Ruleset Update Summary - 2026/03/27 - v11159

Summary:

22 new OPEN, 32 new PRO (22 + 10)

Thanks @IntCyberDigest
Added rules:

Open:

  • 2068452 - ET MALWARE Observed Python Stealer User-Agent (WhatsAppBackup/1.0) Outbound (malware.rules)
  • 2068453 - ET MALWARE Observed DNS Query to TeamPCP litellm Suppy Chain Attack Domain (litellm .cloud) (malware.rules)
  • 2068454 - ET MALWARE Observed DNS Query to TeamPCP litellm Suppy Chain Attack Domain (checkmarx .zone) (malware.rules)
  • 2068455 - ET MALWARE Observed TeamPCP litellm Suppy Chain Attack Domain (litellm .cloud in TLS SNI) (malware.rules)
  • 2068456 - ET MALWARE Observed TeamPCP litellm Suppy Chain Attack Domain (checkmarx .zone in TLS SNI) (malware.rules)
  • 2068457 - ET MALWARE TeamPCP CnC Activity Observed (malware.rules)
  • 2068458 - ET INFO DYNAMIC_DNS Query to a *.myers-usa .com domain (info.rules)
  • 2068459 - ET INFO DYNAMIC_DNS HTTP Request to a *.myers-usa .com domain (info.rules)
  • 2068460 - ET INFO DYNAMIC_DNS Query to a *.imagetemplate .com domain (info.rules)
  • 2068461 - ET INFO DYNAMIC_DNS HTTP Request to a *.imagetemplate .com domain (info.rules)
  • 2068462 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flasrta .cyou) (malware.rules)
  • 2068463 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flasrta .cyou) in TLS SNI (malware.rules)
  • 2068464 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knittinprophec .pw) (malware.rules)
  • 2068465 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knittinprophec .pw) in TLS SNI (malware.rules)
  • 2068466 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undighh .cyou) (malware.rules)
  • 2068467 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undighh .cyou) in TLS SNI (malware.rules)
  • 2068468 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (qlorexa .top) (exploit_kit.rules)
  • 2068469 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (qlorexa .top) (exploit_kit.rules)
  • 2068470 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cl-api .israel-wealth .com) (malware.rules)
  • 2068471 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cl-api .israel-wealth .com) (malware.rules)
  • 2068472 - ET MALWARE TeamPCP litellm SuppyChain Attack Payload Request (Linux) (malware.rules)
  • 2068473 - ET MALWARE TeamPCP litellm SuppyChain Attack Payload Request (Windows) (malware.rules)

Pro:

  • 2866775 - ETPRO PHISHING Observed DNS Query Phishing Domain (phishing.rules)
  • 2866776 - ETPRO PHISHING Observed Phishing Domain (In TLS SNI) (phishing.rules)
  • 2866777 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866778 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866779 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866780 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866781 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866782 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866783 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866784 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2068392 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (breitonghoul .top) (exploit_kit.rules)
  • 2068393 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (breitonghoul .top) (exploit_kit.rules)