Ruleset Update Summary - 2026/04/08 - v11167

Summary:

35 new OPEN, 45 new PRO (35 + 10)


Added rules:

Open:

  • 2068628 - ET PHISHING Generic Device Code Landing Page 2026-04-07 (phishing.rules)
  • 2068629 - ET PHISHING EvilTokens Fetch Valid user_code from Microsoft API (phishing.rules)
  • 2068630 - ET PHISHING EvilTokens Poll for user_code Authentication Status (phishing.rules)
  • 2068631 - ET WEB_SPECIFIC_APPS Citrix Netscaler SAML IDP Memory Overread (CVE-2026-3055) M1 (web_specific_apps.rules)
  • 2068632 - ET WEB_SPECIFIC_APPS Citrix Netscaler SAML IDP Memory Overread (CVE-2026-3055) M2 (web_specific_apps.rules)
  • 2068633 - ET WEB_SPECIFIC_APPS Citrix Netscaler SAML IDP Memory Overread - NSC_TASS Cookie Response (CVE-2026-3055) (web_specific_apps.rules)
  • 2068634 - ET WEB_SPECIFIC_APPS Apache ActiveMQ Jolokia addNetworkConnector Remote Code Execution Attempt (CVE-2026-34197) (web_specific_apps.rules)
  • 2068635 - ET HUNTING MethodInvokingFactoryBean java.lang.Runtime getRuntime exec method XML Payload Request - Possible Remote Code Execution Attempt (hunting.rules)
  • 2068636 - ET INFO Free Hosting Domain in DNS Lookup (leapcell .dev) (info.rules)
  • 2068637 - ET INFO Free Hosting Domain in DNS Lookup (b4a .io) (info.rules)
  • 2068638 - ET INFO Free Hosting Domain in DNS Lookup (b4a .app) (info.rules)
  • 2068639 - ET INFO Free Hosting Domain in DNS Lookup (leapcell .app) (info.rules)
  • 2068640 - ET INFO Observed Free Hosting Domain (leapcell .dev in TLS SNI) (info.rules)
  • 2068641 - ET INFO Observed Free Hosting Domain (b4a .io in TLS SNI) (info.rules)
  • 2068642 - ET INFO Observed Free Hosting Domain (b4a .app in TLS SNI) (info.rules)
  • 2068643 - ET INFO Observed Free Hosting Domain (leapcell .app in TLS SNI) (info.rules)
  • 2068644 - ET INFO DYNAMIC_DNS Query to a *.modburypress .com .au domain (info.rules)
  • 2068645 - ET INFO DYNAMIC_DNS HTTP Request to a *.modburypress .com .au domain (info.rules)
  • 2068646 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (certif .cyou) (malware.rules)
  • 2068647 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (certif .cyou) in TLS SNI (malware.rules)
  • 2068648 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navalc .cyou) (malware.rules)
  • 2068649 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (navalc .cyou) in TLS SNI (malware.rules)
  • 2068650 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pashtu .cyou) (malware.rules)
  • 2068651 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pashtu .cyou) in TLS SNI (malware.rules)
  • 2068652 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (polecy .cyou) (malware.rules)
  • 2068653 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (polecy .cyou) in TLS SNI (malware.rules)
  • 2068654 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (smeltd .cyou) (malware.rules)
  • 2068655 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (smeltd .cyou) in TLS SNI (malware.rules)
  • 2068656 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (zixxalor .top) (exploit_kit.rules)
  • 2068657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (zixxalor .top) (exploit_kit.rules)
  • 2068658 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (compat .plenarykcg .com) (malware.rules)
  • 2068659 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (compat .plenarykcg .com) (malware.rules)
  • 2068660 - ET MALWARE TORG Grabber User-Agent Observed (grabber/1.0) (malware.rules)
  • 2068661 - ET MALWARE Observed DNS Query to TORG Grabber Domain (attackzombie .com) (malware.rules)
  • 2068662 - ET MALWARE Observed TORG Grabber Domain (attackzombie .com in TLS SNI) (malware.rules)

Pro:

  • 2867016 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867017 - ETPRO MALWARE TORG Grabber CnC Activity (Ping) (malware.rules)
  • 2867018 - ETPRO MALWARE TORG Grabber CnC Activity (Auth) (malware.rules)
  • 2867019 - ETPRO MALWARE TORG Grabber Initialize Victim Exfil (malware.rules)
  • 2867020 - ETPRO MALWARE TORG Grabber Exfil Confirmation from C2 Server (malware.rules)
  • 2867021 - ETPRO MALWARE TORG Grabber Victim Chunk Exfil (malware.rules)
  • 2867022 - ETPRO MALWARE TORG Grabber Next Chunk Instruction (malware.rules)
  • 2867023 - ETPRO MALWARE TORG Grabber Victim Exfil Complete (malware.rules)
  • 2867024 - ETPRO WEB_SPECIFIC_APPS FreeScout Mail2Shell Zero-Click Unauthenticated Remote Code Execution (CVE-2026-28289) (web_specific_apps.rules)
  • 2867025 - ETPRO HUNTING Web Configuration .htaccess Email Attachment Inbound (hunting.rules)