Ruleset Update Summary - 2026/03/23 - v11155

Ruleset Updates
1

Summary:

14 new OPEN, 32 new PRO (14 + 18)

Added rules:

Open:

  • 2068376 - ET INFO DYNAMIC_DNS Query to a *.nigelross .com domain (info.rules)
  • 2068377 - ET INFO DYNAMIC_DNS HTTP Request to a *.nigelross .com domain (info.rules)
  • 2068378 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (accessibledpzp .shop) (malware.rules)
  • 2068379 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (accessibledpzp .shop) in TLS SNI (malware.rules)
  • 2068380 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shitrba .click) (malware.rules)
  • 2068381 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shitrba .click) in TLS SNI (malware.rules)
  • 2068382 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (js-static .myhomeworxhandyman .com) (malware.rules)
  • 2068383 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (js-static .myhomeworxhandyman .com) (malware.rules)
  • 2068384 - ET INFO DYNAMIC_DNS Query to a *.geocen .org domain (info.rules)
  • 2068385 - ET INFO DYNAMIC_DNS HTTP Request to a *.geocen .org domain (info.rules)
  • 2068386 - ET INFO DYNAMIC_DNS Query to a *.issurroundedbyidiots .net domain (info.rules)
  • 2068387 - ET INFO DYNAMIC_DNS HTTP Request to a *.issurroundedbyidiots .net domain (info.rules)
  • 2068388 - ET INFO DYNAMIC_DNS Query to a *.vsltech .net domain (info.rules)
  • 2068389 - ET INFO DYNAMIC_DNS HTTP Request to a *.vsltech .net domain (info.rules)

Pro:

  • 2866688 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2866689 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866690 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866691 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866692 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866693 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866694 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866695 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866696 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866697 - ETPRO MALWARE ErrTraffic Landing Page Observed (malware.rules)
  • 2866698 - ETPRO MALWARE Observed DNS Query to ErrTraffic Landing Page Domain (malware.rules)
  • 2866699 - ETPRO MALWARE Observed DNS Query to ErrTraffic Landing Page Domain (malware.rules)
  • 2866700 - ETPRO MALWARE Observed DNS Query to ErrTraffic Landing Page Domain (malware.rules)
  • 2866701 - ETPRO MALWARE Observed DNS Query to ErrTraffic Landing Page Domain (malware.rules)
  • 2866702 - ETPRO MALWARE Observed ErrTraffic Landing Page Domain in TLS SNI (malware.rules)
  • 2866703 - ETPRO MALWARE Observed ErrTraffic Landing Page Domain in TLS SNI (malware.rules)
  • 2866704 - ETPRO MALWARE Observed ErrTraffic Landing Page Domain in TLS SNI (malware.rules)
  • 2866705 - ETPRO MALWARE Observed ErrTraffic Landing Page Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2002723 - ET POLICY MP3 File Transfer Inbound (policy.rules)
  • 2002734 - ET EXPLOIT WMF Exploit (exploit.rules)
  • 2003324 - ET P2P Edonkey Server Status (p2p.rules)
  • 2003444 - ET ADWARE_PUP Deskwizz.com Spyware Install Code Download (adware_pup.rules)
  • 2003676 - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt – mod_texte_index.php config pathMod (web_specific_apps.rules)
  • 2003911 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt – index.php form message (web_specific_apps.rules)
  • 2008743 - ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware (adware_pup.rules)
  • 2008901 - ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2011160 - ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt (web_server.rules)

Disabled and modified rules:

  • 2068347 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .baeinevand .eu .org) (malware.rules)
  • 2068348 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .baeinevand .eu .org) (malware.rules)