Ruleset Update Summary - 2026/04/22 - v11177

Ruleset Updates
1

Summary:

38 new OPEN, 66 new PRO (38 + 28)

Added rules:

Open:

  • 2068899 - ET MALWARE Xinference PyPI Supply Chain (TeamPCP) CnC Domain in DNS Lookup (malware.rules)
  • 2068900 - ET MALWARE Xinference PyPI Supply Chain (TeamPCP) CnC Domain in TLS SNI (malware.rules)
  • 2068901 - ET MALWARE Xinference PyPI Supply Chain (TeamPCP) Exfiltration over HTTP (malware.rules)
  • 2068902 - ET MALWARE LiteLLM & Telnyx Supply Chain (TeamPCP) Exfiltration (malware.rules)
  • 2068903 - ET HUNTING Internet Computer Domain Observed (dfinity .network) (hunting.rules)
  • 2068904 - ET INFO Observed slowAES Library To Generate Cookie Challenge Header (info.rules)
  • 2068905 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (additioniqqwu .shop) (malware.rules)
  • 2068906 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (additioniqqwu .shop) in TLS SNI (malware.rules)
  • 2068907 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coneogz .cyou) (malware.rules)
  • 2068908 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (coneogz .cyou) in TLS SNI (malware.rules)
  • 2068909 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannndjtaom .shop) (malware.rules)
  • 2068910 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannndjtaom .shop) in TLS SNI (malware.rules)
  • 2068911 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jhardwaredwi .buzz) (malware.rules)
  • 2068912 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jhardwaredwi .buzz) in TLS SNI (malware.rules)
  • 2068913 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leypuuq .cyou) (malware.rules)
  • 2068914 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (leypuuq .cyou) in TLS SNI (malware.rules)
  • 2068915 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (overwrougemny .shop) (malware.rules)
  • 2068916 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (overwrougemny .shop) in TLS SNI (malware.rules)
  • 2068917 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sep0 .filetip .shop) (malware.rules)
  • 2068918 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sep0 .filetip .shop) in TLS SNI (malware.rules)
  • 2068919 - ET WEB_SPECIFIC_APPS Totolink setVpnPassCfg pptpPassThru Parameter Command Injection Attempt (CVE-2026-5850, CVE-2026-5105) (web_specific_apps.rules)
  • 2068920 - ET WEB_SPECIFIC_APPS Totolink setUPnPCfg enable Parameter Command Injection Attempt (CVE-2026-5851, CVE-2026-5103) (web_specific_apps.rules)
  • 2068921 - ET WEB_SPECIFIC_APPS Totolink setIptvCfg igmpVer Parameter Command Injection Attempt (CVE-2026-5852, CVE-2026-5178) (web_specific_apps.rules)
  • 2068922 - ET WEB_SPECIFIC_APPS Totolink setIpv6LanCfg addrPrefixLen Parameter Command Injection Attempt (CVE-2026-5853) (web_specific_apps.rules)
  • 2068923 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (fasterfunding .top) (malware.rules)
  • 2068924 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (marassociate .cyou) (malware.rules)
  • 2068925 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (doc-file .top) (malware.rules)
  • 2068926 - ET MALWARE Observed RMM Payload Delivery Domain (fasterfunding .top) Domain (fasterfunding .top in TLS SNI) (malware.rules)
  • 2068927 - ET WEB_SPECIFIC_APPS Totolink setWiFiEasyCfg merge Parameter Command Injection Attempt (CVE-2026-5854) (web_specific_apps.rules)
  • 2068928 - ET MALWARE Observed RMM Payload Delivery Domain (marassociate .cyou) Domain (marassociate .cyou in TLS SNI) (malware.rules)
  • 2068929 - ET MALWARE Observed RMM Payload Delivery Domain (doc-file .top) Domain (doc-file .top in TLS SNI) (malware.rules)
  • 2068930 - ET WEB_SPECIFIC_APPS Totolink setWiFiEasyCfg ssid/ssid5g Parameter Buffer Overflow Attempt (CVE-2026-1157, CVE-2025-45842) (web_specific_apps.rules)
  • 2068931 - ET INFO Free Hosting Domain (on-forge .com) in DNS Lookup (info.rules)
  • 2068932 - ET INFO Observed Free Hosting Domain (on-forge .com in TLS SNI) (info.rules)
  • 2068933 - ET INFO NoMachine Network RMM Domain (nomachine .com) in DNS Lookup (info.rules)
  • 2068934 - ET INFO Observed NoMachine Network RMM Domain (nomachine .com in TLS SNI) (info.rules)
  • 2068935 - ET WEB_SPECIFIC_APPS Fortinet FortiSandbox JRPC API Path Traversal Authentication Bypass (CVE-2026-39813) (web_specific_apps.rules)
  • 2068936 - ET INFO Initial Redirect to Landing Page with slowAES Cookie (info.rules)

Pro:

  • 2867147 - ETPRO MALWARE TA406 CnC Activity (Beacon) (malware.rules)
  • 2867148 - ETPRO MALWARE TA406 CnC (Download VBS Payload) (malware.rules)
  • 2867149 - ETPRO PHISHING DeviceCode Phishing Landing Page Observed (phishing.rules)
  • 2867150 - ETPRO PHISHING DeviceCode Phishing Landing Page Observed (phishing.rules)
  • 2867151 - ETPRO PHISHING DeviceCode Phishing Landing Page Observed (phishing.rules)
  • 2867152 - ETPRO PHISHING RMM Payload Delivery Page Observed (phishing.rules)
  • 2867153 - ETPRO PHISHING RMM Payload Delivery Page Observed (phishing.rules)
  • 2867154 - ETPRO PHISHING Observed DNS Query to Device Code Phishing Domain (phishing.rules)
  • 2867155 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867156 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867157 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867158 - ETPRO PHISHING Observed Device Code Phishing Domain in TLS SNI (phishing.rules)
  • 2867159 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867160 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2867161 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867162 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2867163 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867164 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2867165 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867166 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867167 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2867168 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867169 - ETPRO PHISHING DeviceCode Phishing API Activity (GET) (phishing.rules)
  • 2867170 - ETPRO PHISHING DeviceCode Phishing API Response (phishing.rules)
  • 2867171 - ETPRO MALWARE Observed DNS Query to LandUpdate808 Domain (malware.rules)
  • 2867172 - ETPRO MALWARE Observed LandUpdate808 Domain in TLS SNI (malware.rules)
  • 2867173 - ETPRO EXPLOIT Roundcube Server-Side Request Forgery via link HTML Tag (exploit.rules)
  • 2867174 - ETPRO WEB_SPECIFIC_APPS Beghelli Sicuro24/SicuroWeb AngularJS Template Injection and Sandbox Escape Primitive (CVE-2026-22191, CVE-2026-41468) (web_specific_apps.rules)

Disabled and modified rules:

  • 2067723 - ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207) (web_specific_apps.rules)