Ruleset Update Summary - 2026/04/24 - v11179

Ruleset Updates
1

Summary:

23 new OPEN, 24 new PRO (23 + 1)

Thanks @goldenjackel12

Added rules:

Open:

  • 2068948 - ET MALWARE GET Request to Remote Cloudflare Branding from wikimedia .org (Commonly ClickFix) (malware.rules)
  • 2068955 - ET INFO DYNAMIC_DNS Query to a *.auxgroup .com .au domain (info.rules)
  • 2068956 - ET INFO DYNAMIC_DNS HTTP Request to a *.auxgroup .com .au domain (info.rules)
  • 2068957 - ET INFO DYNAMIC_DNS Query to a *.ncknms .com domain (info.rules)
  • 2068958 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (hegmaen .com) (exploit_kit.rules)
  • 2068959 - ET INFO DYNAMIC_DNS HTTP Request to a *.ncknms .com domain (info.rules)
  • 2068960 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leafyrm .cyou) (malware.rules)
  • 2068961 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (leafyrm .cyou) in TLS SNI (malware.rules)
  • 2068962 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (hegmaen .com) (exploit_kit.rules)
  • 2068963 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .california-wealth .com) (malware.rules)
  • 2068964 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .california-wealth .com) (malware.rules)
  • 2068965 - ET MALWARE Observed DNS Query to APT36 Domain (esevasecurefile .store) (malware.rules)
  • 2068966 - ET MALWARE Observed DNS Query to APT36 Domain (monitorondomainwintgt .store) (malware.rules)
  • 2068967 - ET MALWARE Observed APT36 Domain (esevasecurefile .store in TLS SNI) (malware.rules)
  • 2068968 - ET MALWARE Observed APT36 Domain (monitorondomainwintgt .store in TLS SNI) (malware.rules)
  • 2068969 - ET EXPLOIT free5GC UDR Fail-Open Abuse - Empty Body (CVE-2026-40343) (exploit.rules)
  • 2068970 - ET EXPLOIT free5GC UDR Fail-Open Abuse - Truncated JSON (CVE-2026-40343) (exploit.rules)
  • 2068971 - ET EXPLOIT free5GC UDR Fail-Open Abuse - Invalid JSON (CVE-2026-40343) (exploit.rules)
  • 2068972 - ET WEB_SPECIFIC_APPS LMDeploy LLM Inference Engine Server-Side Request Forgery (CVE-2026-33626) (web_specific_apps.rules)
  • 2068973 - ET MALWARE APT36 Victim Registration (POST) (malware.rules)
  • 2068974 - ET MALWARE APT36 User-Agent Observed (FitnessTracker/) (malware.rules)
  • 2068975 - ET MALWARE APT36 Victim Beacon M1 (malware.rules)
  • 2068976 - ET MALWARE APT36 Victim Beacon M2 (malware.rules)

Pro:

  • 2867313 - ETPRO EXPLOIT Microsoft Windows Snipping Tool Spoofing (CVE-2026-33829) (exploit.rules)

Disabled and modified rules:

  • 2867032 - ETPRO HUNTING Adobe Reader User-Agent (non-Adobe) Outbound (hunting.rules)

Removed rules:

  • 2068948 - ET HUNTING GET Request to Remote Cloudflare Branding from wikimedia .org (Commonly ClickFix) (hunting.rules)