Ruleset Update Summary - 2026/03/25 - v11157

rulesbot · March 25, 2026, 8:27pm

Summary:

24 new OPEN, 72 new PRO (24 + 48)

Thanks @anyrun_app, @PushSecurity

Added rules:

Open:

2068412 - ET MALWARE TA416 PlugX CnC Activity (GET) (malware.rules)
2068413 - ET MALWARE TA416 PlugX CnC Activity (GET) (malware.rules)
2068414 - ET MALWARE TA416 PlugX CnC Activity (POST) (malware.rules)
2068415 - ET EXPLOIT Telnet SLC Option Data Buffer Overflow Attempt (CVE-2026-32746) (exploit.rules)
2068416 - ET INFO DYNAMIC_DNS Query to a *.shankillweather .com domain (info.rules)
2068417 - ET INFO DYNAMIC_DNS HTTP Request to a *.shankillweather .com domain (info.rules)
2068418 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (batdunya .com) (exploit_kit.rules)
2068419 - ET EXPLOIT_KIT LandUpdate808 Domain (batdunya .com) in TLS SNI (exploit_kit.rules)
2068420 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (corruptioncrackywosp .shop) (malware.rules)
2068421 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (corruptioncrackywosp .shop) in TLS SNI (malware.rules)
2068422 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (equilmm .click) (malware.rules)
2068423 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (equilmm .click) in TLS SNI (malware.rules)
2068424 - ET INFO Networking Tunneling Service Domain (gsocket .io) in DNS Lookup (info.rules)
2068425 - ET INFO Observed Networking Tunneling Service Domain (gsocket .io in TLS SNI) (info.rules)
2068426 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (posertret .top) (exploit_kit.rules)
2068427 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vcdggsfw .top) (exploit_kit.rules)
2068428 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vorqeni .top) (exploit_kit.rules)
2068429 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (posertret .top) (exploit_kit.rules)
2068430 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vcdggsfw .top) (exploit_kit.rules)
2068431 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vorqeni .top) (exploit_kit.rules)
2068432 - ET MALWARE InstallFix MacOS CnC Activity M1 (malware.rules)
2068433 - ET MALWARE InstallFix MacOS CnC Activity M2 (malware.rules)
2068434 - ET MALWARE InstallFix MacOS CnC Activity M3 (malware.rules)
2068435 - ET ATTACK_RESPONSE InstallFix MacOS Payload Inbound (attack_response.rules)

Pro:

2866721 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866722 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866723 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866724 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866725 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866726 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866727 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866728 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866729 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866730 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866731 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866732 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866733 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866734 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866735 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866736 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866737 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866738 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866739 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866740 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866741 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866742 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866743 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866744 - ETPRO PHISHING UNK_SmokeScreen Domain in DNS Lookup (phishing.rules)
2866745 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866746 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866747 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866748 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866749 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866750 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866751 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866752 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866753 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866754 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866755 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866756 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866757 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866758 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866759 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866760 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866761 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866762 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866763 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866764 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866765 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866766 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866767 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)
2866768 - ETPRO PHISHING Observed UNK_SmokeScreen Domain in TLS SNI (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/03/11 - v11144 Ruleset Updates	57	March 11, 2026
Ruleset Update Summary - 2026/03/20 - v11154 Ruleset Updates	80	March 20, 2026
Ruleset Update Summary - 2026/02/25 - v11134 Ruleset Updates	95	February 25, 2026
Ruleset Update Summary - 2026/02/13 - v11125 Ruleset Updates	105	February 13, 2026
Ruleset Update Summary - 2026/02/03 - v11117 Ruleset Updates	80	February 3, 2026

Ruleset Update Summary - 2026/03/25 - v11157

Summary:

Added rules:

Open:

Pro:

Related topics