Ruleset Update Summary - 2026/02/09 - v11121

Ruleset Updates
1

Summary:

72 new OPEN, 91 new PRO (72 + 19)

Added rules:

Open:

  • 2067368 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (247ithelp .net) (info.rules)
  • 2067369 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (247ithelp .net) (info.rules)
  • 2067370 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (247ithelp .com) (info.rules)
  • 2067371 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (247ithelp .net) (info.rules)
  • 2067372 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (247ithelp .org) (info.rules)
  • 2067373 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (247ithelp .com) (info.rules)
  • 2067374 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (namequery .com) (info.rules)
  • 2067375 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (namequery .com) (info.rules)
  • 2067376 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (remotix .com) (info.rules)
  • 2067377 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (remotix .com) (info.rules)
  • 2067378 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (remotixcloud .com) (info.rules)
  • 2067379 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (remotixcloud .com) (info.rules)
  • 2067380 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (rxtunnel1 .koreacentral .cloudapp .azure .com) (info.rules)
  • 2067381 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (rxtunnel1 .koreacentral .cloudapp .azure .com) (info.rules)
  • 2067382 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (rxtunnel1 .australiasoutheast .cloudapp .azure .com) (info.rules)
  • 2067383 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (rxtunnel1 .australiasoutheast .cloudapp .azure .com) (info.rules)
  • 2067384 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (prod .addigy .com) (info.rules)
  • 2067385 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (prod .addigy .com) (info.rules)
  • 2067386 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (agents .addigy .com) (info.rules)
  • 2067387 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (agents .addigy .com) (info.rules)
  • 2067388 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (grtmprod .addigy .com) (info.rules)
  • 2067389 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (grtmprod .addigy .com) (info.rules)
  • 2067390 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (adobeconnect .com) (info.rules)
  • 2067391 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (adobeconnect .com) (info.rules)
  • 2067392 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (aeroadmin .com) (info.rules)
  • 2067393 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (aeroadmin .com) (info.rules)
  • 2067394 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (alpemix .com) (info.rules)
  • 2067395 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (alpemix .com) (info.rules)
  • 2067396 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (teknopars .com) (info.rules)
  • 2067397 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (teknopars .com) (info.rules)
  • 2067398 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (ammyy .com) (info.rules)
  • 2067399 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (ammyy .com) (info.rules)
  • 2067400 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (anysupport .net) (info.rules)
  • 2067401 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (anysupport .net) (info.rules)
  • 2067402 - ET INFO DYNAMIC_DNS Query to a *.manica .org domain (info.rules)
  • 2067403 - ET INFO DYNAMIC_DNS HTTP Request to a *.manica .org domain (info.rules)
  • 2067404 - ET INFO DYNAMIC_DNS Query to a *.null-t .org domain (info.rules)
  • 2067405 - ET INFO DYNAMIC_DNS HTTP Request to a *.null-t .org domain (info.rules)
  • 2067406 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (belloww .cyou) (malware.rules)
  • 2067407 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (belloww .cyou) in TLS SNI (malware.rules)
  • 2067408 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impoliterenei .click) (malware.rules)
  • 2067409 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impoliterenei .click) in TLS SNI (malware.rules)
  • 2067410 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manufao .cyou) (malware.rules)
  • 2067411 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (manufao .cyou) in TLS SNI (malware.rules)
  • 2067412 - ET INFO DYNAMIC_DNS Query to a *.infotechnology .com domain (info.rules)
  • 2067413 - ET INFO DYNAMIC_DNS HTTP Request to a *.infotechnology .com domain (info.rules)
  • 2067414 - ET INFO DYNAMIC_DNS Query to a *.thepresenttraveller .com domain (info.rules)
  • 2067415 - ET INFO DYNAMIC_DNS HTTP Request to a *.thepresenttraveller .com domain (info.rules)
  • 2067416 - ET INFO Quest KACE Desktop Authority Server SMB Named Pipe Create (info.rules)
  • 2067417 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe AdminExec Operation (CVE-2025-67813) (info.rules)
  • 2067418 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe DllInjection Operation (CVE-2025-67813) (info.rules)
  • 2067419 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe Credentials Operation (CVE-2025-67813) (info.rules)
  • 2067420 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe ImpersonateAdmin Operation (CVE-2025-67813) (info.rules)
  • 2067421 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe InvokeCOM Operation (CVE-2025-67813) (info.rules)
  • 2067422 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tefalle .com) (exploit_kit.rules)
  • 2067423 - ET EXPLOIT_KIT LandUpdate808 Domain (tefalle .com) in TLS SNI (exploit_kit.rules)
  • 2067424 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enjoyag .cyou) (malware.rules)
  • 2067425 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enjoyag .cyou) in TLS SNI (malware.rules)
  • 2067426 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genusgp .cyou) (malware.rules)
  • 2067427 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genusgp .cyou) in TLS SNI (malware.rules)
  • 2067428 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oculusr .cyou) (malware.rules)
  • 2067429 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oculusr .cyou) in TLS SNI (malware.rules)
  • 2067430 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (old .fijitravel .com) (malware.rules)
  • 2067431 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (old .fijitravel .com) (malware.rules)
  • 2067432 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tefalle .com) (exploit_kit.rules)
  • 2067433 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tefalle .com) (exploit_kit.rules)
  • 2067434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (heywl .com) (exploit_kit.rules)
  • 2067435 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thesnackbee .com) (exploit_kit.rules)
  • 2067436 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (socialiteration .com) (exploit_kit.rules)
  • 2067437 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (heywl .com) (exploit_kit.rules)
  • 2067438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thesnackbee .com) (exploit_kit.rules)
  • 2067439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (socialiteration .com) (exploit_kit.rules)

