Ruleset Update Summary - 2026/04/03 - v11164

rulesbot · April 3, 2026, 8:22pm

Summary:

38 new OPEN, 40 new PRO (38 + 2)

Thanks SonnyYeung

Added rules:

Open:

2068548 - ET INFO Observed Tactical RMM in DNS Lookup (icanhazip .tacticalrmm .io) (info.rules)
2068549 - ET INFO Observed Tactical RMM in TLS SNI (icanhazip .tacticalrmm .io) (info.rules)
2068550 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (qerunvax .top) (exploit_kit.rules)
2068551 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (qerunvax .top) (exploit_kit.rules)
2068552 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (present .pcohenlaw .com) (malware.rules)
2068553 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (present .pcohenlaw .com) (malware.rules)
2068554 - ET INFO DYNAMIC_DNS Query to a *.banghers .com domain (info.rules)
2068555 - ET INFO DYNAMIC_DNS HTTP Request to a *.banghers .com domain (info.rules)
2068556 - ET INFO DYNAMIC_DNS Query to a *.ortonavarro .com domain (info.rules)
2068557 - ET INFO DYNAMIC_DNS HTTP Request to a *.ortonavarro .com domain (info.rules)
2068558 - ET INFO DYNAMIC_DNS Query to a *.fgandur .com domain (info.rules)
2068559 - ET INFO DYNAMIC_DNS HTTP Request to a *.fgandur .com domain (info.rules)
2068560 - ET INFO DYNAMIC_DNS Query to a *.sphericjourney .com domain (info.rules)
2068561 - ET INFO DYNAMIC_DNS HTTP Request to a *.sphericjourney .com domain (info.rules)
2068562 - ET INFO DYNAMIC_DNS Query to a *.suburbanprecision .com domain (info.rules)
2068563 - ET INFO DYNAMIC_DNS HTTP Request to a *.suburbanprecision .com domain (info.rules)
2068564 - ET INFO DYNAMIC_DNS Query to a *.krazycraig .com domain (info.rules)
2068565 - ET INFO DYNAMIC_DNS HTTP Request to a *.krazycraig .com domain (info.rules)
2068566 - ET INFO DYNAMIC_DNS Query to a *.armeniaincentives .com domain (info.rules)
2068567 - ET INFO DYNAMIC_DNS HTTP Request to a *.armeniaincentives .com domain (info.rules)
2068568 - ET INFO DYNAMIC_DNS Query to a *.whitesmurf .com domain (info.rules)
2068569 - ET INFO DYNAMIC_DNS HTTP Request to a *.whitesmurf .com domain (info.rules)
2068570 - ET INFO DYNAMIC_DNS Query to a *.kwgranitecountertops .com domain (info.rules)
2068571 - ET INFO DYNAMIC_DNS HTTP Request to a *.kwgranitecountertops .com domain (info.rules)
2068572 - ET INFO DYNAMIC_DNS Query to a *.rusticrivergear .com domain (info.rules)
2068573 - ET INFO DYNAMIC_DNS HTTP Request to a *.rusticrivergear .com domain (info.rules)
2068574 - ET INFO DYNAMIC_DNS Query to a *.onesouthbeach .com domain (info.rules)
2068575 - ET INFO DYNAMIC_DNS HTTP Request to a *.onesouthbeach .com domain (info.rules)
2068576 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (centegn .cyou) (malware.rules)
2068577 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (centegn .cyou) in TLS SNI (malware.rules)
2068578 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightef .cyou) (malware.rules)
2068579 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lightef .cyou) in TLS SNI (malware.rules)
2068580 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (magnificwo .store) (malware.rules)
2068581 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (magnificwo .store) in TLS SNI (malware.rules)
2068582 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (clou-dprotect .com) (exploit_kit.rules)
2068583 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (dcdivas .com) (exploit_kit.rules)
2068584 - ET EXPLOIT_KIT Observed ClickFix Domain (clou-dprotect .com in TLS SNI) (exploit_kit.rules)
2068585 - ET EXPLOIT_KIT Observed ClickFix Domain (dcdivas .com in TLS SNI) (exploit_kit.rules)

Pro:

2866930 - ETPRO EXPLOIT_KIT Observed ClickFix Landing Page (exploit_kit.rules)
2866931 - ETPRO EXPLOIT_KIT Observed ClickFix Landing Page JavaScript Resource (exploit_kit.rules)

Disabled and modified rules:

2866810 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2866814 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2866819 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2866824 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2866826 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/12/24 - v10816 Ruleset Updates	93	December 24, 2024
Ruleset Update Summary - 2024/08/12 - v10664 Ruleset Updates	95	August 12, 2024
Ruleset Update Summary - 2026/02/12 - v11124 Ruleset Updates	43	February 12, 2026
Ruleset Update Summary - 2026/03/06 - v11141 Ruleset Updates	99	March 6, 2026
Ruleset Update Summary - 2026/04/13 - v11170 Ruleset Updates	37	April 13, 2026

Ruleset Update Summary - 2026/04/03 - v11164

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics