Ruleset Update Summary - 2026/01/26 - v11111

Summary:

39 new OPEN, 40 new PRO (39 + 1)
Added rules:

Open:

  • 2067075 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (joblkessprosgeow .shop) (malware.rules)
  • 2067076 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (joblkessprosgeow .shop) in TLS SNI (malware.rules)
  • 2067077 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trichoi .cyou) (malware.rules)
  • 2067078 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trichoi .cyou) in TLS SNI (malware.rules)
  • 2067079 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bemuseqy .cyou) (malware.rules)
  • 2067080 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bemuseqy .cyou) in TLS SNI (malware.rules)
  • 2067081 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lacevcnt .cyou) (malware.rules)
  • 2067082 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lacevcnt .cyou) in TLS SNI (malware.rules)
  • 2067083 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prezud .top) (malware.rules)
  • 2067084 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (prezud .top) in TLS SNI (malware.rules)
  • 2067085 - ET INFO NTLM Session Setup Request - Negotiate (info.rules)
  • 2067086 - ET INFO NTLMv1 Session Setup Response - Challenge (info.rules)
  • 2067087 - ET INFO NTLM Session Setup Request - Auth (info.rules)
  • 2067088 - ET WEB_SPECIFIC_APPS D-Link setDayNightMode LightSensorControl Parameter Command Injection Attempt (CVE-2026-1419) (web_specific_apps.rules)
  • 2067089 - ET WEB_SPECIFIC_APPS D-Link set_wifidog_settings wd_enable Parameter Command Injection Attempt (CVE-2026-1125) (web_specific_apps.rules)
  • 2067090 - ET WEB_SPECIFIC_APPS D-Link upgrade_filter.asp path Parameter Command Injection Attempt (CVE-2026-0732) (web_specific_apps.rules)
  • 2067091 - ET WEB_SPECIFIC_APPS D-Link version_upgrade.asp path Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2067092 - ET WEB_SPECIFIC_APPS Netgear diag.cgi host_name Parameter Command Injection Attempt (CVE-2025-7407) (web_specific_apps.rules)
  • 2067093 - ET WEB_SPECIFIC_APPS Belkin formBSSetSitesurvey Multiple Parameters Command Injection Attempt (CVE-2025-7082) (web_specific_apps.rules)
  • 2067094 - ET WEB_SPECIFIC_APPS Belkin mp command Parameter Command Injection Attempt (CVE-2025-7083) (web_specific_apps.rules)
  • 2067095 - ET WEB_SPECIFIC_APPS Belkin formWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7084) (web_specific_apps.rules)
  • 2067096 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (trebblay .com) (exploit_kit.rules)
  • 2067097 - ET EXPLOIT_KIT LandUpdate808 Domain (trebblay .com) in TLS SNI (exploit_kit.rules)
  • 2067098 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (airmcjr .top) (malware.rules)
  • 2067099 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (airmcjr .top) in TLS SNI (malware.rules)
  • 2067100 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (potosuz .fun) (malware.rules)
  • 2067101 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (potosuz .fun) in TLS SNI (malware.rules)
  • 2067102 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (taretories .live) (malware.rules)
  • 2067103 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (taretories .live) in TLS SNI (malware.rules)
  • 2067104 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wagnvp .fun) (malware.rules)
  • 2067105 - ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085) (web_specific_apps.rules)
  • 2067106 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wagnvp .fun) in TLS SNI (malware.rules)
  • 2067107 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (heismanscholarship .com) (exploit_kit.rules)
  • 2067108 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (heismanscholarship .com) (exploit_kit.rules)
  • 2067109 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (special .blainrealtor .net) (malware.rules)
  • 2067110 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (special .blainrealtor .net) (malware.rules)
  • 2067111 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (trebblay .com) (exploit_kit.rules)
  • 2067112 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (trebblay .com) (exploit_kit.rules)
  • 2067113 - ET HUNTING Large non-DNS Packet on Port 53 (hunting.rules)

Pro:

  • 2865823 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001884 - ET ADWARE_PUP DesktopTraffic Toolbar Spyware (adware_pup.rules)
  • 2002181 - ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt (exploit.rules)
  • 2002315 - ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit (exploit.rules)
  • 2003322 - ET P2P Edonkey Server List (p2p.rules)
  • 2003674 - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt – mod_liste_index.php config pathMod (web_specific_apps.rules)
  • 2003909 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt – index.php form cat (web_specific_apps.rules)
  • 2009128 - ET MALWARE Bifrose Connect to Controller (PING PONG) (malware.rules)
  • 2010347 - ET MALWARE Fake/Rogue AV Landing Page Encountered (malware.rules)
  • 2020671 - ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND) (malware.rules)
  • 2021982 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC) (malware.rules)
  • 2022077 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu) (malware.rules)
  • 2022226 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022511 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC) (malware.rules)
  • 2022611 - ET MALWARE Scarlet Mimic DNS Lookup 46 (malware.rules)
  • 2023556 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2024078 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2100258 - GPL DNS EXPLOIT named 8.2->8.2.1 (dns.rules)
  • 2810920 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.ABK Checkin (mobile_malware.rules)
  • 2813034 - ETPRO MALWARE Rovnix DNS Lookup (zeleniypoyas.ru) (malware.rules)
  • 2822694 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda) (malware.rules)
  • 2825848 - ETPRO EXPLOIT Windows Graphics Elevation of Privilege Vulnerability Inbound (CVE-2017-0155) (exploit.rules)