Ruleset Update Summary - 2026/03/04 - v11139

Ruleset Updates
1

Summary:

9 new OPEN, 24 new PRO (9 + 15)

Thanks @kevross33

Added rules:

Open:

  • 2068001 - ET MALWARE TA450 CnC Victim Checkin (malware.rules)
  • 2068002 - ET MALWARE TA450 CnC Victim Checkin (malware.rules)
  • 2068003 - ET INFO DYNAMIC_DNS Query to a *.protelecon .com domain (info.rules)
  • 2068004 - ET INFO DYNAMIC_DNS HTTP Request to a *.protelecon .com domain (info.rules)
  • 2068005 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sanicue .cyou) (malware.rules)
  • 2068006 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sanicue .cyou) in TLS SNI (malware.rules)
  • 2068007 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (disk .grovecitykitchenremodeling .com) (malware.rules)
  • 2068008 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (disk .grovecitykitchenremodeling .com) (malware.rules)
  • 2068009 - ET MALWARE Observed Coruna User-Agent (Outbound) (malware.rules)

Pro:

  • 2866425 - ETPRO WEB_SERVER Cisco Catalyst SD-WAN Manager Authenticated DCA Credential Disclosure (CVE-2026-20128) (web_server.rules)
  • 2866426 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866427 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866428 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866429 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866430 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866431 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866432 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866433 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866434 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866435 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2866436 - ETPRO PHISHING Observed DNS Query to UNK_NeedleSalt Domain (phishing.rules)
  • 2866437 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
  • 2866438 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
  • 2866439 - ETPRO WEB_SERVER Cisco Catalyst SD-WAN Manager Authenticated Arbitrary File Creation (CVE-2025-20187) (web_server.rules)

Removed rules:

  • 2866180 - ETPRO MALWARE TA450 CnC Victim Checkin (malware.rules)
  • 2866181 - ETPRO MALWARE TA450 CnC Victim Checkin (malware.rules)