Ruleset Update Summary - 2026/04/13 - v11170

rulesbot · April 13, 2026, 9:13pm

Summary:

29 new OPEN, 57 new PRO (29 + 28)

Added rules:

Open:

2068695 - ET INFO DYNAMIC_DNS Query to a *.tzhang .net domain (info.rules)
2068696 - ET INFO DYNAMIC_DNS HTTP Request to a *.tzhang .net domain (info.rules)
2068697 - ET INFO DYNAMIC_DNS Query to a *.runbsd .io domain (info.rules)
2068698 - ET INFO DYNAMIC_DNS HTTP Request to a *.runbsd .io domain (info.rules)
2068699 - ET INFO DYNAMIC_DNS Query to a *.truecircle .com domain (info.rules)
2068700 - ET INFO DYNAMIC_DNS HTTP Request to a *.truecircle .com domain (info.rules)
2068701 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decorhighsa .pw) (malware.rules)
2068702 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (decorhighsa .pw) in TLS SNI (malware.rules)
2068703 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (orgstekomnw .pw) (malware.rules)
2068704 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (orgstekomnw .pw) in TLS SNI (malware.rules)
2068705 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (poxzxin .cyou) (malware.rules)
2068706 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (poxzxin .cyou) in TLS SNI (malware.rules)
2068707 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scoredon .com) (malware.rules)
2068708 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scoredon .com) in TLS SNI (malware.rules)
2068709 - ET INFO DYNAMIC_DNS Query to a *.dehme .com domain (info.rules)
2068710 - ET INFO DYNAMIC_DNS HTTP Request to a *.dehme .com domain (info.rules)
2068711 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (windlrr .com) (malware.rules)
2068712 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (plein-soleil .top) (malware.rules)
2068713 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (pcdcinc .com) (malware.rules)
2068714 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (updater-worelos .com) (malware.rules)
2068715 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (oeannon .com) (malware.rules)
2068716 - ET MALWARE XorBee RAT CNC Checkin M1 (malware.rules)
2068717 - ET INFO DYNAMIC_DNS Query to a *.shredsurf .com domain (info.rules)
2068718 - ET INFO DYNAMIC_DNS HTTP Request to a *.shredsurf .com domain (info.rules)
2068719 - ET INFO DYNAMIC_DNS Query to a *.mrlewburger .com domain (info.rules)
2068720 - ET INFO DYNAMIC_DNS HTTP Request to a *.mrlewburger .com domain (info.rules)
2068721 - ET INFO DYNAMIC_DNS Query to a *.albacetediario .com domain (info.rules)
2068722 - ET INFO DYNAMIC_DNS HTTP Request to a *.albacetediario .com domain (info.rules)
2068723 - ET MALWARE CripStealer Data Exfiltration Attempt (malware.rules)

Pro:

2867030 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2867031 - ETPRO EXPLOIT Windows Defender TOCTOU LPE via SAM Hive and VDM Access (BlueHammer) (exploit.rules)
2867032 - ETPRO HUNTING Adobe Reader User-Agent (non-Adobe) Outbound (hunting.rules)
2867033 - ETPRO HUNTING PDF JS-embedded contains JSF*ck Obfuscated Code (hunting.rules)
2867034 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867035 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867036 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867037 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867038 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867039 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867040 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867041 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867042 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867043 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
2867044 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867045 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867046 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867047 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867048 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867049 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867050 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867051 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867052 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867053 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
2867054 - ETPRO MALWARE LandUpdate808 Inject Observed (malware.rules)
2867055 - ETPRO MALWARE LandUpdate808 CnC Command Retrieval (malware.rules)
2867056 - ETPRO MALWARE LandUpdate808 Victim Fingerprint Exfil (malware.rules)
2867057 - ETPRO MALWARE LandUpdate808 Victim Click Tracking Activity (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/10/16 - v10721 Ruleset Updates	118	October 16, 2024
Ruleset Update Summary - 2026/03/23 - v11155 Ruleset Updates	83	March 23, 2026
Ruleset Update Summary - 2026/03/06 - v11141 Ruleset Updates	118	March 6, 2026
Ruleset Update Summary - 2026/03/09 - v11142 Ruleset Updates	64	March 9, 2026
Ruleset Update Summary - 2026/04/06 - v11165 Ruleset Updates	85	April 6, 2026

Ruleset Update Summary - 2026/04/13 - v11170

Summary:

Added rules:

Open:

Pro:

Related topics