Ruleset Update Summary - 2026/03/06 - v11141

rulesbot · March 6, 2026, 9:42pm

Summary:

33 new OPEN, 49 new PRO (33 + 16)

Thanks @Bitdefender_Ent

Added rules:

Open:

2068027 - ET INFO DYNAMIC_DNS Query to a *.vinoniv .net domain (info.rules)
2068028 - ET INFO DYNAMIC_DNS HTTP Request to a *.vinoniv .net domain (info.rules)
2068029 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bearboll .fun) (malware.rules)
2068030 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bearboll .fun) in TLS SNI (malware.rules)
2068031 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (capacif .cyou) (malware.rules)
2068032 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (capacif .cyou) in TLS SNI (malware.rules)
2068033 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cybgerlaunch .digital) (malware.rules)
2068034 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cybgerlaunch .digital) in TLS SNI (malware.rules)
2068035 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drownthinsaltroutese .pw) (malware.rules)
2068036 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drownthinsaltroutese .pw) in TLS SNI (malware.rules)
2068037 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slimtvsocico .fun) (malware.rules)
2068038 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slimtvsocico .fun) in TLS SNI (malware.rules)
2068039 - ET MALWARE Observed DNS Query to APT36 Domain (hcidoc .in) (malware.rules)
2068040 - ET MALWARE Observed DNS Query to APT36 Domain (coadelhi .in) (malware.rules)
2068041 - ET MALWARE Observed APT36 Domain (hcidoc .in in TLS SNI) (malware.rules)
2068042 - ET MALWARE Observed APT36 Domain (coadelhi .in in TLS SNI) (malware.rules)
2068043 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .grovecityhvacservices .com) (malware.rules)
2068044 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (login .craftyinkymagic .com) (malware.rules)
2068045 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (trofedi .top) (exploit_kit.rules)
2068046 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (trofedi .top) (exploit_kit.rules)
2068047 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ewar4pres .com) (exploit_kit.rules)
2068048 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (oriana84 .com) (exploit_kit.rules)
2068049 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ewar4pres .com) (exploit_kit.rules)
2068050 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (oriana84 .com) (exploit_kit.rules)
2068051 - ET HUNTING SupaServ Legitimate Traffic Impersonation (hunting.rules)
2068052 - ET HUNTING LuminousStealer Legitimate Traffic Impersonation (hunting.rules)
2068053 - ET INFO Email API Domain (resend .dev) in DNS Lookup (info.rules)
2068054 - ET INFO Observed Email API Domain (resend .dev in TLS SNI) (info.rules)
2068055 - ET MALWARE Observed DNS Query to DefendNot Domain (dnot .sh) (malware.rules)
2068056 - ET MALWARE Observed DefendNot Domain (dnot .sh in TLS SNI) (malware.rules)
2068057 - ET MALWARE DefendNot Installer User-Agent Observed (malware.rules)
2068058 - ET MALWARE DefendNot Installer Payload Request (malware.rules)
2068059 - ET MALWARE DefendNot Installer Script Inbound (malware.rules)

Pro:

2866474 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866475 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866476 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866477 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866478 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866479 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866480 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866481 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866482 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2866483 - ETPRO PHISHING Generic Dashboard Landing Page (phishing.rules)
2866484 - ETPRO MALWARE Observed DNS Query to UNK_TransparentTribe Payload Delivery Domain (malware.rules)
2866485 - ETPRO MALWARE Observed UNK_TransparentTribe Payload Delivery Domain in TLS SNI (malware.rules)
2866486 - ETPRO MALWARE UNK_TransparentTribe CnC Domain in DNS Lookup (malware.rules)
2866487 - ETPRO MALWARE Observed UNK_TransparentTribe CnC Domain in TLS SNI (malware.rules)
2866488 - ETPRO MALWARE UNK_TransparentTribe Payload Request (malware.rules)
2866489 - ETPRO HUNTING Javascript Obfuscation CharCode Loop Reconstruction (hunting.rules)

Modified inactive rules:

2044185 - ET PHISHING AWS Phishing Domain (aws1-console-login .us) in DNS Lookup (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/10/16 - v10721 Ruleset Updates	107	October 16, 2024
Ruleset Update Summary - 2026/03/09 - v11142 Ruleset Updates	46	March 9, 2026
Ruleset Update Summary - 2026/02/24 - v11133 Ruleset Updates	50	February 24, 2026
Ruleset Update Summary - 2025/08/04 - v10985 Ruleset Updates	88	August 4, 2025
Ruleset Update Summary - 2024/09/12 - v10688 Ruleset Updates	52	September 12, 2024

Ruleset Update Summary - 2026/03/06 - v11141

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics