Ruleset Update Summary - 2026/03/02 - v11137

Summary:

20 new OPEN, 38 new PRO (20 + 18)

Thanks @James_inthe_box
Added rules:

Open:

  • 2067949 - ET INFO DYNAMIC_DNS Query to a *.acconboy .com domain (info.rules)
  • 2067950 - ET INFO DYNAMIC_DNS HTTP Request to a *.acconboy .com domain (info.rules)
  • 2067951 - ET INFO DYNAMIC_DNS Query to a *.garethmusic .com domain (info.rules)
  • 2067952 - ET INFO DYNAMIC_DNS HTTP Request to a *.garethmusic .com domain (info.rules)
  • 2067953 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undimik .cyou) (malware.rules)
  • 2067954 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undimik .cyou) in TLS SNI (malware.rules)
  • 2067955 - ET INFO DYNAMIC_DNS Query to a *.383 .li domain (info.rules)
  • 2067956 - ET INFO DYNAMIC_DNS HTTP Request to a *.383 .li domain (info.rules)
  • 2067957 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (partyyeisdo .shop) (malware.rules)
  • 2067958 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (partyyeisdo .shop) in TLS SNI (malware.rules)
  • 2067959 - ET INFO Observed RMM Domain in DNS Lookup (dameware .com) (info.rules)
  • 2067960 - ET INFO Observed RMM Domain (dameware .com) in TLS SNI (info.rules)
  • 2067961 - ET INFO Observed RMM Domain in DNS Lookup (mspa .n-able .com) (info.rules)
  • 2067962 - ET INFO Observed RMM Domain in DNS Lookup (swi-dre .com) (info.rules)
  • 2067963 - ET INFO Observed RMM Domain (mspa .n-able .com) in TLS SNI (info.rules)
  • 2067964 - ET INFO Observed RMM Domain (swi-dre .com) in TLS SNI (info.rules)
  • 2067965 - ET INFO SimpleHelp RMM machine ping Request to Server (info.rules)
  • 2067966 - ET INFO SimpleHelp RMM lossyproc Request to Server (info.rules)
  • 2067967 - ET MALWARE Malicious SimpleHelp RMM Domain in DNS Lookup (funsunmexicobizz .top) (malware.rules)
  • 2067968 - ET MALWARE Observed Malicious SimpleHelp RMM Domain (funsunmexicobizz .top) in TLS SNI (malware.rules)

Pro:

  • 2866393 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866394 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866395 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866396 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866397 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866398 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866399 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866400 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866401 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866402 - ETPRO WEB_SPECIFIC_APPS GrandStream GXP1600 Unauthenticated Remote Code Execution (CVE-2026-2329) (web_specific_apps.rules)
  • 2866403 - ETPRO MALWARE Observed DNS Query to TA569 Domain (malware.rules)
  • 2866404 - ETPRO WEB_SPECIFIC_APPS Tenda AC1206 formSetMacFilterCfg deviceList Parameter Buffer Overflow (CVE-2025-7544) (web_specific_apps.rules)
  • 2866405 - ETPRO MALWARE Observed ErrTraffic Admin Panel (malware.rules)
  • 2866406 - ETPRO MALWARE Observed ErrTraffic Admin Session Cookie (malware.rules)
  • 2866407 - ETPRO MALWARE Observed DNS Query to ErrTraffic Domain (malware.rules)
  • 2866408 - ETPRO MALWARE Observed ErrTraffic Domain in TLS SNI (malware.rules)
  • 2866409 - ETPRO MALWARE Observed TA569 Domain in TLS SNI (malware.rules)
  • 2866410 - ETPRO WEB_SPECIFIC_APPS Cisco Secure Email Gateway & Web Manager EUQ RPC Authentication Bypass (CVE-2025-20393) (web_specific_apps.rules)

Disabled and modified rules:

  • 2067912 - ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2026-2846) (web_specific_apps.rules)