Ruleset Update Summary - 2026/04/20 - v11175

Ruleset Updates
1

Summary:

33 new OPEN, 56 new PRO (33 + 23)

Added rules:

Open:

  • 2068817 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (analipr .cyou) (malware.rules)
  • 2068818 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (analipr .cyou) in TLS SNI (malware.rules)
  • 2068819 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famiszp .cyou) (malware.rules)
  • 2068820 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (famiszp .cyou) in TLS SNI (malware.rules)
  • 2068821 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tramoqj .cyou) (malware.rules)
  • 2068822 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tramoqj .cyou) in TLS SNI (malware.rules)
  • 2068823 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (boillingyskop .shop) (malware.rules)
  • 2068824 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (boillingyskop .shop) in TLS SNI (malware.rules)
  • 2068825 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brorgma .cyou) (malware.rules)
  • 2068826 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brorgma .cyou) in TLS SNI (malware.rules)
  • 2068827 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cititezneowqp .shop) (malware.rules)
  • 2068828 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cititezneowqp .shop) in TLS SNI (malware.rules)
  • 2068829 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (firmmydivideow .shop) (malware.rules)
  • 2068830 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (firmmydivideow .shop) in TLS SNI (malware.rules)
  • 2068831 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garagedpoczxzc .shop) (malware.rules)
  • 2068832 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (garagedpoczxzc .shop) in TLS SNI (malware.rules)
  • 2068833 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathematicisad .shop) (malware.rules)
  • 2068834 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathematicisad .shop) in TLS SNI (malware.rules)
  • 2068835 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (panelmaideus .click) (malware.rules)
  • 2068836 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (panelmaideus .click) in TLS SNI (malware.rules)
  • 2068837 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (publisheruqi .shop) (malware.rules)
  • 2068838 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (publisheruqi .shop) in TLS SNI (malware.rules)
  • 2068839 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thankyowmn .store) (malware.rules)
  • 2068840 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thankyowmn .store) in TLS SNI (malware.rules)
  • 2068841 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wollfsoaisvz .shop) (malware.rules)
  • 2068842 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wollfsoaisvz .shop) in TLS SNI (malware.rules)
  • 2068843 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordingyhwj .cyou) (malware.rules)
  • 2068844 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wordingyhwj .cyou) in TLS SNI (malware.rules)
  • 2068845 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (aws .uae-wealth .com) (malware.rules)
  • 2068846 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (aws .uae-wealth .com) (malware.rules)
  • 2068847 - ET WEB_SPECIFIC_APPS Wavlink addrouting Multiple Parameters Command Injection Attempt (CVE-2026-6483) (web_specific_apps.rules)
  • 2068848 - ET WEB_SPECIFIC_APPS LibreNMS WHOIS query Parameter Command Injection Attempt (CVE-2026-6204) (web_specific_apps.rules)
  • 2068849 - ET WEB_SPECIFIC_APPS Totolink setPasswordCfg admpass Parameter Command Injection Attempt (CVE-2026-6195) (web_specific_apps.rules)

Pro:

  • 2867094 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867095 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867096 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867097 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867098 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867099 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867100 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867101 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867102 - ETPRO MALWARE Observed DNS Query to Fake Tech Support Landing Page Domain (malware.rules)
  • 2867103 - ETPRO MALWARE Observed Fake Tech Support Landing Page Domain in TLS SNI (malware.rules)
  • 2867104 - ETPRO MALWARE StealC Payload Request (GET) (malware.rules)
  • 2867105 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867106 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867107 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867108 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867109 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867110 - ETPRO MALWARE Observed DNS Query to StealC Domain (malware.rules)
  • 2867111 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)
  • 2867112 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)
  • 2867113 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)
  • 2867114 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)
  • 2867115 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)
  • 2867116 - ETPRO MALWARE Observed StealC Domain in TLS SNI (malware.rules)