Ruleset Update Summary - 2026/04/01 - v11162

rulesbot · April 1, 2026, 9:13pm

Summary:

28 new OPEN, 29 new PRO (28 + 1)

Thanks @n0pth

Added rules:

Open:

2068501 - ET MALWARE Observed DNS Query to Crpx0 Ransomware Domain (malware.rules)
2068502 - ET MALWARE Observed Crpx0 Ransomware Domain in TLS SNI (malware.rules)
2068503 - ET MALWARE Crpx0 Ransomware Payload Request M1 (malware.rules)
2068504 - ET MALWARE Crpx0 Ransomware Payload Request M2 (malware.rules)
2068505 - ET MALWARE Crpx0 Ransomware Payload Request M3 (malware.rules)
2068506 - ET MALWARE Crpx0 Ransomware Payload Request M4 (malware.rules)
2068507 - ET MALWARE Crpx0 Ransomware Payload Inbound M1 (malware.rules)
2068508 - ET MALWARE Crpx0 Ransomware Payload Inbound M2 (malware.rules)
2068509 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drywabq .qpon) (malware.rules)
2068510 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drywabq .qpon) in TLS SNI (malware.rules)
2068511 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (idespeh .cyou) (malware.rules)
2068512 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (idespeh .cyou) in TLS SNI (malware.rules)
2068513 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surprql .cyou) (malware.rules)
2068514 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (surprql .cyou) in TLS SNI (malware.rules)
2068515 - ET MALWARE plain-crypto-js RAT C2 Domain in DNS Lookup (sfrclak .com) (malware.rules)
2068516 - ET MALWARE plain-crypto-js RAT C2 Domain in DNS Lookup (callnrwise .com) (malware.rules)
2068517 - ET MALWARE plain-crypto-js RAT C2 Domain in DNS Lookup (hwsrv-1320779.hostwindsdns .com) (malware.rules)
2068518 - ET MALWARE plain-crypto-js RAT Stage 2 C2 Outbound Request (malware.rules)
2068519 - ET MALWARE plain-crypto-js RAT Stage 1 C2 Outbound Request (malware.rules)
2068520 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (js-slide .gcforkcg .com) (malware.rules)
2068521 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (js-slide .gcforkcg .com) (malware.rules)
2068522 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tirqavem .top) (exploit_kit.rules)
2068523 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tirqavem .top) (exploit_kit.rules)
2068524 - ET MALWARE UNK_MonkeyWrench Payload Request (malware.rules)
2068525 - ET MALWARE Observed DNS Query to UNK_MonkeyWrench Domain (market-place .work) (malware.rules)
2068526 - ET MALWARE Observed UNK_MonkeyWrench Domain (market-place .work in TLS SNI) (malware.rules)
2068527 - ET MALWARE UNK_MonkeyWrench Exfil via SMTP (malware.rules)
2068528 - ET ADWARE_PUP Niagara Software Update Check (adware_pup.rules)

Pro:

2866905 - ETPRO MALWARE PhantomStealer Initial CnC Checkin via Telegram (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/05/03 - v10589 Ruleset Updates	282	May 3, 2024
Ruleset Update Summary - 2026/03/27 - v11159 Ruleset Updates	74	March 27, 2026
Ruleset Update Summary - 2024/05/15 - v10596 Ruleset Updates	198	May 15, 2024
Ruleset Update Summary - 2025/05/02 - v10919 Ruleset Updates	127	May 2, 2025
Ruleset Update Summary - 2023/12/01 - v10477 Ruleset Updates	305	December 1, 2023

Ruleset Update Summary - 2026/04/01 - v11162

Summary:

Added rules:

Open:

Pro:

Related topics