Ruleset Update Summary - 2026/02/18 - v11128

Summary:

24 new OPEN, 28 new PRO (24 + 4)

Thanks @fabo97662188
Added rules:

Open:

  • 2067807 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greekcs .cyou) (malware.rules)
  • 2067808 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (greekcs .cyou) in TLS SNI (malware.rules)
  • 2067809 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (incmrvk .top) (malware.rules)
  • 2067810 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (incmrvk .top) in TLS SNI (malware.rules)
  • 2067811 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unaideg .cyou) (malware.rules)
  • 2067812 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unaideg .cyou) in TLS SNI (malware.rules)
  • 2067813 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067814 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067815 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067816 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067817 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067818 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067819 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067820 - ET MALWARE Observed MacOS ClickFix Landing Page (malware.rules)
  • 2067821 - ET EXPLOIT_KIT Observed DNS Query to MacOS ClickFix Landing Page Domain (raytherrien .com) (exploit_kit.rules)
  • 2067822 - ET EXPLOIT_KIT Observed DNS Query to MacOS ClickFix Landing Page Domain (malext .com) (exploit_kit.rules)
  • 2067823 - ET EXPLOIT_KIT Observed DNS Query to MacOS ClickFix Landing Page Domain (mac-os-helper .com) (exploit_kit.rules)
  • 2067824 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (hodorit .com) (exploit_kit.rules)
  • 2067825 - ET EXPLOIT_KIT Observed MacOS ClickFix Landing Page Domain (raytherrien .com in TLS SNI) (exploit_kit.rules)
  • 2067826 - ET EXPLOIT_KIT Observed MacOS ClickFix Landing Page Domain (malext .com in TLS SNI) (exploit_kit.rules)
  • 2067827 - ET EXPLOIT_KIT Observed MacOS ClickFix Landing Page Domain (mac-os-helper .com in TLS SNI) (exploit_kit.rules)
  • 2067828 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (hodorit .com) (exploit_kit.rules)
  • 2067829 - ET HUNTING Deprecated Github URL Shortener Domain in DNS Lookup (git .io) (hunting.rules)
  • 2067830 - ET HUNTING Observed Deprecated Github URL Shortener Domain in TLS SNI (git .io) (hunting.rules)

Pro:

  • 2866183 - ETPRO MALWARE UNK_NoseDive Payload Retrieval Attempt (malware.rules)
  • 2866184 - ETPRO MALWARE UNK_NoseDive Payload Retrieval Response (malware.rules)
  • 2866185 - ETPRO MALWARE UNK_NoseDive Data Exfiltration Attempt M1 (malware.rules)
  • 2866186 - ETPRO MALWARE UNK_NoseDive Data Exfiltration Attempt M2 (malware.rules)