Ruleset Update Summary - 2026/03/12 - v11145

rulesbot · March 12, 2026, 8:23pm

Summary:

34 new OPEN, 57 new PRO (34 + 23)

Thanks @HuntressLabs, @James_inthe_box

Added rules:

Open:

2068160 - ET EXPLOIT_KIT Coruna Stage 2 Implant Activity (exploit_kit.rules)
2068161 - ET EXPLOIT_KIT Coruna Stage 3 Implant Activity M1 (exploit_kit.rules)
2068162 - ET EXPLOIT_KIT Coruna Stage 3 Implant Activity M2 (exploit_kit.rules)
2068163 - ET MALWARE DemonHavoc CnC Activity (POST) M1 (malware.rules)
2068164 - ET MALWARE DemonHavoc CnC Activity (POST) M2 (malware.rules)
2068165 - ET MALWARE DemonHavoc CnC Activity (POST) M3 (malware.rules)
2068166 - ET MALWARE DemonHavoc CnC Activity (POST) M4 (malware.rules)
2068167 - ET MALWARE DemonHavoc CnC Activity (POST) M5 (malware.rules)
2068168 - ET MALWARE Observed DNS Query to DemonHavoc Domain (bongsebing .com) (malware.rules)
2068169 - ET MALWARE Observed DNS Query to DemonHavoc Domain (alatastro .com) (malware.rules)
2068170 - ET MALWARE Observed DNS Query to DemonHavoc Domain (egravy .com) (malware.rules)
2068171 - ET MALWARE Observed DNS Query to DemonHavoc Domain (arcupondepago .com) (malware.rules)
2068172 - ET MALWARE Observed DNS Query to DemonHavoc Domain (agricularly .com) (malware.rules)
2068173 - ET MALWARE Observed DNS Query to DemonHavoc Domain (bongsebing .com) (malware.rules)
2068174 - ET MALWARE Observed DNS Query to DemonHavoc Domain (afzarkara .com) (malware.rules)
2068175 - ET MALWARE Observed DemonHavoc Domain (alatastro .com in TLS SNI) (malware.rules)
2068176 - ET MALWARE Observed DemonHavoc Domain (egravy .com in TLS SNI) (malware.rules)
2068177 - ET MALWARE Observed DemonHavoc Domain (arcupondepago .com in TLS SNI) (malware.rules)
2068178 - ET MALWARE Observed DemonHavoc Domain (agricularly .com in TLS SNI) (malware.rules)
2068179 - ET MALWARE Observed DemonHavoc Domain (bongsebing .com in TLS SNI) (malware.rules)
2068180 - ET MALWARE Observed DemonHavoc Domain (afzarkara .com in TLS SNI) (malware.rules)
2068181 - ET MALWARE Sentinel Stealer Data Exfiltration Attempt (malware.rules)
2068182 - ET MALWARE Sentinel Stealer CnC Domain in DNS Lookup (teal-goat-784716 .hostingersite .com) (malware.rules)
2068183 - ET MALWARE Observed Sentinel Stealer Domain (teal-goat-784716 .hostingersite .com in TLS SNI) (malware.rules)
2068184 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (elenviel .com) (exploit_kit.rules)
2068185 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (elenviel .com) (exploit_kit.rules)
2068186 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (htypoer .top) (exploit_kit.rules)
2068187 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (htypoer .top) (exploit_kit.rules)
2068188 - ET INFO DYNAMIC_DNS Query to a *.gandurlog .com domain (info.rules)
2068189 - ET INFO DYNAMIC_DNS HTTP Request to a *.gandurlog .com domain (info.rules)
2068190 - ET INFO DYNAMIC_DNS Query to a *.muskaengsarl .com domain (info.rules)
2068191 - ET INFO DYNAMIC_DNS HTTP Request to a *.muskaengsarl .com domain (info.rules)
2068192 - ET INFO DYNAMIC_DNS Query to a *.polatoglumimarlik .com domain (info.rules)
2068193 - ET INFO DYNAMIC_DNS HTTP Request to a *.polatoglumimarlik .com domain (info.rules)

Pro:

2866498 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866499 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866500 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866501 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866502 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866503 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866504 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866505 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866506 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866507 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866508 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866509 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866510 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866511 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866512 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866513 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866514 - ETPRO MALWARE Observed DNS Query to TA395 Domain (malware.rules)
2866515 - ETPRO MALWARE Observed DNS Query to TA395 Domain (malware.rules)
2866516 - ETPRO MALWARE Observed TA395 Domain in TLS SNI (malware.rules)
2866517 - ETPRO MALWARE Observed TA395 Domain in TLS SNI (malware.rules)
2866518 - ETPRO PHISHING TA395 CnC Activity (POST) (phishing.rules)
2866519 - ETPRO PHISHING Observed TA395 Landing Page (phishing.rules)
2866520 - ETPRO PHISHING Observed TA395 Landing Page (phishing.rules)

Modified inactive rules:

2013059 - ET POLICY BitCoin (policy.rules)
2013318 - ET MALWARE Google Warning Infected Local User (malware.rules)
2802160 - ETPRO MALWARE Delf/Hupigon/PWS.Banker.54377 Checkin Response from Client (malware.rules)
2802913 - ETPRO MALWARE Backdoor.Nervos.A Response from Server (malware.rules)
2804040 - ETPRO MALWARE Trojan-Banker.Win32.Banbra Reporting via SMTP (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/08/21 - v10671 Ruleset Updates	156	August 21, 2024
Ruleset Update Summary - 2024/09/04 - v10681 Ruleset Updates	96	September 4, 2024
Ruleset Update Summary - 2025/11/05 - v11056 Ruleset Updates	175	November 5, 2025
Ruleset Update Summary - 2026/03/20 - v11154 Ruleset Updates	86	March 20, 2026
Ruleset Update Summary - 2026/03/11 - v11144 Ruleset Updates	63	March 11, 2026

Ruleset Update Summary - 2026/03/12 - v11145

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics