Ruleset Update Summary - 2026/04/28 - v11181

rulesbot · April 28, 2026, 7:32pm

Summary:

21 new OPEN, 29 new PRO (21 + 8)

Added rules:

Open:

2069031 - ET MALWARE Nexcorium Payload Retrieval Attempt (malware.rules)
2069033 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vtcircuits .com) (exploit_kit.rules)
2069034 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (gccsinc .com) (exploit_kit.rules)
2069035 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vtcircuits .com) (exploit_kit.rules)
2069036 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (office .australia-wealth .com) (malware.rules)
2069037 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (office .australia-wealth .com) (malware.rules)
2069038 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rapidforge .top) (exploit_kit.rules)
2069040 - ET MALWARE PhantomPulse RAT Loader Checkin Attempt (malware.rules)
2069041 - ET MALWARE PhantomPulse RAT Payload Update Attempt (malware.rules)
2069042 - ET INFO IKEv2 SA_INIT with Microsoft Security Realm Vendor ID (info.rules)
2069043 - ET EXPLOIT IKEv2 Invalid Fragmented IKE_AUTH (CVE-2026-33824) (exploit.rules)
2069044 - ET INFO DYNAMIC_DNS Query to a *.mytunnel .org domain (info.rules)
2069045 - ET INFO DYNAMIC_DNS HTTP Request to a *.mytunnel .org domain (info.rules)
2069046 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pricelou .cyou) (malware.rules)
2069047 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pricelou .cyou) in TLS SNI (malware.rules)
2069048 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (springvc .cyou) (malware.rules)
2069049 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (springvc .cyou) in TLS SNI (malware.rules)
2069050 - ET MALWARE PhantomPulse RAT CnC Checkin Attempt (malware.rules)
2069051 - ET MALWARE PhantomPulse RAT Tasking Request (malware.rules)
2069052 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (gccsinc .com) (exploit_kit.rules)
2069053 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rapidforge .top) (exploit_kit.rules)

Pro:

2867338 - ETPRO MALWARE Remus CnC Victim Checkin (Debug) (malware.rules)
2867339 - ETPRO MALWARE Remus CnC Exfil (POST) (malware.rules)
2867340 - ETPRO MALWARE Remus CnC Victim Checkin (malware.rules)
2867341 - ETPRO MALWARE Observed DNS Query to UNK_OrangeCurls Domain (malware.rules)
2867342 - ETPRO MALWARE Observed DNS Query to UNK_OrangeCurls Domain (malware.rules)
2867343 - ETPRO MALWARE Observed UNK_OrangeCurls Domain in TLS SNI (malware.rules)
2867344 - ETPRO MALWARE Observed UNK_OrangeCurls Domain in TLS SNI (malware.rules)
2867346 - ETPRO HUNTING Generic URI Path/Directory Traversal Check (hunting.rules)

Disabled and modified rules:

2069020 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (hegmaen .com) (exploit_kit.rules)
2069023 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (hegmaen .com) (exploit_kit.rules)
2069027 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .california-wealth .com) (malware.rules)
2069029 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .california-wealth .com) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/04/16 - v11173 Ruleset Updates	87	April 16, 2026
Ruleset Update Summary - 2026/03/11 - v11144 Ruleset Updates	79	March 11, 2026
Ruleset Update Summary - 2026/01/30 - v11115 Ruleset Updates	91	January 30, 2026
Ruleset Update Summary - 2026/05/12 - v11191 Ruleset Updates	36	May 12, 2026
Ruleset Update Summary - 2026/03/20 - v11154 Ruleset Updates	95	March 20, 2026

Ruleset Update Summary - 2026/04/28 - v11181

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics