Ruleset Update Summary - 2026/03/26 - v11158

Ruleset Updates
1

Summary:

16 new OPEN, 22 new PRO (16 + 6)

Added rules:

Open:

  • 2068436 - ET HUNTING Fortigate Forticlient EMS Multi-Tennant Fingerprinting Attempt (hunting.rules)
  • 2068437 - ET INFO DYNAMIC_DNS Query to a *.divvyboard .com domain (info.rules)
  • 2068438 - ET INFO DYNAMIC_DNS HTTP Request to a *.divvyboard .com domain (info.rules)
  • 2068439 - ET INFO DYNAMIC_DNS Query to a *.vigorpm .com domain (info.rules)
  • 2068440 - ET INFO DYNAMIC_DNS HTTP Request to a *.vigorpm .com domain (info.rules)
  • 2068441 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effect-shake .cyou) (malware.rules)
  • 2068442 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (effect-shake .cyou) in TLS SNI (malware.rules)
  • 2068443 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fileforex .xyz) (malware.rules)
  • 2068444 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fileforex .xyz) in TLS SNI (malware.rules)
  • 2068445 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (horsvyz .cyou) (malware.rules)
  • 2068446 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (horsvyz .cyou) in TLS SNI (malware.rules)
  • 2068447 - ET WEB_SPECIFIC_APPS Fortigate Forticlient EMS HTTP Site Header SQL injection attempt (CVE-2026-21643) (web_specific_apps.rules)
  • 2068448 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (api-gw .nycwealth .com) (malware.rules)
  • 2068449 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (events .wealth-london .com) (malware.rules)
  • 2068450 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api-gw .nycwealth .com) (malware.rules)
  • 2068451 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (events .wealth-london .com) (malware.rules)

Pro:

  • 2866769 - ETPRO PHISHING Observed DNS Query to TA4903 Domain (phishing.rules)
  • 2866770 - ETPRO PHISHING Observed DNS Query to TA4903 Domain (phishing.rules)
  • 2866771 - ETPRO PHISHING Observed DNS Query to TA4903 Domain (phishing.rules)
  • 2866772 - ETPRO PHISHING Observed TA4903 Domain in TLS SNI (phishing.rules)
  • 2866773 - ETPRO PHISHING Observed TA4903 Domain in TLS SNI (phishing.rules)
  • 2866774 - ETPRO PHISHING Observed TA4903 Domain in TLS SNI (phishing.rules)