Ruleset Update Summary - 2026/02/17 - v11127

rulesbot · February 17, 2026, 10:19pm

Summary:

77 new OPEN, 107 new PRO (77 + 30)

Thanks @skocherhan, @Huntresslabs, @censysio

Added rules:

Open:

2033900 - ET INFO Observed Riskware/Proxyware Domain (api .honeygain .com in TLS SNI) (info.rules)
2038602 - ET INFO Observed Riskware/Proxyware SSL/TLS Certificate (HoneyGain) (info.rules)
2067732 - ET INFO Powershell Repo Domain (powershellgallery .com in DNS Lookup) (info.rules)
2067733 - ET INFO Observed Powershell Repo Domain (powershellgallery .com in TLS SNI) (info.rules)
2067734 - ET MALWARE AstarionRAT CnC Checkin (malware.rules)
2067735 - ET MALWARE ClickFix Payload Delivery Domain in DNS Lookup (binclloudapp .com) (malware.rules)
2067736 - ET MALWARE Observed ClickFix Payload Delivery Domain (binclloudapp .com in TLS SNI) (malware.rules)
2067737 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (activitydmy .icu) (malware.rules)
2067738 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (activitydmy .icu) in TLS SNI (malware.rules)
2067739 - ET MALWARE Matanbuchus CnC Domain in DNS Lookup (marle .io) (malware.rules)
2067740 - ET MALWARE Observed Matanbuchus CnC Domain (marle .io in TLS SNI) (malware.rules)
2067741 - ET MALWARE AstarionRAT CnC Domain in DNS Lookup (www .ndibstersoft .com) (malware.rules)
2067742 - ET MALWARE Observed AstarionRAT CnC Domain (www .ndibstersoft .com in TLS SNI) (malware.rules)
2067743 - ET MALWARE Odyssey Stealer CnC Checkin (malware.rules)
2067744 - ET MALWARE Odyssey Stealer Tasking Request (malware.rules)
2067745 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cryaesa .cyou) (malware.rules)
2067746 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cryaesa .cyou) in TLS SNI (malware.rules)
2067747 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (emageuv .fun) (malware.rules)
2067748 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (emageuv .fun) in TLS SNI (malware.rules)
2067749 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (emapsho .fun) (malware.rules)
2067750 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (emapsho .fun) in TLS SNI (malware.rules)
2067751 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (firiaer .fun) (malware.rules)
2067752 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (firiaer .fun) in TLS SNI (malware.rules)
2067753 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (littlep .top) (malware.rules)
2067754 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (littlep .top) in TLS SNI (malware.rules)
2067755 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mnvgp .click) (malware.rules)
2067756 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mnvgp .click) in TLS SNI (malware.rules)
2067757 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orekcee .fun) (malware.rules)
2067758 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orekcee .fun) in TLS SNI (malware.rules)
2067759 - ET MALWARE Odyssey Stealer Repeat Request (malware.rules)
2067760 - ET MALWARE Odyssey Stealer Data Exfiltration Attempt (malware.rules)
2067761 - ET MALWARE Odyssey Stealer CnC Domain in DNS Lookup (sdojifsfiudgigfiv .to) (malware.rules)
2067762 - ET MALWARE Odyssey Stealer CnC Domain in DNS Lookup (something0x .at) (malware.rules)
2067763 - ET MALWARE Odyssey Stealer CnC Domain in DNS Lookup (charge0x .at) (malware.rules)
2067764 - ET MALWARE Observed Odyssey Stealer CnC Domain (sdojifsfiudgigfiv .to in TLS SNI) (malware.rules)
2067765 - ET MALWARE Observed Odyssey Stealer CnC Domain (something0x .at in TLS SNI) (malware.rules)
2067766 - ET MALWARE Observed Odyssey Stealer CnC Domain (charge0x .at in TLS SNI) (malware.rules)
2067767 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (rompompomsigma .com) (malware.rules)
2067768 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (th6969 .top) (malware.rules)
2067769 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (binance .comtr-katilim .com) (malware.rules)
2067770 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (bchat .cc) (malware.rules)
2067771 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (beetongame .com) (malware.rules)
2067772 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (tribusadao .com) (malware.rules)
2067773 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (siriustimes .rocks) (malware.rules)
2067774 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (siriustimes .info) (malware.rules)
2067775 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (chiebi .com) (malware.rules)
2067776 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (red-letter .org) (malware.rules)
2067777 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (diamondpickaxeforge .com) (malware.rules)
2067778 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (cekrovnyshim .com) (malware.rules)
2067779 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (flowerskitty .com) (malware.rules)
2067780 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (ironswordzombiekiller .com) (malware.rules)
2067781 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (ebemvsextiho .com) (malware.rules)
2067782 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (yourwrongwayz .com) (malware.rules)
2067783 - ET MALWARE Digit Stealer CnC Domain in DNS Lookup (theinvestcofund .com) (malware.rules)
2067784 - ET MALWARE Observed Digit Stealer CnC Domain (rompompomsigma .com in TLS SNI) (malware.rules)
2067785 - ET MALWARE Observed Digit Stealer CnC Domain (th6969 .top in TLS SNI) (malware.rules)
2067786 - ET MALWARE Observed Digit Stealer CnC Domain (binance .comtr-katilim .com in TLS SNI) (malware.rules)
2067787 - ET MALWARE Observed Digit Stealer CnC Domain (bchat .cc in TLS SNI) (malware.rules)
2067788 - ET MALWARE Observed Digit Stealer CnC Domain (beetongame .com in TLS SNI) (malware.rules)
2067789 - ET MALWARE Observed Digit Stealer CnC Domain (tribusadao .com in TLS SNI) (malware.rules)
2067790 - ET MALWARE Observed Digit Stealer CnC Domain (siriustimes .rocks in TLS SNI) (malware.rules)
2067791 - ET MALWARE Observed Digit Stealer CnC Domain (siriustimes .info in TLS SNI) (malware.rules)
2067792 - ET MALWARE Observed Digit Stealer CnC Domain (chiebi .com in TLS SNI) (malware.rules)
2067793 - ET MALWARE Observed Digit Stealer CnC Domain (red-letter .org in TLS SNI) (malware.rules)
2067794 - ET MALWARE Observed Digit Stealer CnC Domain (diamondpickaxeforge .com in TLS SNI) (malware.rules)
2067795 - ET MALWARE Observed Digit Stealer CnC Domain (cekrovnyshim .com in TLS SNI) (malware.rules)
2067796 - ET MALWARE Observed Digit Stealer CnC Domain (flowerskitty .com in TLS SNI) (malware.rules)
2067797 - ET MALWARE Observed Digit Stealer CnC Domain (ironswordzombiekiller .com in TLS SNI) (malware.rules)
2067798 - ET MALWARE Observed Digit Stealer CnC Domain (ebemvsextiho .com in TLS SNI) (malware.rules)
2067799 - ET MALWARE Observed Digit Stealer CnC Domain (yourwrongwayz .com in TLS SNI) (malware.rules)
2067800 - ET MALWARE Observed Digit Stealer CnC Domain (theinvestcofund .com in TLS SNI) (malware.rules)
2067801 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (networkservice .cyou) (malware.rules)
2067802 - ET MALWARE Observed TrustConnect RAT Domain (networkservice .cyou in TLS SNI) (malware.rules)
2067803 - ET MALWARE TrustConnect RAT CnC Activity (Agent Registration) (malware.rules)
2067804 - ET MALWARE TrustConnect RAT CnC Activity (Failed Registration) (malware.rules)
2067805 - ET MALWARE TrustConnect RAT CnC Activity (Files Pending) (malware.rules)
2067806 - ET MALWARE TrustConnect RAT CnC Activity (GET Commands) (malware.rules)

