Ruleset Update Summary - 2026/03/11 - v11144

Ruleset Updates
1

Summary:

17 new OPEN, 23 new PRO (17 + 6)

Added rules:

Open:

  • 2068143 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .theuppercrafteroom .com) (malware.rules)
  • 2068144 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .theuppercrafteroom .com) (malware.rules)
  • 2068145 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mantaina .com) (exploit_kit.rules)
  • 2068146 - ET EXPLOIT_KIT LandUpdate808 Domain (mantaina .com) in TLS SNI (exploit_kit.rules)
  • 2068147 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (skrumchus .com) (exploit_kit.rules)
  • 2068148 - ET EXPLOIT_KIT LandUpdate808 Domain (skrumchus .com) in TLS SNI (exploit_kit.rules)
  • 2068149 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brocaez .club) (malware.rules)
  • 2068150 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brocaez .club) in TLS SNI (malware.rules)
  • 2068151 - ET WEB_SPECIFIC_APPS H3C aaa_portal_auth_local_submit suffix Parameter Command Injection Attempt (CVE-2026-3943) (web_specific_apps.rules)
  • 2068152 - ET WEB_SPECIFIC_APPS ComFast mbox-config ping_config destination Parameter Command Injection Attempt (CVE-2026-3798, CVE-2026-2824) (web_specific_apps.rules)
  • 2068153 - ET WEB_SPECIFIC_APPS ComFast mbox-config ntp_timezone timestr Parameter Command Injection Attempt (CVE-2026-2823, CVE-2026-2537) (web_specific_apps.rules)
  • 2068154 - ET WEB_SPECIFIC_APPS ComFast mbox-config wireless_device_dissoc mac Parameter Command Injection Attempt (CVE-2025-9586) (web_specific_apps.rules)
  • 2068155 - ET WEB_SPECIFIC_APPS ComFast mbox-config update_interface_png Multiple Parameters Command Injection Attempt (CVE-2025-9584) (web_specific_apps.rules)
  • 2068156 - ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_bandwidth bandwidth Parameter Command Injection Attempt (CVE-2026-2534) (web_specific_apps.rules)
  • 2068157 - ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_channel channel Parameter Command Injection Attempt (CVE-2026-2535) (web_specific_apps.rules)
  • 2068158 - ET WEB_SPECIFIC_APPS Netgear unlock3G.cgi key Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2068159 - ET WEB_SPECIFIC_APPS Totolink disconnectVPN pid Parameter Command Injection Attempt (CVE-2024-34921, CVE-2023-29803) (web_specific_apps.rules)

Pro:

  • 2866492 - ETPRO PHISHING TA453 GET Landing Page Resources (phishing.rules)
  • 2866493 - ETPRO MALWARE VEX Stealer New Victim Checkin via Telegram (malware.rules)
  • 2866494 - ETPRO MALWARE VEX Stealer CnC Response via Telegram (malware.rules)
  • 2866495 - ETPRO PHISHING Observed DNS Query to Tycoon 2FA Domain (phishing.rules)
  • 2866496 - ETPRO PHISHING Observed Tycoon2FA Domain in TLS SNI (phishing.rules)
  • 2866497 - ETPRO MALWARE Observed Tycoon2FA Landing Page (malware.rules)

Modified inactive rules:

  • 2012256 - ET SHELLCODE Common 0c0c0c0c Heap Spray String (shellcode.rules)
  • 2100259 - GPL DNS named overflow ADM (dns.rules)
  • 2800438 - ETPRO EXPLOIT IBM Director CIM Server Consumer Name Handling Denial of Service 2 (exploit.rules)
  • 2800869 - ETPRO EXPLOIT Microsoft Office PowerPoint Download Verification (exploit.rules)
  • 2801201 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x47 (exploit.rules)