Ruleset Update Summary - 2026/04/29 - v11182

rulesbot · April 29, 2026, 8:32pm

Summary:

25 new OPEN, 53 new PRO (25 + 28)

Added rules:

Open:

2069054 - ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET) (malware.rules)
2069055 - ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET) (malware.rules)
2069056 - ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET) (malware.rules)
2069057 - ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET) (malware.rules)
2069058 - ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET) (malware.rules)
2069059 - ET HUNTING Amazon Cloudfront Geoblock Landing Page (hunting.rules)
2069060 - ET WEB_SPECIFIC_APPS Apache HTTP Server Unauthenticated Arbitrary File Read via mod_rewrite (CVE-2024-38475) (web_specific_apps.rules)
2069061 - ET INFO DYNAMIC_DNS Query to a *.remotewire .net domain (info.rules)
2069062 - ET INFO DYNAMIC_DNS HTTP Request to a *.remotewire .net domain (info.rules)
2069063 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lyingapy .cyou) (malware.rules)
2069064 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lyingapy .cyou) in TLS SNI (malware.rules)
2069065 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trotskxt .cyou) (malware.rules)
2069066 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trotskxt .cyou) in TLS SNI (malware.rules)
2069067 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rapidlogiclab .top) (exploit_kit.rules)
2069068 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rapidlogiclab .top) (exploit_kit.rules)
2069069 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (kovkcek .com) (exploit_kit.rules)
2069070 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (barsows .com) (exploit_kit.rules)
2069071 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (kovkcek .com) (exploit_kit.rules)
2069072 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (barsows .com) (exploit_kit.rules)
2069073 - ET MALWARE Observed DNS Query to Common Payload Delivery Domain (joyeriatauro .com) (malware.rules)
2069074 - ET MALWARE Observed DNS Query to Common Payload Delivery Domain (mevetlab .cl) (malware.rules)
2069075 - ET MALWARE Observed DNS Query to Common Payload Delivery Domain (bluebikinis .cl) (malware.rules)
2069076 - ET MALWARE Observed Common Payload Delivery Domain (joyeriatauro .com in TLS SNI) (malware.rules)
2069077 - ET MALWARE Observed Common Payload Delivery Domain (mevetlab .cl in TLS SNI) (malware.rules)
2069078 - ET MALWARE Observed Common Payload Delivery Domain (bluebikinis .cl in TLS SNI) (malware.rules)

Pro:

2867359 - ETPRO EXPLOIT llama.cpp RPC Remote Code Execution via rpce_tensor (CVE-2026-34159) (exploit.rules)
2867360 - ETPRO WEB_SPECIFIC_APPS Handlebars.js AST Injection Remote Code Execution (CVE-2026-33937) (web_specific_apps.rules)
2867361 - ETPRO WEB_SPECIFIC_APPS LiteLLM SQL Injection via Authentication Header (CVE-2026-42208) (web_specific_apps.rules)
2867362 - ETPRO WEB_SPECIFIC_APPS Spring Framework Path Traversal via Jetty URI Parsing (CVE-2025-41242) (web_specific_apps.rules)
2867363 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2867364 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2867365 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2867366 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2867367 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2867368 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2867369 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2867370 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2867371 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2867372 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2867373 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2867374 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2867375 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2867376 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2867377 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2867378 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2867379 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2867380 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2867381 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2867382 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2867383 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2867384 - ETPRO WEB_SPECIFIC_APPS Metabase Authenticated Arbitrary File Write (CVE-2026-33725) (web_specific_apps.rules)
2867385 - ETPRO MALWARE Arrhtymia Victim Heartbeat (POST) (malware.rules)
2867386 - ETPRO MALWARE Arrhtymia Victim Heartbeat Headers Observed (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/03/11 - v11144 Ruleset Updates	79	March 11, 2026
Ruleset Update Summary - 2026/04/22 - v11177 Ruleset Updates	71	April 22, 2026
Ruleset Update Summary - 2026/01/30 - v11115 Ruleset Updates	91	January 30, 2026
Ruleset Update Summary - 2026/02/03 - v11117 Ruleset Updates	92	February 3, 2026
Ruleset Update Summary - 2026/03/20 - v11154 Ruleset Updates	95	March 20, 2026

Ruleset Update Summary - 2026/04/29 - v11182

Summary:

Added rules:

Open:

Pro:

Related topics