Ruleset Update Summary - 2026/03/19 - v11153

rulesbot · March 19, 2026, 9:11pm

Summary:

25 new OPEN, 42 new PRO (25 + 17)

Added rules:

Open:

2068334 - ET ADWARE_PUP Activity Monitoring/Keylogger Software Domain in DNS Lookup (refog .com) (adware_pup.rules)
2068335 - ET ADWARE_PUP Activity Monitoring/Keylogger Software Domain in DNS Lookup (mipko .ru) (adware_pup.rules)
2068336 - ET ADWARE_PUP Observed Activity Monitoring/Keylogger Domain (refog .com in TLS SNI) (adware_pup.rules)
2068337 - ET ADWARE_PUP Observed Activity Monitoring/Keylogger Domain (mipko .ru in TLS SNI) (adware_pup.rules)
2068338 - ET MALWARE UNK_MonkeyWrench CnC Domain in DNS Lookup (aviator-check .online) (malware.rules)
2068339 - ET MALWARE Observed UNK_MonkeyWrench Domain (aviator-check .online in TLS SNI) (malware.rules)
2068340 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (treidoveir .top) (exploit_kit.rules)
2068341 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (treidoveir .top) (exploit_kit.rules)
2068342 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aawbi .com) (exploit_kit.rules)
2068343 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (aawbi .com) (exploit_kit.rules)
2068344 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .baeinevand .eu .org) (malware.rules)
2068345 - ET MALWARE UNK_MonkeyWrench Payload Retrieval attempt (malware.rules)
2068346 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .baeinevand .eu .org) (malware.rules)
2068347 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .baeinevand .eu .org) (malware.rules)
2068348 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .baeinevand .eu .org) (malware.rules)
2068349 - ET INFO DYNAMIC_DNS Query to a *.anthonythompson .net domain (info.rules)
2068350 - ET INFO DYNAMIC_DNS HTTP Request to a *.anthonythompson .net domain (info.rules)
2068351 - ET INFO DYNAMIC_DNS Query to a *.casepractice .com domain (info.rules)
2068352 - ET INFO DYNAMIC_DNS HTTP Request to a *.casepractice .com domain (info.rules)
2068353 - ET INFO DYNAMIC_DNS Query to a *.s4r4 .com domain (info.rules)
2068354 - ET INFO DYNAMIC_DNS HTTP Request to a *.s4r4 .com domain (info.rules)
2068355 - ET INFO DYNAMIC_DNS Query to a *.sotna .org domain (info.rules)
2068356 - ET INFO DYNAMIC_DNS HTTP Request to a *.sotna .org domain (info.rules)
2068357 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genuscs .cyou) (malware.rules)
2068358 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genuscs .cyou) in TLS SNI (malware.rules)

Pro:

2866653 - ETPRO MALWARE Observed DNS Query to TA569 Gholoader Landing Page Domain (malware.rules)
2866654 - ETPRO MALWARE Observed TA569 Gholoader Landing Page Domain in TLS SNI (malware.rules)
2866655 - ETPRO MALWARE Observed DNS Query to TA569 Gholoader Domain (malware.rules)
2866656 - ETPRO MALWARE Observed TA569 Gholoader Domain in TLS SNI (malware.rules)
2866657 - ETPRO MALWARE TA569 Gholoader CnC Activity (POST) (malware.rules)
2866658 - ETPRO MALWARE TA569 Gholoader CnC Activity (POST) (malware.rules)
2866659 - ETPRO MALWARE TA569 Gholoader Javascript Payload Inbound (malware.rules)
2866660 - ETPRO MALWARE TA569 Gholoader Javascript Payload Inbound (malware.rules)
2866661 - ETPRO MALWARE TA569 Gholoader Javascript Payload Inbound (malware.rules)
2866662 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866663 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2866664 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866665 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866666 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2866667 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2866668 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866669 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2068296 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ussbtv .com) (exploit_kit.rules)
2068297 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ussbtv .com) (exploit_kit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	356	March 25, 2024
Ruleset Update Summary - 2025/11/12 - v11061 Ruleset Updates	96	November 12, 2025
Ruleset Update Summary - 2025/09/24 - v11023 Ruleset Updates	74	September 24, 2025
Ruleset Update Summary - 2025/08/06 - v10987 Ruleset Updates	95	August 6, 2025
Ruleset Update Summary - 2026/03/11 - v11144 Ruleset Updates	63	March 11, 2026

Ruleset Update Summary - 2026/03/19 - v11153

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics