Ruleset Update Summary - 2026/02/16 - v11126

Summary:

50 new OPEN, 146 new PRO (50 + 96)
Added rules:

Open:

  • 2067682 - ET MALWARE TrustConnect RAT CnC Activity (Files Browse) (malware.rules)
  • 2067683 - ET MALWARE TrustConnect RAT CnC Activity (GET Agent Commands) (malware.rules)
  • 2067684 - ET MALWARE TrustConnect RAT CnC Activity (POST Command Results) (malware.rules)
  • 2067685 - ET MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat) (malware.rules)
  • 2067686 - ET MALWARE TrustConnect RAT CnC Activity (Heartbeat Response) (malware.rules)
  • 2067687 - ET MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request) (malware.rules)
  • 2067688 - ET MALWARE TrustConnect RAT CnC Activity (Agent Register) (malware.rules)
  • 2067689 - ET MALWARE TrustConnect RAT CnC Activity (Agent Update) (malware.rules)
  • 2067690 - ET MALWARE TrustConnect RAT CnC Activity (Files Pull) (malware.rules)
  • 2067691 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (anyviewer .com) (info.rules)
  • 2067692 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (anyviewer .com) (info.rules)
  • 2067693 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (anyplace-control .com) (info.rules)
  • 2067694 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (anyplace-control .com) (info.rules)
  • 2067695 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (aspia .org) (info.rules)
  • 2067696 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (aspia .org) (info.rules)
  • 2067697 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (atera .com) (info.rules)
  • 2067698 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (atera .com) (info.rules)
  • 2067699 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (atera .pubnubapi .com) (info.rules)
  • 2067700 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (atera .pubnubapi .com) (info.rules)
  • 2067701 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (atera-agent-heartbeat-cus .servicebus .windows .net) (info.rules)
  • 2067702 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (atera-agent-heartbeat-cus .servicebus .windows .net) (info.rules)
  • 2067703 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (atera-agent-heartbeat .servicebus .windows .net) (info.rules)
  • 2067704 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (atera-agent-heartbeat .servicebus .windows .net) (info.rules)
  • 2067705 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (auvik .com) (info.rules)
  • 2067706 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (auvik .com) (info.rules)
  • 2067707 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (aweray .net) (info.rules)
  • 2067708 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (aweray .net) (info.rules)
  • 2067709 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (aweray .com) (info.rules)
  • 2067710 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (aweray .com) (info.rules)
  • 2067711 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (islonline .net) (info.rules)
  • 2067712 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (islonline .net) (info.rules)
  • 2067713 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (barracudamsp .com) (info.rules)
  • 2067714 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (barracudamsp .com) (info.rules)
  • 2067715 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (basecamp .com) (info.rules)
  • 2067716 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (basecamp .com) (info.rules)
  • 2067717 - ET INFO DYNAMIC_DNS Query to a *.hotelconsuladoinn .com domain (info.rules)
  • 2067718 - ET INFO DYNAMIC_DNS HTTP Request to a *.hotelconsuladoinn .com domain (info.rules)
  • 2067719 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conneci .cyou) (malware.rules)
  • 2067720 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (conneci .cyou) in TLS SNI (malware.rules)
  • 2067721 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ziziphe .cyou) (malware.rules)
  • 2067722 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ziziphe .cyou) in TLS SNI (malware.rules)
  • 2067723 - ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207) (web_specific_apps.rules)
  • 2067724 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bxattlepath .digital) (malware.rules)
  • 2067725 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bxattlepath .digital) in TLS SNI (malware.rules)
  • 2067726 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (swigddmb .top) (malware.rules)
  • 2067727 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (swigddmb .top) in TLS SNI (malware.rules)
  • 2067728 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .terriberrynj .com) (malware.rules)
  • 2067729 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (support .eztechnj .com) (malware.rules)
  • 2067730 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .terriberrynj .com) (malware.rules)
  • 2067731 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (support .eztechnj .com) (malware.rules)

Pro:

  • 2866057 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866058 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866059 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866060 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866061 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866062 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866063 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866064 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866065 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866066 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866067 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866068 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866069 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866070 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2866071 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2866072 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2866073 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2866074 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866075 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2866076 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866077 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2866078 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866079 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866080 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2866081 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866082 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866083 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866084 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866085 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866086 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866087 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866088 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866089 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866090 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866091 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866092 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866093 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866094 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2866095 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866096 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2866097 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866098 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2866099 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866100 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866101 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2866102 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866103 - ETPRO HUNTING Generic Command Injection Attempt via HTTP URI (hunting.rules)
  • 2866104 - ETPRO MALWARE AliveBeacon Domain in DNS Lookup (malware.rules)
  • 2866105 - ETPRO MALWARE Observed AliveBeacon Domain in TLS SNI (malware.rules)
  • 2866106 - ETPRO MALWARE AliveBeacon CnC Checkin (malware.rules)
  • 2866107 - ETPRO MALWARE AliveBeacon CnC Checkin Response (malware.rules)
  • 2866108 - ETPRO MALWARE AliveBeacon Persistence Request (malware.rules)
  • 2866109 - ETPRO MALWARE AliveBeacon CnC Persistence Response (malware.rules)
  • 2866110 - ETPRO MALWARE AliveBeacon Status Request (malware.rules)
  • 2866111 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866112 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866113 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866114 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866115 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866116 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866117 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866118 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866119 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866120 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866121 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866122 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866123 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866124 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866125 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866126 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866127 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866128 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866129 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866130 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866131 - ETPRO MALWARE ErrTraffic CaaS CnC Domain in DNS Lookup (malware.rules)
  • 2866132 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866133 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866134 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866135 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866136 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866137 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866138 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866139 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866140 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866141 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866142 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866143 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866144 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866145 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866146 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866147 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866148 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866149 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866150 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866151 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)
  • 2866152 - ETPRO MALWARE Observed ErrTraffic CaaS Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2034090 - ET POLICY External IP Lookup via ad4989 .co .kr (policy.rules)
  • 2039682 - ET INFO External IP Lookup Domain (peoplesearch .real .com) in DNS Lookup (info.rules)
  • 2054165 - ET INFO External IP Lookup Domain in DNS Lookup (ident .me) (info.rules)
  • 2054166 - ET INFO Observed External IP Lookup Domain (ident .me) in TLS SNI (info.rules)

Disabled and modified rules:

  • 2067680 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (booking .lastminutebusinessclass .com) (malware.rules)
  • 2067681 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (booking .lastminutebusinessclass .com) (malware.rules)

Removed rules:

  • 2865954 - ETPRO MALWARE TrustConnect RAT CnC Activity (Files Browse) (malware.rules)
  • 2865955 - ETPRO MALWARE TrustConnect RAT CnC Activity (GET Agent Commands) (malware.rules)
  • 2865956 - ETPRO MALWARE TrustConnect RAT CnC Activity (POST Command Results) (malware.rules)
  • 2865957 - ETPRO MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat) (malware.rules)
  • 2865958 - ETPRO MALWARE TrustConnect RAT CnC Activity (Heartbeat Response) (malware.rules)
  • 2865959 - ETPRO MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request) (malware.rules)
  • 2865960 - ETPRO MALWARE TrustConnect RAT CnC Activity (Agent Register) (malware.rules)
  • 2865961 - ETPRO MALWARE TrustConnect RAT CnC Activity (Agent Update) (malware.rules)
  • 2865962 - ETPRO MALWARE TrustConnect RAT CnC Activity (Files Pull) (malware.rules)