Ruleset Update Summary - 2026/02/24 - v11133

Ruleset Updates
1

Summary:

38 new OPEN, 67 new PRO (38 + 29)

Added rules:

Open:

  • 2067881 - ET INFO DYNAMIC_DNS Query to a *.unleashedvr .com domain (info.rules)
  • 2067882 - ET INFO DYNAMIC_DNS HTTP Request to a *.unleashedvr .com domain (info.rules)
  • 2067883 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bowlina .cyou) (malware.rules)
  • 2067884 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bowlina .cyou) in TLS SNI (malware.rules)
  • 2067885 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (canvasn .top) (malware.rules)
  • 2067886 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (canvasn .top) in TLS SNI (malware.rules)
  • 2067887 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (convexm .top) (malware.rules)
  • 2067888 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (convexm .top) in TLS SNI (malware.rules)
  • 2067889 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ectrodm .cyou) (malware.rules)
  • 2067890 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ectrodm .cyou) in TLS SNI (malware.rules)
  • 2067891 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (executrixfinav .pw) (malware.rules)
  • 2067892 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (executrixfinav .pw) in TLS SNI (malware.rules)
  • 2067893 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genetiz .shop) (malware.rules)
  • 2067894 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genetiz .shop) in TLS SNI (malware.rules)
  • 2067895 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gratefulheartx .tech) (malware.rules)
  • 2067896 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gratefulheartx .tech) in TLS SNI (malware.rules)
  • 2067897 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingraiv .cyou) (malware.rules)
  • 2067898 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ingraiv .cyou) in TLS SNI (malware.rules)
  • 2067899 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (integri .top) (malware.rules)
  • 2067900 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (integri .top) in TLS SNI (malware.rules)
  • 2067901 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mensare .top) (malware.rules)
  • 2067902 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mensare .top) in TLS SNI (malware.rules)
  • 2067903 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (parabg .club) (malware.rules)
  • 2067904 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (parabg .club) in TLS SNI (malware.rules)
  • 2067905 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinlpr .buzz) (malware.rules)
  • 2067906 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thinlpr .buzz) in TLS SNI (malware.rules)
  • 2067907 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (touchfh .shop) (malware.rules)
  • 2067908 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (touchfh .shop) in TLS SNI (malware.rules)
  • 2067909 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unrepax .top) (malware.rules)
  • 2067910 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unrepax .top) in TLS SNI (malware.rules)
  • 2067911 - ET WEB_SPECIFIC_APPS UTT formReConnect Isp_Name Parameter Command Injection Attempt (CVE-2026-2847) (web_specific_apps.rules)
  • 2067912 - ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2026-2846) (web_specific_apps.rules)
  • 2067913 - ET WEB_SPECIFIC_APPS HummerRisk Cloud Compliance Scan proxyIp Parameter Command Injection Attempt (CVE-2026-3066) (web_specific_apps.rules)
  • 2067914 - ET WEB_SPECIFIC_APPS HummerRisk dryRun filename Parameter Command Injection Attempt (CVE-2026-3065) (web_specific_apps.rules)
  • 2067915 - ET WEB_SPECIFIC_APPS HummerRisk Task Create regions Parameter Command Injection Attempt (CVE-2026-3064) (web_specific_apps.rules)
  • 2067916 - ET WEB_SPECIFIC_APPS Dinky Git Project name Parameter Directory Traversal Attempt (CVE-2026-3051) (web_specific_apps.rules)
  • 2067917 - ET INFO Observed DNS Query to Frequently Abused Online Tool Domain (klclick3 .com) (info.rules)
  • 2067918 - ET INFO Observed Frequently Abused Online Tool Domain (klclick3 .com in TLS SNI) (info.rules)

Pro:

  • 2866294 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866295 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866296 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866297 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866298 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866299 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866300 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866301 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866302 - ETPRO MALWARE CarnivalHeist Victim Checkin (malware.rules)
  • 2866303 - ETPRO MALWARE CarnivalHeist Payload Inbound (malware.rules)
  • 2866304 - ETPRO MALWARE Observed DNS Query to CarnivalHeist Domain (malware.rules)
  • 2866305 - ETPRO MALWARE Observed CarnivalHeist Domain in TLS SNI (malware.rules)
  • 2866306 - ETPRO MALWARE Fake Microsoft Teams Payload Delivery Landing Page (malware.rules)
  • 2866307 - ETPRO MALWARE Fake Adobe Document Payload Delivery Landing Page (malware.rules)
  • 2866308 - ETPRO MALWARE Common Payload Delivery Landing Page Detection Evasion M1 (malware.rules)
  • 2866309 - ETPRO MALWARE Common Payload Delivery Landing Page Detection Evasion M2 (malware.rules)
  • 2866310 - ETPRO MALWARE Common Payload Delivery Landing Page Detection Evasion M3 (malware.rules)
  • 2866311 - ETPRO MALWARE Observed DNS Query to Compromised Domain (malware.rules)
  • 2866312 - ETPRO MALWARE Observed DNS Query to Compromised Domain (malware.rules)
  • 2866313 - ETPRO MALWARE Observed DNS Query to Compromised Domain (malware.rules)
  • 2866314 - ETPRO MALWARE Observed Comrpomised Domain in TLS SNI (malware.rules)
  • 2866315 - ETPRO MALWARE Observed Comrpomised Domain in TLS SNI (malware.rules)
  • 2866316 - ETPRO MALWARE Observed Comrpomised Domain in TLS SNI (malware.rules)
  • 2866317 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2866318 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2866319 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2866320 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)
  • 2866321 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)
  • 2866322 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)