Ruleset Update Summary - 2026/04/27 - v11180

Summary:

54 new OPEN, 78 new PRO (54 + 24)

Thanks @goldenjackel12

Added rules:

Open:

• 2068977 - ET INFO Observed TA Abused Free Hosting Domain in DNS Lookup (*. yzz .me) (info.rules)
• 2068978 - ET INFO Observed TA Abused Free Hosting Domain in TLS SNI (*. yzz .me) (info.rules)
• 2068979 - ET INFO DYNAMIC_DNS Query to a *.thehor .com domain (info.rules)
• 2068980 - ET INFO DYNAMIC_DNS HTTP Request to a *.thehor .com domain (info.rules)
• 2068981 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bactergy .cyou) (malware.rules)
• 2068982 - ET INFO DYNAMIC_DNS Query to a *.roxa .org domain (info.rules)
• 2068983 - ET INFO DYNAMIC_DNS HTTP Request to a *.roxa .org domain (info.rules)
• 2068984 - ET INFO DYNAMIC_DNS Query to a *.dynu .org (info.rules)
• 2068985 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynu .org (info.rules)
• 2068986 - ET INFO DYNAMIC_DNS Query to a *.opik .net domain (info.rules)
• 2068987 - ET INFO DYNAMIC_DNS HTTP Request to a *.opik .net domain (info.rules)
• 2068988 - ET INFO DYNAMIC_DNS Query to a *.ezgateway .net domain (info.rules)
• 2068989 - ET INFO DYNAMIC_DNS HTTP Request to a *.ezgateway .net domain (info.rules)
• 2068990 - ET INFO DYNAMIC_DNS Query to a *.xubi .org domain (info.rules)
• 2068991 - ET INFO DYNAMIC_DNS HTTP Request to a *.xubi .org domain (info.rules)
• 2068992 - ET INFO DYNAMIC_DNS Query to a *.dynu .net (info.rules)
• 2068993 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynu .net (info.rules)
• 2068994 - ET INFO DYNAMIC_DNS Query to a *.yyuyy .com domain (info.rules)
• 2068995 - ET INFO DYNAMIC_DNS HTTP Request to a *.yyuyy .com domain (info.rules)
• 2068996 - ET INFO DYNAMIC_DNS Query to a *.starnightimport .com domain (info.rules)
• 2068997 - ET INFO DYNAMIC_DNS HTTP Request to a *.starnightimport .com domain (info.rules)
• 2068998 - ET INFO DYNAMIC_DNS Query to a *.rabsacca .com domain (info.rules)
• 2068999 - ET INFO DYNAMIC_DNS HTTP Request to a *.rabsacca .com domain (info.rules)
• 2069000 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resingationnnsd .shop) (malware.rules)
• 2069001 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resingationnnsd .shop) in TLS SNI (malware.rules)
• 2069002 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (straigxo .cyou) (malware.rules)
• 2069003 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (straigxo .cyou) in TLS SNI (malware.rules)
• 2069004 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (ms365-team .com) (phishing.rules)
• 2069005 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (team-ms365 .com) (phishing.rules)
• 2069006 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (team-m365 .com) (phishing.rules)
• 2069007 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (support-ms365 .com) (phishing.rules)
• 2069008 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (sender-365 .com) (phishing.rules)
• 2069009 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (365-sender .com) (phishing.rules)
• 2069010 - ET PHISHING Observed DeviceCode Phishing Domain (ms365-team .com in TLS SNI) (phishing.rules)
• 2069011 - ET PHISHING Observed DeviceCode Phishing Domain (team-ms365 .com in TLS SNI) (phishing.rules)
• 2069012 - ET PHISHING Observed DeviceCode Phishing Domain (team-m365 .com in TLS SNI) (phishing.rules)
• 2069013 - ET PHISHING Observed DeviceCode Phishing Domain (support-ms365 .com in TLS SNI) (phishing.rules)
• 2069014 - ET PHISHING Observed DeviceCode Phishing Domain (sender-365 .com in TLS SNI) (phishing.rules)
• 2069015 - ET PHISHING Observed DeviceCode Phishing Domain (365-sender .com in TLS SNI) (phishing.rules)
• 2069016 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (datanexlab .top) (exploit_kit.rules)
• 2069017 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (zentav .top) (exploit_kit.rules)
• 2069018 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (datanexlab .top) (exploit_kit.rules)
• 2069019 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (zentav .top) (exploit_kit.rules)
• 2069020 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (hegmaen .com) (exploit_kit.rules)
• 2069021 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (quiglgy .com) (exploit_kit.rules)
• 2069022 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sigmatauethifarma .com) (exploit_kit.rules)
• 2069023 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (hegmaen .com) (exploit_kit.rules)
• 2069024 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (quiglgy .com) (exploit_kit.rules)
• 2069025 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sigmatauethifarma .com) (exploit_kit.rules)
• 2069026 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (auto-update .tx-wealth .com) (malware.rules)
• 2069027 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .california-wealth .com) (malware.rules)
• 2069028 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (auto-update .tx-wealth .com) (malware.rules)
• 2069029 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .california-wealth .com) (malware.rules)
• 2069030 - ET PHISHING DeviceCode Phishing Landing Page Observed (phishing.rules)

Pro:

• 2867314 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2867315 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2867316 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2867317 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - INFO Outbound (malware.rules)
• 2867318 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2867319 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
• 2867320 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - RD- Outbound (malware.rules)
• 2867321 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2867322 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2867323 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2867324 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2867325 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2867326 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2867327 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2867328 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2867329 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2867330 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2867331 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2867332 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2867333 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2867334 - ETPRO CURRENT_EVENTS elementary-data (0.23.3) Compromise Exfiltration Request (current_events.rules)
• 2867335 - ETPRO MALWARE HTTP Request to Payload Embedded Within Image (malware.rules)
• 2867336 - ETPRO MALWARE REMUS CnC Domain in DNS Lookup (malware.rules)
• 2867337 - ETPRO MALWARE Observed REMUS Domain in TLS SNI (malware.rules)

Disabled and modified rules:

• 2006579 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – okvalannonce.php idannonce SELECT (web_specific_apps.rules)
• 2006580 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – okvalannonce.php idannonce UNION SELECT (web_specific_apps.rules)
• 2006581 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – okvalannonce.php idannonce INSERT (web_specific_apps.rules)
• 2006582 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – okvalannonce.php idannonce DELETE (web_specific_apps.rules)
• 2006584 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – okvalannonce.php idannonce UPDATE (web_specific_apps.rules)