Ruleset Update Summary - 2026/03/24 - v11156

Ruleset Updates
1

Summary:

22 new OPEN, 37 new PRO (22 + 15)

Thanks @netskope

Added rules:

Open:

  • 2068390 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (img3-se .exathomessellmyhometennessee .com) (malware.rules)
  • 2068391 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (img3-se .exathomessellmyhometennessee .com) (malware.rules)
  • 2068392 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (breitonghoul .top) (exploit_kit.rules)
  • 2068393 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (breitonghoul .top) (exploit_kit.rules)
  • 2068394 - ET INFO DYNAMIC_DNS Query to a *.zhunzi .com domain (info.rules)
  • 2068395 - ET INFO DYNAMIC_DNS HTTP Request to a *.zhunzi .com domain (info.rules)
  • 2068396 - ET INFO DYNAMIC_DNS Query to a *.evaandering .com domain (info.rules)
  • 2068397 - ET INFO DYNAMIC_DNS HTTP Request to a *.evaandering .com domain (info.rules)
  • 2068398 - ET INFO DYNAMIC_DNS Query to a *.alexanderthegreater .com domain (info.rules)
  • 2068399 - ET INFO DYNAMIC_DNS HTTP Request to a *.alexanderthegreater .com domain (info.rules)
  • 2068400 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arrogantcatfishef .pw) (malware.rules)
  • 2068401 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (arrogantcatfishef .pw) in TLS SNI (malware.rules)
  • 2068402 - ET HUNTING Detect iPhone or MacOS Device and Force Safari Usage (hunting.rules)
  • 2068403 - ET MALWARE DarkSword C2 Landing Page (malware.rules)
  • 2068404 - ET MALWARE ScreenConnect Installer Request via PowerShell (malware.rules)
  • 2068405 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (mail-srv .com) (malware.rules)
  • 2068406 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (harnivo .cfd) (malware.rules)
  • 2068407 - ET MALWARE Observed RMM Payload Delivery Domain (mail-srv .com in TLS SNI) (malware.rules)
  • 2068408 - ET MALWARE Observed RMM Payload Delivery Domain (harnivo .cfd in TLS SNI) (malware.rules)
  • 2068409 - ET MALWARE RMM Payload Delivery Behvaior Observed in HTTP Cookies (malware.rules)
  • 2068410 - ET MALWARE Observed Fake Google Meet Page (malware.rules)
  • 2068411 - ET HUNTING VibeCoded MSI Installer VBS Script Inbound (hunting.rules)

Pro:

  • 2866706 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866707 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866708 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866709 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866710 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866711 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866712 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
  • 2866713 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866714 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866715 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866716 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866717 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866718 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866719 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
  • 2866720 - ETPRO EXPLOIT_KIT DarkSword iOS EK Worker Redirect (exploit_kit.rules)