Ruleset Update Summary - 2026/03/16 - v11149

rulesbot · March 16, 2026, 9:27pm

Summary:

51 new OPEN, 137 new PRO (51 + 86)

Added rules:

Open:

2068229 - ET HUNTING Dropbox Hosted PDF with an Encoded Filename (hunting.rules)
2068230 - ET PHISHING UNK_NightOwl Domain in DNS Lookup (1drvms .store) (phishing.rules)
2068231 - ET PHISHING UNK_NightOwl Domain in TLS SNI (1drvms .store) (phishing.rules)
2068232 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mexicwc .biz) (malware.rules)
2068233 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mexicwc .biz) in TLS SNI (malware.rules)
2068234 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oxceansounds .digital) (malware.rules)
2068235 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oxceansounds .digital) in TLS SNI (malware.rules)
2068236 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bytecloudasa .website) (malware.rules)
2068237 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bytecloudasa .website) in TLS SNI (malware.rules)
2068238 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (casioblue .pw) (malware.rules)
2068239 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (casioblue .pw) in TLS SNI (malware.rules)
2068240 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (choserowboatfly .fun) (malware.rules)
2068241 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (choserowboatfly .fun) in TLS SNI (malware.rules)
2068242 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (doonwload .fun) (malware.rules)
2068243 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (doonwload .fun) in TLS SNI (malware.rules)
2068244 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (firearmsfe .live) (malware.rules)
2068245 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (firearmsfe .live) in TLS SNI (malware.rules)
2068246 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fxreshideas .tech) (malware.rules)
2068247 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fxreshideas .tech) in TLS SNI (malware.rules)
2068248 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hawsteamjoak .fun) (malware.rules)
2068249 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hawsteamjoak .fun) in TLS SNI (malware.rules)
2068250 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ironproe .live) (malware.rules)
2068251 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ironproe .live) in TLS SNI (malware.rules)
2068252 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mafnufacut .cyou) (malware.rules)
2068253 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mafnufacut .cyou) in TLS SNI (malware.rules)
2068254 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (makeexpectentrypon .pw) (malware.rules)
2068255 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (makeexpectentrypon .pw) in TLS SNI (malware.rules)
2068256 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mambergame .fun) (malware.rules)
2068257 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mambergame .fun) in TLS SNI (malware.rules)
2068258 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mazerah .fun) (malware.rules)
2068259 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mazerah .fun) in TLS SNI (malware.rules)
2068260 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mouseblock .pw) (malware.rules)
2068261 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mouseblock .pw) in TLS SNI (malware.rules)
2068262 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (netovrema .pw) (malware.rules)
2068263 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (netovrema .pw) in TLS SNI (malware.rules)
2068264 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (temoolda .pw) (malware.rules)
2068265 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (temoolda .pw) in TLS SNI (malware.rules)
2068266 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thuspulllig .fun) (malware.rules)
2068267 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thuspulllig .fun) in TLS SNI (malware.rules)
2068268 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weaselplacerif .fun) (malware.rules)
2068269 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weaselplacerif .fun) in TLS SNI (malware.rules)
2068270 - ET INFO DYNAMIC_DNS Query to a *.oglesbypm .com domain (info.rules)
2068271 - ET INFO DYNAMIC_DNS HTTP Request to a *.oglesbypm .com domain (info.rules)
2068272 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allcentrlizeqweq .fun) (malware.rules)
2068273 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (allcentrlizeqweq .fun) in TLS SNI (malware.rules)
2068274 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (followw .cyou) (malware.rules)
2068275 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (followw .cyou) in TLS SNI (malware.rules)
2068276 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ussbtv .com) (exploit_kit.rules)
2068277 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ussbtv .com) (exploit_kit.rules)
2068278 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (js-pre .letsgoautomotive .com) (malware.rules)
2068279 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (js-pre .letsgoautomotive .com) (malware.rules)

Pro:

2866525 - ETPRO MALWARE DoHDoor Backdoor GET Request for Loader (malware.rules)
2866526 - ETPRO MALWARE DoHDoor Backdoor CnC Checkin (malware.rules)
2866527 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866528 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866529 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866530 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866531 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866532 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866533 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866534 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866535 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866536 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866537 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866538 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866539 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866540 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866541 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866542 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866543 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866544 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866545 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866546 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866547 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866548 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866549 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866550 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866551 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866552 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866553 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866554 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866555 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866556 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866557 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866558 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866559 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866560 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866561 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866562 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866563 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866564 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866565 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866566 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866567 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866568 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866569 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866570 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866571 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866572 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866573 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866574 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866575 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2866576 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2866577 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866578 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866579 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866580 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866581 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866582 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866583 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866584 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866585 - ETPRO MALWARE Observed DNS Query to TA2726 Domain (malware.rules)
2866586 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866587 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866588 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866589 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866590 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866591 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866592 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866593 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866594 - ETPRO MALWARE Observed TA2726 Domain in TLS SNI (malware.rules)
2866595 - ETPRO MALWARE LOTUSLITE CnC Connectivity Check (POST) M2 (malware.rules)
2866596 - ETPRO EXPLOIT Windows Shell Link Processing Spoofing (CVE-2026-25185) M1 (exploit.rules)
2866597 - ETPRO EXPLOIT Windows Shell Link Processing Spoofing (CVE-2026-25185) M2 (exploit.rules)
2866598 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866599 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866600 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866601 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866602 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866603 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866604 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866605 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2866606 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2866607 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2866608 - ETPRO PHISHING Obfuscated Generic Javascript Loader (phishing.rules)
2866609 - ETPRO EXPLOIT Malformed ZIP headers (Zombie ZIP) File Inbound (exploit.rules)
2866610 - ETPRO PHISHING Successful Generic Credential Exfil 2026-03-16 (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/06/02 - v10938 Ruleset Updates	152	June 2, 2025
Ruleset Update Summary - 2025/05/27 - v10934 Ruleset Updates	137	May 27, 2025
Ruleset Update Summary - 2024/11/18 - v10744 Ruleset Updates	118	November 18, 2024
Ruleset Update Summary - 2026/02/16 - v11126 Ruleset Updates	147	February 16, 2026
Ruleset Update Summary - 2025/09/22 - v11021 Ruleset Updates	180	September 22, 2025

Ruleset Update Summary - 2026/03/16 - v11149

Summary:

Added rules:

Open:

Pro:

Related topics