Ruleset Update Summary - 2026/02/19 - v11129

Ruleset Updates
1

Summary:

26 new OPEN, 35 new PRO (26 + 9)

Added rules:

Open:

  • 2067831 - ET INFO OneGet Windows Package Manager User-Agent Observed (Mozilla/5.0 PackageManagement) Outbound (info.rules)
  • 2067832 - ET INFO OneGet Windows Package Manager User-Agent Observed (Mozilla/5.0 NuGet) Outbound (info.rules)
  • 2067833 - ET HUNTING PowerShell Gallery Search for MSP360 (hunting.rules)
  • 2067834 - ET HUNTING Download MSP360 Package from PowerShell Gallery (hunting.rules)
  • 2067835 - ET HUNTING GET MSP360 .exe from AWS (hunting.rules)
  • 2067836 - ET INFO DYNAMIC_DNS Query to a *.fri67 .com domain (info.rules)
  • 2067837 - ET INFO DYNAMIC_DNS HTTP Request to a *.fri67 .com domain (info.rules)
  • 2067838 - ET INFO DYNAMIC_DNS Query to a *.theharrispad .com domain (info.rules)
  • 2067839 - ET INFO DYNAMIC_DNS HTTP Request to a *.theharrispad .com domain (info.rules)
  • 2067840 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weareriu .cyou) (malware.rules)
  • 2067841 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weareriu .cyou) in TLS SNI (malware.rules)
  • 2067842 - ET MALWARE Observed DNS Query to BlackSanta Domain (thresumebuilder .com) (malware.rules)
  • 2067843 - ET MALWARE Observed DNS Query to BlackSanta Domain (resumebuilders .us) (malware.rules)
  • 2067844 - ET MALWARE Observed DNS Query to BlackSanta Domain (newresumebuilders .us) (malware.rules)
  • 2067845 - ET MALWARE Observed BlackSanta Domain (thresumebuilder .com in TLS SNI) (malware.rules)
  • 2067846 - ET MALWARE Observed BlackSanta Domain (resumebuilders .us in TLS SNI) (malware.rules)
  • 2067847 - ET MALWARE Observed BlackSanta Domain (newresumebuilders .us in TLS SNI) (malware.rules)
  • 2067848 - ET MALWARE BlackSanta CnC Activity (POST) (malware.rules)
  • 2067849 - ET MALWARE BlackSanta Payload Request (malware.rules)
  • 2067850 - ET MALWARE BlackSanta Payload Inbound (malware.rules)
  • 2067851 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ainttby .com) (exploit_kit.rules)
  • 2067852 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mieyabi .com) (exploit_kit.rules)
  • 2067853 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ainttby .com) (exploit_kit.rules)
  • 2067854 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mieyabi .com) (exploit_kit.rules)
  • 2067855 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (trofeyincs .top) (exploit_kit.rules)
  • 2067856 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (trofeyincs .top) (exploit_kit.rules)

Pro:

  • 2866187 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866188 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866189 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866190 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866191 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866192 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866193 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866194 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866195 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)