (shorter .me) in TLS SNI (info.rules)

Pro:

  • 2865806 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Remote Console Inbound (malware.rules)
  • 2865807 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Admin Request Inbound (malware.rules)
  • 2865808 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Browser Extract Inbound (malware.rules)
  • 2865809 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT File Management Inbound (malware.rules)
  • 2865810 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Messager Extract Inbound (malware.rules)
  • 2865811 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Remote Screen Capture Inbound (malware.rules)
  • 2865812 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Remote Fake Desktop Inbound (malware.rules)
  • 2865813 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Client Update Inbound (malware.rules)
  • 2865814 - ETPRO WEB_SERVER GNU InetUtils Authentication Bypass via USER Environment Variable (CVE-2026-24061) (web_server.rules)

Modified inactive rules:

  • 2809536 - ETPRO MALWARE Backdoor.Linux.Mayday Checkin (malware.rules)

Disabled and modified rules:

  • 2066986 - ET INFO Observed Free Hosting Domain (my-board .org) in TLS SNI (info.rules)

Removed rules:

  • 2065887 - ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562) (web_specific_apps.rules)
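As an added example (not part of this summary and not Emerging Threats or Proofpoint tooling), the following Python script parses the summary format above into structured records so a detection engineer can triage a release without reading every bullet: it cross-checks the "N new OPEN, M new PRO (N + K)" line against the bullets, pulls CVE identifiers and re-fangs the defanged domains, lists the added rules outside the noisy INFO category, and pairs a removed rule with the added rule that re-issues the same message under a new SID (here 2065887 replaced by 2066991). The sample input is constructed from a subset of the lines above; its count line is adjusted to that subset (3 + 2 rather than 84 + 9), and the section names and bullet shape are assumed to be stable across releases.

```python
"""Parse an Emerging Threats "Ruleset Update Summary" into structured records.

Added example, not ET/Proofpoint code. Assumed layout: a title line, a
"N new OPEN, M new PRO (N + K)" line, section headers ending in ":" ("Added
rules:", "Open:", "Pro:", "Removed rules:", ...) and bullet lines shaped
    • <sid> - <msg> (<rulefile>)
with domains defanged as "example .com".
"""
import re
from collections import Counter

# Constructed sample: a subset of the real summary's lines, with the count
# line rewritten to match the subset (the real release says 84 + 9).
SAMPLE = """\
Ruleset Update Summary - 2026/01/23 - v11110

Summary:

3 new OPEN, 5 new PRO (3 + 2)

Added rules:

Open:

  • 2066991 - ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621) (web_specific_apps.rules)
  • 2066992 - ET INFO Pastebin-like Service Domain in DNS Lookup (fragbin .com) (info.rules)
  • 2067021 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (palacecirwoos .shop) (malware.rules)

Pro:

  • 2865806 - ETPRO MALWARE PLUGGYAPE.V2 Backdoor MQTT Remote Console Inbound (malware.rules)
  • 2865814 - ETPRO WEB_SERVER GNU InetUtils Authentication Bypass via USER Environment Variable (CVE-2026-24061) (web_server.rules)

Modified inactive rules:

  • 2809536 - ETPRO MALWARE Backdoor.Linux.Mayday Checkin (malware.rules)

Disabled and modified rules:

  • 2066986 - ET INFO Observed Free Hosting Domain (my-board .org) in TLS SNI (info.rules)

Removed rules:

  • 2065887 - ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562) (web_specific_apps.rules)
"""

TITLE = re.compile(r"Ruleset Update Summary - (\S+) - v(\d+)")
SUMMARY = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
BULLET = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*)\s+\((\S+\.rules)\)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_GROUP = re.compile(r"\s*\((?:CVE-\d{4}-\d{4,}(?:,\s*)?)+\)")
DEFANGED = re.compile(r"\(([a-z0-9-]+(?:\s\.[a-z0-9-]+)+)\)")  # "(fragbin .com)"


def parse_summary(text):
    """Return (header, records). A record carries sid, action (section name),
    source ("open"/"pro"), category ("INFO", "MALWARE", ...), msg, rulefile,
    cves and re-fanged domains."""
    header, records, action, source = {}, [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if m := TITLE.search(stripped):
            header.update(date=m[1], version=m[2])
        elif m := SUMMARY.search(stripped):
            header.update(open=int(m[1]), pro=int(m[2]),
                          pro_open=int(m[3]), pro_only=int(m[4]))
        elif stripped.endswith(":"):
            name = stripped[:-1].lower()
            if name in ("open", "pro"):
                source = name                 # sub-section of "Added rules:"
            elif name != "summary":
                action, source = name, None   # new top-level section
        elif m := BULLET.match(line):
            sid, msg, rulefile = int(m[1]), m[2], m[3]
            prefix, category = msg.split(" ", 2)[:2]   # "ET INFO ..." / "ETPRO MALWARE ..."
            records.append({
                "sid": sid, "action": action,
                # Sections without Open:/Pro: sub-headers reveal the source via the prefix.
                "source": source or ("pro" if prefix == "ETPRO" else "open"),
                "category": category, "msg": msg, "rulefile": rulefile,
                "cves": CVE.findall(msg),
                "domains": [d.replace(" .", ".") for d in DEFANGED.findall(msg)],
            })
    return header, records


def check_counts(header, records):
    """Cross-check the count line against the bullets; returns (ok, counts seen)."""
    added = [r for r in records if r["action"] == "added rules"]
    seen = Counter(r["source"] for r in added)
    ok = (seen["open"] == header["open"] == header["pro_open"]
          and seen["pro"] == header["pro_only"]
          and header["pro"] == header["pro_open"] + header["pro_only"])
    return ok, dict(seen)


def high_signal(records, noisy=("INFO",)):
    """SIDs of added rules outside the noisy categories, in release order."""
    return [r["sid"] for r in records
            if r["action"] == "added rules" and r["category"] not in noisy]


def superseded(records):
    """Map removed SID -> added SID whose message is identical once the CVE
    list is ignored, i.e. a rule re-issued with an updated CVE reference."""
    key = lambda r: CVE_GROUP.sub("", r["msg"]).strip()
    added = {key(r): r["sid"] for r in records if r["action"] == "added rules"}
    return {r["sid"]: added[key(r)] for r in records
            if r["action"] == "removed rules" and key(r) in added}


if __name__ == "__main__":
    hdr, recs = parse_summary(SAMPLE)
    print(hdr, check_counts(hdr, recs), high_signal(recs), superseded(recs))
```

Running it against a full release file instead of SAMPLE is a one-line change (read the file into `parse_summary`); a count mismatch or an unexpected section name then points at a layout change worth a look before any automated SID-to-ticket workflow trusts the file.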