Ruleset Update Summary - 2026/03/17 - v11150

Ruleset Updates
1

Summary:

35 new OPEN, 66 new PRO (35 + 31)

Added rules:

Open:

  • 2068280 - ET MALWARE Katana Botnet CnC Domain in DNS Lookup (imsowiwiwiwiwi .com) (malware.rules)
  • 2068281 - ET MALWARE Katana Botnet CnC Domain in DNS Lookup (iloveyourweewee .bz) (malware.rules)
  • 2068282 - ET MALWARE Katana Botnet CnC Domain in DNS Lookup (okiloveyoupleasedonttouchme .net) (malware.rules)
  • 2068283 - ET MALWARE Katana Botnet CnC Domain in DNS Lookup (satyr .wtf) (malware.rules)
  • 2068284 - ET MALWARE Katana Botnet CnC Domain in DNS Lookup (thespacemachines .st) (malware.rules)
  • 2068285 - ET MALWARE Observed Katana Botnet Domain (imsowiwiwiwiwi .com in TLS SNI) (malware.rules)
  • 2068286 - ET MALWARE Observed Katana Botnet Domain (iloveyourweewee .bz in TLS SNI) (malware.rules)
  • 2068287 - ET MALWARE Observed Katana Botnet Domain (okiloveyoupleasedonttouchme .net in TLS SNI) (malware.rules)
  • 2068288 - ET MALWARE Observed Katana Botnet Domain (satyr .wtf in TLS SNI) (malware.rules)
  • 2068289 - ET MALWARE Observed Katana Botnet Domain (thespacemachines .st in TLS SNI) (malware.rules)
  • 2068290 - ET WEB_SPECIFIC_APPS Wing FTP Server Information Disclosure Attempt (CVE-2025-47813) (web_specific_apps.rules)
  • 2068291 - ET WEB_SPECIFIC_APPS Qwik Unauthenticated RCE via server$ Deserialization (CVE-2026-27971) (web_specific_apps.rules)
  • 2068292 - ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1 (web_specific_apps.rules)
  • 2068293 - ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M2 (web_specific_apps.rules)
  • 2068294 - ET MALWARE Observed ACR Stealer Domain (playtogga .com in TLS SNI) (malware.rules)
  • 2068295 - ET WEB_SPECIFIC_APPS TP-Link services-sync dev_name Parameter Command Injection Attempt (CVE-2026-0652) (web_specific_apps.rules)
  • 2068296 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ussbtv .com) (exploit_kit.rules)
  • 2068297 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ussbtv .com) (exploit_kit.rules)
  • 2068298 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (corp-ai .alifsemi .com) (malware.rules)
  • 2068299 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (ext-api .housedec .com) (malware.rules)
  • 2068300 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (corp-ai .alifsemi .com) (malware.rules)
  • 2068301 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (ext-api .housedec .com) (malware.rules)
  • 2068302 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (flatheadcat .com) (exploit_kit.rules)
  • 2068303 - ET EXPLOIT_KIT LandUpdate808 Domain (flatheadcat .com) in TLS SNI (exploit_kit.rules)
  • 2068304 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bulletforx .fun) (malware.rules)
  • 2068305 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bulletforx .fun) in TLS SNI (malware.rules)
  • 2068306 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (doooldues .pw) (malware.rules)
  • 2068307 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (doooldues .pw) in TLS SNI (malware.rules)
  • 2068308 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (labourcakefrt .fun) (malware.rules)
  • 2068309 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (labourcakefrt .fun) in TLS SNI (malware.rules)
  • 2068310 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (whangeeeerodpz .shop) (malware.rules)
  • 2068311 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (whangeeeerodpz .shop) in TLS SNI (malware.rules)
  • 2068312 - ET INFO Insecure Proxy Discovery via AWS Instance Metadata Retrieval M1 (info.rules)
  • 2068313 - ET INFO Insecure Proxy Discovery via AWS Instance Metadata Retrieval M2 (info.rules)
  • 2068314 - ET WEB_SPECIFIC_APPS FreePBX Recordings.class.php file Parameter Command Injection Attempt (CVE-2026-28287) (web_specific_apps.rules)

Pro:

  • 2866611 - ETPRO WEB_SPECIFIC_APPS Nginx-ui Key Disclosure via X-Backup-Security (CVE-2026-27944) (web_specific_apps.rules)
  • 2866612 - ETPRO PHISHING Observed DNS Query to Phishing Domain (phishing.rules)
  • 2866613 - ETPRO PHISHING Observed DNS Query to Phishing Domain (phishing.rules)
  • 2866614 - ETPRO PHISHING Observed Phishing Domain in TLS SNI (phishing.rules)
  • 2866615 - ETPRO PHISHING Observed Phishing Domain in TLS SNI (phishing.rules)
  • 2866616 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866617 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866618 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866619 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866620 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866621 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2866622 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2866623 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2866624 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2866625 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866626 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2866627 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866628 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2866629 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866630 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866631 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2866632 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866633 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866634 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866635 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866636 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866637 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866638 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2866639 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2866640 - ETPRO WEB_SPECIFIC_APPS Microsoft Exchange ProxyNotFound Pre-Auth SSRF/ACL Bypass (CVE-2021-28481) (web_specific_apps.rules)
  • 2866641 - ETPRO WEB_SPECIFIC_APPS Microsoft Exchange ProxyNotFound Pre-Auth SSRF/ACL Bypass (CVE-2021-28480) (web_specific_apps.rules)

Modified inactive rules:

  • 2017488 - ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass (exploit_kit.rules)
  • 2018623 - ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command) (malware.rules)
  • 2807155 - ETPRO MALWARE Win32/Spy.Banker.YSS sending data via SMTP (malware.rules)

Disabled and modified rules:

  • 2068173 - ET MALWARE Observed DNS Query to DemonHavoc Domain (bongsebing .com) (malware.rules)
  • 2862291 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)