Ruleset Update Summary - 2026/02/13 - v11125

Summary:

33 new OPEN, 49 new PRO (33 + 16)

Thanks @datadoghq, @suyog41, @watchtowrcyber

Added rules:

Open:

• 2067649 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
• 2067650 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
• 2067651 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
• 2067652 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
• 2067653 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
• 2067654 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (audioza .cyou) (malware.rules)
• 2067655 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (audioza .cyou) in TLS SNI (malware.rules)
• 2067656 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (notionz .qpon) (malware.rules)
• 2067657 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (notionz .qpon) in TLS SNI (malware.rules)
• 2067658 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (portuge .cyou) (malware.rules)
• 2067659 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (portuge .cyou) in TLS SNI (malware.rules)
• 2067660 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tothelo .cyou) (malware.rules)
• 2067661 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tothelo .cyou) in TLS SNI (malware.rules)
• 2067662 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (triniliu .cyou) (malware.rules)
• 2067663 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (triniliu .cyou) in TLS SNI (malware.rules)
• 2067664 - ET HUNTING Fake Github .com Html Footer (hunting.rules)
• 2067665 - ET WEB_SPECIFIC_APPS Ivanti RemoteControlAuth logintype Parameter Authentication Bypass Attempt (CVE-2026-1603) (web_specific_apps.rules)
• 2067666 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (frozendoome .com) (malware.rules)
• 2067667 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (airportsock .xyz) (malware.rules)
• 2067668 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (securityfenceandwelding .com) (malware.rules)
• 2067669 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (primedatahost4 .lol) (malware.rules)
• 2067670 - ET MALWARE Observed MacSync Stealer Domain (frozendoome .com in TLS SNI) (malware.rules)
• 2067671 - ET MALWARE Observed MacSync Stealer Domain (airportsock .xyz in TLS SNI) (malware.rules)
• 2067672 - ET MALWARE Observed MacSync Stealer Domain (securityfenceandwelding .com in TLS SNI) (malware.rules)
• 2067673 - ET MALWARE Observed MacSync Stealer Domain (primedatahost4 .lol in TLS SNI) (malware.rules)
• 2067674 - ET MALWARE MacSync Stage 1 Payload Request (malware.rules)
• 2067675 - ET MALWARE MacSync Stage 2 CnC Exfil (malware.rules)
• 2067676 - ET MALWARE SHubv2.0 CnC Heartbeat (malware.rules)
• 2067677 - ET MALWARE Observed DNS Query to SHubv2.0 Domain (imper-strlk5 .com) (malware.rules)
• 2067678 - ET MALWARE Observed SHubv2.0 Domain (imper-strlk5 .com in TLS SNI) (malware.rules)
• 2067679 - ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration (hunting.rules)
• 2067680 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (booking .lastminutebusinessclass .com) (malware.rules)
• 2067681 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (booking .lastminutebusinessclass .com) (malware.rules)

Pro:

• 2866040 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
• 2866041 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
• 2866042 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
• 2866043 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
• 2866044 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
• 2866045 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
• 2866046 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
• 2866047 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
• 2866048 - ETPRO PHISHING TA543 Phish Kit Fingerprinting User (phishing.rules)
• 2866049 - ETPRO PHISHING TA453 Phish Landing Page 2026-02-12 (phishing.rules)
• 2866050 - ETPRO PHISHING TA543 Phish Kit Checkin (phishing.rules)
• 2866051 - ETPRO PHISHING TA543 Phish Kit Find User (phishing.rules)
• 2866052 - ETPRO PHISHING TA543 Successful Credential Phish (phishing.rules)
• 2866053 - ETPRO PHISHING TA453 User Fingerprint Exfil (phishing.rules)
• 2866054 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
• 2866056 - ETPRO PHISHING TA453 Landing Page 2026-02-13 (phishing.rules)

Modified inactive rules:

• 2022078 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2022227 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC) (malware.rules)
• 2022512 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC) (malware.rules)
• 2022612 - ET MALWARE Scarlet Mimic DNS Lookup 47 (malware.rules)
• 2813035 - ETPRO MALWARE Rovnix DNS Lookup (zeleniypoyas.su) (malware.rules)
• 2815425 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif CnC) (malware.rules)
• 2815850 - ETPRO MOBILE_MALWARE Android.Trojan.Tefoni.A Checkin (mobile_malware.rules)

Disabled and modified rules:

• 2067642 - ET HUNTING HTTP Permissions-Policy Geolocation Directive (hunting.rules)