Ruleset Update Summary - 2026/01/30 - v11115

Summary:

34 new OPEN, 36 new PRO (34 + 2)


Added rules:

Open:

  • 2067196 - ET MALWARE VoidLink C2 API Requests Outbound (malware.rules)
  • 2067197 - ET WEB_SPECIFIC_APPS Citrix Netscaler Console Authenticated Arbitrary File Write (CVE-2024-12284) (web_specific_apps.rules)
  • 2067198 - ET WEB_SPECIFIC_APPS Citrix NetScaler Console Authenticated Arbitrary File Read (CVE-2025-4365) (web_specific_apps.rules)
  • 2067199 - ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Authentication Bypass via Spoofing (CVE-2025-59501) (web_specific_apps.rules)
  • 2067200 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (backsan .cyou) (malware.rules)
  • 2067201 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (backsan .cyou) in TLS SNI (malware.rules)
  • 2067202 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (braxttp .cyou) (malware.rules)
  • 2067203 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (braxttp .cyou) in TLS SNI (malware.rules)
  • 2067204 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (interrg .cyou) (malware.rules)
  • 2067205 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (interrg .cyou) in TLS SNI (malware.rules)
  • 2067206 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (menopjc .cyou) (malware.rules)
  • 2067207 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (menopjc .cyou) in TLS SNI (malware.rules)
  • 2067208 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (parrisrohy .digital) (malware.rules)
  • 2067209 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (parrisrohy .digital) in TLS SNI (malware.rules)
  • 2067210 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pattyruralk .click) (malware.rules)
  • 2067211 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pattyruralk .click) in TLS SNI (malware.rules)
  • 2067212 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (potashbx .cyou) (malware.rules)
  • 2067213 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (potashbx .cyou) in TLS SNI (malware.rules)
  • 2067214 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stathas .cyou) (malware.rules)
  • 2067215 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stathas .cyou) in TLS SNI (malware.rules)
  • 2067216 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (simplehelp .io) (info.rules)
  • 2067217 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (simplehelp .io) (info.rules)
  • 2067218 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (simple-help .com) (info.rules)
  • 2067219 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (simple-help .com) (info.rules)
  • 2067220 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jenmartini .com) (exploit_kit.rules)
  • 2067221 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rickscribner .com) (exploit_kit.rules)
  • 2067222 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jenmartini .com) (exploit_kit.rules)
  • 2067223 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rickscribner .com) (exploit_kit.rules)
  • 2067224 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .mvsea-usa .com) (malware.rules)
  • 2067225 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (files .sandtagency .org) (malware.rules)
  • 2067226 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .mvsea-usa .com) (malware.rules)
  • 2067227 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (files .sandtagency .org) (malware.rules)
  • 2067228 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (www .ski-snowboardvancouver .ca) (exploit_kit.rules)
  • 2067229 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (www .ski-snowboardvancouver .ca) (exploit_kit.rules)

Pro:

  • 2865856 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2865857 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
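Most of the open additions above come in pairs, a "CnC Domain in DNS Lookup" sid and an "in TLS SNI" sid for the same domain, and the summary defangs every domain by inserting a space before each dot. The following is an added example, not Proofpoint/Emerging Threats tooling: it parses this summary format into rule entries, refangs the domains into a deduplicated indicator list keyed by ET category, and cross-checks the declared OPEN/PRO figures (PRO includes the open rules, hence "36 (34 + 2)") against the lines actually listed, which catches a truncated or mis-extracted summary before the indicators reach a blocklist. The sample text is a constructed subset of this update's lines with a summary line rewritten to match the subset; the `Rule` class and function names are this example's own.

```python
"""Parse an Emerging Threats 'Ruleset Update Summary' (the plain-text format
above) into rule entries, refang the defanged domains into an indicator list,
and cross-check the declared OPEN/PRO counts against the listed rules.
Added example; not Proofpoint/ET tooling."""
import re
from dataclasses import dataclass

# One rule line: "  • <sid> - <title> (<file>.rules)". The title itself may
# contain parentheses (defanged domains, CVE ids), so the non-greedy title
# group is bounded by the ".rules" file name that always ends the line.
ENTRY_RE = re.compile(r"^\s*•\s*(\d+)\s*-\s*(.+?)\s*\((\w+\.rules)\)\s*$")
# "34 new OPEN, 36 new PRO (34 + 2)": the PRO figure includes the open rules.
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# ET defangs domains with a space before each dot: "cpanel .mvsea-usa .com".
DEFANGED_RE = re.compile(r"\(([a-z0-9-]+(?: \.[a-z0-9-]+)+)\)", re.I)


@dataclass
class Rule:
    sid: int
    title: str
    rule_file: str
    tier: str  # "open" or "pro"

    @property
    def category(self) -> str:
        # "ET MALWARE ..." / "ETPRO MALWARE ..." -> "MALWARE"
        return self.title.split()[1]

    @property
    def domains(self) -> list:
        # Refang: drop the spaces ET inserts before the dots.
        return [m.replace(" ", "") for m in DEFANGED_RE.findall(self.title)]


def parse_summary(text: str):
    """Return (declared_counts, [Rule, ...]) for one update summary."""
    counts, rules, tier = None, [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = SUMMARY_RE.search(stripped)
        if m:
            counts = tuple(int(x) for x in m.groups())
            continue
        if stripped == "Open:":
            tier = "open"
            continue
        if stripped == "Pro:":
            tier = "pro"
            continue
        m = ENTRY_RE.match(line)
        if m and tier:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), tier))
    return counts, rules


def check_counts(counts, rules) -> bool:
    """True if the summary line agrees with the rules actually listed."""
    declared_open, declared_pro_total, open_part, pro_only = counts
    n_open = sum(r.tier == "open" for r in rules)
    n_pro = sum(r.tier == "pro" for r in rules)
    return (declared_open == open_part == n_open
            and pro_only == n_pro
            and declared_pro_total == n_open + n_pro)


def indicators(rules) -> dict:
    """Map each refanged domain to the ET categories that reference it.
    The DNS-lookup and TLS-SNI sids for one domain collapse to one entry."""
    out = {}
    for r in rules:
        for d in r.domains:
            out.setdefault(d, set()).add(r.category)
    return out


# Constructed sample: a subset of this update's lines, with the summary line
# rewritten to match the subset (7 open + 2 pro-only).
SAMPLE = """Summary:

7 new OPEN, 9 new PRO (7 + 2)

Open:

  • 2067196 - ET MALWARE VoidLink C2 API Requests Outbound (malware.rules)
  • 2067197 - ET WEB_SPECIFIC_APPS Citrix Netscaler Console Authenticated Arbitrary File Write (CVE-2024-12284) (web_specific_apps.rules)
  • 2067200 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (backsan .cyou) (malware.rules)
  • 2067201 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (backsan .cyou) in TLS SNI (malware.rules)
  • 2067216 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (simplehelp .io) (info.rules)
  • 2067224 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .mvsea-usa .com) (malware.rules)
  • 2067228 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (www .ski-snowboardvancouver .ca) (exploit_kit.rules)

Pro:

  • 2865856 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2865857 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
"""

if __name__ == "__main__":
    counts, rules = parse_summary(SAMPLE)
    print("counts consistent:", check_counts(counts, rules))
    for domain, cats in sorted(indicators(rules).items()):
        print(domain, sorted(cats))
```

The category attached to each indicator matters when feeding a blocklist: the two simplehelp / simple-help entries are ET INFO, a legitimate RMM product that is worth alerting on but not blocking outright, whereas the MALWARE and EXPLOIT_KIT domains are candidates for outright denial. Keeping the summary count check in the pipeline means a summary that was cut off mid-list fails loudly instead of silently shipping a partial indicator set.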