Summary:
49 new OPEN, 79 new PRO (49 + 30)
Added rules:
Open:
- 2068850 - ET WEB_SPECIFIC_APPS nginx-ui MCP Module Authentication Bypass (CVE-2026-33032) (web_specific_apps.rules)
- 2068851 - ET INFO DYNAMIC_DNS Query to a *.sulekutlay .com domain (info.rules)
- 2068852 - ET INFO DYNAMIC_DNS HTTP Request to a *.sulekutlay .com domain (info.rules)
- 2068853 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aex .circledexj .cyou) (malware.rules)
- 2068854 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aex .circledexj .cyou) in TLS SNI (malware.rules)
- 2068855 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bammyanwjo .shop) (malware.rules)
- 2068856 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bammyanwjo .shop) in TLS SNI (malware.rules)
- 2068857 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (corushedk .store) (malware.rules)
- 2068858 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (corushedk .store) in TLS SNI (malware.rules)
- 2068859 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cucriousmt .click) (malware.rules)
- 2068860 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cucriousmt .click) in TLS SNI (malware.rules)
- 2068861 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (efficienndtyi .shop) (malware.rules)
- 2068862 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (efficienndtyi .shop) in TLS SNI (malware.rules)
- 2068863 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energybarreosp .shop) (malware.rules)
- 2068864 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (energybarreosp .shop) in TLS SNI (malware.rules)
- 2068865 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (judgemeenttiqio .shop) (malware.rules)
- 2068866 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (judgemeenttiqio .shop) in TLS SNI (malware.rules)
- 2068867 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lonelymqwj .shop) (malware.rules)
- 2068868 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lonelymqwj .shop) in TLS SNI (malware.rules)
- 2068869 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pitchelaboratemisese .site) (malware.rules)
- 2068870 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pitchelaboratemisese .site) in TLS SNI (malware.rules)
- 2068871 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (practicalykwwo .shop) (malware.rules)
- 2068872 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (practicalykwwo .shop) in TLS SNI (malware.rules)
- 2068873 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pyramidyjwu .biz) (malware.rules)
- 2068874 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pyramidyjwu .biz) in TLS SNI (malware.rules)
- 2068875 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spicywind .shop) (malware.rules)
- 2068876 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (spicywind .shop) in TLS SNI (malware.rules)
- 2068877 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starjetv .run) (malware.rules)
- 2068878 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starjetv .run) in TLS SNI (malware.rules)
- 2068879 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tollactionancestorw .pw) (malware.rules)
- 2068880 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tollactionancestorw .pw) in TLS SNI (malware.rules)
- 2068881 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (whitmngx .lat) (malware.rules)
- 2068882 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (whitmngx .lat) in TLS SNI (malware.rules)
- 2068883 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE M2 (CVE-2024-4883) (web_specific_apps.rules)
- 2068884 - ET MALWARE Atemu RAT User-Agent Observed (CommandExecutor/1.0) (malware.rules)
- 2068885 - ET MALWARE Atemu RAT CnC Checkin Attempt (malware.rules)
- 2068886 - ET MALWARE Atemu RAT Tasking Request (malware.rules)
- 2068887 - ET MALWARE Atemu RAT CnC Domain in DNS Lookup (api .mynetwork .icu) (malware.rules)
- 2068888 - ET MALWARE Atemu RAT CnC Domain in DNS Lookup (conflrmsecurity .com) (malware.rules)
- 2068889 - ET MALWARE Observed Atemu RAT Domain (api .mynetwork .icu in TLS SNI) (malware.rules)
- 2068890 - ET MALWARE Observed Atemu RAT Domain (conflrmsecurity .com in TLS SNI) (malware.rules)
- 2068891 - ET MALWARE Atemu EDR Data Exfiltration Attempt (malware.rules)
- 2068892 - ET MALWARE Atemu Systeminfo Data Exfiltration Attempt (malware.rules)
- 2068893 - ET WEB_SPECIFIC_APPS Mailcow Second-Order SQL Injection via quarantine_category (CVE-2026-40871) (web_specific_apps.rules)
- 2068894 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (prototype3 .thefinancialdatabase .com) (malware.rules)
- 2068895 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (prototype3 .thefinancialdatabase .com) (malware.rules)
- 2068896 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nitzschi .com) (exploit_kit.rules)
- 2068897 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nitzschi .com) (exploit_kit.rules)
- 2068898 - ET WEB_SPECIFIC_APPS Fortinet FortiWeb Admin Creation via Path Traversal (CVE-2025-64446) (web_specific_apps.rules)
Pro:
- 2867117 - ETPRO WEB_SPECIFIC_APPS Apache Syncope Groovy Code Injection (CVE-2025-57738) (web_specific_apps.rules)
- 2867118 - ETPRO WEB_SPECIFIC_APPS Fortinet FortiClient EMS API Authentication Bypass (CVE-2026-35616) (web_specific_apps.rules)
- 2867119 - ETPRO WEB_SPECIFIC_APPS Django SQL Injection in RasterField lookup (CVE-2026-1207) (web_specific_apps.rules)
- 2867120 - ETPRO WEB_SPECIFIC_APPS Langflow CSV File Upload (CVE-2026-27966) (web_specific_apps.rules)
- 2867121 - ETPRO WEB_SPECIFIC_APPS Langflow Upload Flow JSON (CVE-2026-27966) (web_specific_apps.rules)
- 2867122 - ETPRO WEB_SPECIFIC_APPS Langflow Trigger Flow Execution (CVE-2026-27966) (web_specific_apps.rules)
- 2867123 - ETPRO WEB_SPECIFIC_APPS Microsoft playwright-mcp VM Sandbox Escape via Prototype Chain (web_specific_apps.rules)
- 2867124 - ETPRO MALWARE Observed DNS Query to GhoLoader CnC Domain (malware.rules)
- 2867125 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2867126 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2867127 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2867128 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2867129 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2867130 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2867131 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2867132 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2867133 - ETPRO MALWARE Observed GhoLoader CnC Domain in TLS SNI (malware.rules)
- 2867134 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2867135 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2867136 - ETPRO MALWARE Observed DNS Query to FakeUpdate Domain (malware.rules)
- 2867137 - ETPRO MALWARE Observed FakeUpdate Domain in TLS SNI (malware.rules)
- 2867138 - ETPRO HUNTING tempuri Request Contains Directory Traversal Pattern (hunting.rules)
- 2867139 - ETPRO MALWARE Parallax RAT CnC Initialization (malware.rules)
- 2867140 - ETPRO MALWARE Parallax RAT CnC Response (malware.rules)
- 2867141 - ETPRO MALWARE Observed DNS Query to Parallax RAT Domain (malware.rules)
- 2867142 - ETPRO MALWARE Observed DNS Query to Parallax RAT Domain (malware.rules)
- 2867143 - ETPRO MALWARE Observed DNS Query to Parallax RAT Domain (malware.rules)
- 2867144 - ETPRO MALWARE Observed Parallax Domain in TLS SNI (malware.rules)
- 2867145 - ETPRO MALWARE Observed Parallax Domain in TLS SNI (malware.rules)
- 2867146 - ETPRO MALWARE Observed Parallax Domain in TLS SNI (malware.rules)
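Added example (not part of the ET summary and not Emerging Threats' own tooling): a small Python parser for the summary format above. It reads the "N new OPEN, M new PRO (a + b)" header, splits the Open and Pro lists, pulls the SID, category and rules file out of each entry, collects the CVE identifiers and re-fangs the space-dot domains ("aex .circledexj .cyou" becomes "aex.circledexj.cyou") so a practitioner can quickly see which CVEs got coverage and which indicators to pivot on. The sample input is a constructed excerpt that reuses a few lines from the page with the header counts adjusted to fit; the function names are this example's own. One caveat it handles: in the DYNAMIC_DNS entries the wildcard prefix ("*.") is not part of the domain label, so the extracted value is the bare suffix and should be treated as a suffix match, not an exact one.

```python
import re
from collections import Counter

# Constructed sample in the format of the ET daily rule-update summary above;
# the SIDs, messages and defanged domains are copied from the page, the header
# counts are adjusted to match this shorter excerpt.
SAMPLE = """\
Summary:
4 new OPEN, 6 new PRO (4 + 2)
Added rules:
Open:
- 2068850 - ET WEB_SPECIFIC_APPS nginx-ui MCP Module Authentication Bypass (CVE-2026-33032) (web_specific_apps.rules)
- 2068851 - ET INFO DYNAMIC_DNS Query to a *.sulekutlay .com domain (info.rules)
- 2068853 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aex .circledexj .cyou) (malware.rules)
- 2068889 - ET MALWARE Observed Atemu RAT Domain (api .mynetwork .icu in TLS SNI) (malware.rules)
Pro:
- 2867117 - ETPRO WEB_SPECIFIC_APPS Apache Syncope Groovy Code Injection (CVE-2025-57738) (web_specific_apps.rules)
- 2867123 - ETPRO WEB_SPECIFIC_APPS Microsoft playwright-mcp VM Sandbox Escape via Prototype Chain (web_specific_apps.rules)
"""

# "- <sid> - <msg> (<file>.rules)"; the greedy msg group stops at the final "(x.rules)"
RULE_LINE = re.compile(r"^- (?P<sid>\d+) - (?P<msg>.+) \((?P<file>[\w-]+\.rules)\)$")
# "<open> new OPEN, <pro> new PRO (<open_part> + <pro_part>)"
SUMMARY_LINE = re.compile(
    r"^(?P<open>\d+) new OPEN, (?P<pro>\d+) new PRO \((?P<open_part>\d+) \+ (?P<pro_part>\d+)\)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# ET defangs domains with a space before every dot: "aex .circledexj .cyou"
DEFANGED_RE = re.compile(r"[\w-]+(?: \.[\w-]+)+")


def parse_summary(text):
    """Parse a summary into (header_counts, rules); each rule is a dict."""
    header, section, rules = None, None, []
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_LINE.match(line)
        if m:
            header = {k: int(v) for k, v in m.groupdict().items()}
            continue
        if line in ("Open:", "Pro:"):
            section = line[:-1].lower()
            continue
        m = RULE_LINE.match(line)
        if not (m and section):
            continue
        msg = m.group("msg")
        tokens = msg.split()
        rules.append({
            "sid": int(m.group("sid")),
            "section": section,
            "prefix": tokens[0],        # "ET" or "ETPRO"
            "category": tokens[1],      # e.g. MALWARE, WEB_SPECIFIC_APPS
            "msg": msg,
            "file": m.group("file"),
            "cves": CVE_RE.findall(msg),
            # re-fang: "api .mynetwork .icu" -> "api.mynetwork.icu"
            "domains": [d.replace(" .", ".") for d in DEFANGED_RE.findall(msg)],
        })
    return header, rules


def counts_match(header, rules):
    """Check the page's convention: the PRO total is open + pro-only rules."""
    n_open = sum(r["section"] == "open" for r in rules)
    n_pro = sum(r["section"] == "pro" for r in rules)
    return (
        header is not None
        and header["open"] == header["open_part"] == n_open
        and header["pro_part"] == n_pro
        and header["pro"] == n_open + n_pro
    )


def rules_by_file(rules):
    """How many new signatures land in each .rules file."""
    return Counter(r["file"] for r in rules)


def cve_coverage(rules):
    """Map each CVE mentioned in a message to the SIDs that reference it."""
    out = {}
    for r in rules:
        for cve in r["cves"]:
            out.setdefault(cve, []).append(r["sid"])
    return out


def domain_indicators(rules):
    """Re-fanged domains, sorted, with the SIDs whose messages name them."""
    out = {}
    for r in rules:
        for d in r["domains"]:
            out.setdefault(d, []).append(r["sid"])
    return dict(sorted(out.items()))


if __name__ == "__main__":
    header, rules = parse_summary(SAMPLE)
    print("counts consistent:", counts_match(header, rules))
    print("per file:", dict(rules_by_file(rules)))
    print("CVE coverage:", cve_coverage(rules))
    print("domains:", domain_indicators(rules))
```

Run it against a full summary by reading the text from a file or the clipboard instead of SAMPLE; counts_match is the quick sanity check that the header agrees with the list before the extracted SIDs or domains are pushed anywhere.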