Pro:

  • 2865963 - ETPRO WEB_SPECIFIC_APPS Progress Software Kemp LoadMaster Authenticated listapikeys OS Command Injection (CVE-2025-13447) (web_specific_apps.rules)
  • 2865964 - ETPRO WEB_SPECIFIC_APPS Progress Software Kemp LoadMaster Authenticated delcert OS Command Injection (CVE-2025-13447) (web_specific_apps.rules)
  • 2865965 - ETPRO WEB_SPECIFIC_APPS Progress Software Kemp LoadMaster Authenticated delapikey OS Command Injection (CVE-2025-13447) (web_specific_apps.rules)
  • 2865966 - ETPRO WEB_SPECIFIC_APPS Progress Software Kemp LoadMaster Authenticated addapikey OS Command Injection (CVE-2025-13447) (web_specific_apps.rules)
  • 2865967 - ETPRO WEB_SPECIFIC_APPS Progress Software Kemp LoadMaster Authenticated getcipherset OS Command Injection (CVE-2025-13444) (web_specific_apps.rules)
  • 2865968 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2865969 - ETPRO MALWARE Observed DNS Query to Web Inject Domain (malware.rules)
  • 2865970 - ETPRO MALWARE Observed DNS Query to Web Inject Domain (malware.rules)
  • 2865971 - ETPRO MALWARE Observed DNS Query to Web Inject Domain (malware.rules)
  • 2865972 - ETPRO MALWARE Observed DNS Query to Web Inject Domain (malware.rules)
  • 2865973 - ETPRO MALWARE Observed DNS Query to Web Inject Domain (malware.rules)
  • 2865974 - ETPRO MALWARE Observed Web Inject Domain in TLS SNI (malware.rules)
  • 2865975 - ETPRO MALWARE Observed Web Inject Domain in TLS SNI (malware.rules)
  • 2865976 - ETPRO MALWARE Observed Web Inject Domain in TLS SNI (malware.rules)
  • 2865977 - ETPRO MALWARE Observed Web Inject Domain in TLS SNI (malware.rules)
  • 2865978 - ETPRO MALWARE Observed Web Inject Domain in TLS SNI (malware.rules)
  • 2865979 - ETPRO MALWARE TA2626/TA2727 Style Webpage Inject Activity (POST) (malware.rules)
  • 2865980 - ETPRO MALWARE TA2626/TA2727 Style Webpage Inject Observed (malware.rules)
  • 2865981 - ETPRO MALWARE TA2626/TA2727 Style Webpage Inject Observed (malware.rules)

Modified inactive rules:

  • 2013794 - ET MALWARE Dropper.Win32.Npkon Server Responce (malware.rules)
  • 2014508 - ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain (info.rules)
  • 2016252 - ET MALWARE Unknown POST of Windows PW Hashes to External Site (malware.rules)
  • 2016593 - ET EXPLOIT_KIT RedDotv2 Java Check-in (exploit_kit.rules)
  • 2017487 - ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass (exploit_kit.rules)
  • 2803438 - ETPRO MALWARE Win32.Puprlehzae.A Checkin (malware.rules)
  • 2803583 - ETPRO MALWARE Win32.Sality.At Checkin (malware.rules)
  • 2804039 - ETPRO MALWARE Win32/VBInject.CK Checkin (malware.rules)
  • 2807154 - ETPRO MALWARE Win32/Gapz CnC (malware.rules)