Pro:

2866153 - ETPRO MALWARE Amatera C2 Initial Checkin (malware.rules)
2866154 - ETPRO MALWARE Amatera C2 Initial Response (malware.rules)
2866155 - ETPRO MALWARE ErrTraffic CaaS Config Request (malware.rules)
2866156 - ETPRO MALWARE ErrTraffic CaaS Config Inbound (malware.rules)
2866157 - ETPRO MALWARE ErrTraffic CaaS Payload Request (malware.rules)
2866158 - ETPRO MALWARE ErrTraffic CaaS Payload Inbound (malware.rules)
2866159 - ETPRO MALWARE ErrTraffic CaaS Execution Confirmation (malware.rules)
2866160 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866161 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866162 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866163 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866164 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866165 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866166 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866167 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866168 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866169 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866170 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866171 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866172 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866173 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866174 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866175 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866176 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866177 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866178 - ETPRO MALWARE Observed DNS Query to TA450 Domain (malware.rules)
2866179 - ETPRO MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
2866180 - ETPRO MALWARE TA450 CnC Victim Checkin (malware.rules)
2866181 - ETPRO MALWARE TA450 CnC Victim Checkin (malware.rules)
2866182 - ETPRO HUNTING TA450 User-Agent Observed (hunting.rules)

Disabled and modified rules:

2067353 - ET INFO Samba rsync Sender Mode Session Established (info.rules)

Removed rules:

2033900 - ET ADWARE_PUP Observed Honeygain Domain (api .honeygain .com in TLS SNI) (adware_pup.rules)
2038602 - ET ADWARE_PUP Observed PUA SSL/TLS Certificate (HoneyGain) (adware_pup.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/09/22 - v11021 Ruleset Updates	163	September 22, 2025
Ruleset Update Summary - 2025/09/04 - v11008 Ruleset Updates	144	September 4, 2025
Ruleset Update Summary - 2024/12/26 - v10817 Ruleset Updates	109	December 26, 2024
Ruleset Update Summary - 2024/05/17 - v10598 Ruleset Updates	261	May 17, 2024
Ruleset Update Summary - 2024/11/18 - v10744 Ruleset Updates	114	November 18, 2024

Ruleset Update Summary - 2026/02/17 - v11127

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics