Ruleset Update Summary - 2026/05/04 - v11185

Ruleset Updates
1

Summary:

55 new OPEN, 58 new PRO (55 + 3)

Added rules:

Open:

  • 2069110 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (americoq .cyou) (malware.rules)
  • 2069111 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (americoq .cyou) in TLS SNI (malware.rules)
  • 2069112 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragmentyperspowp .shop) (malware.rules)
  • 2069113 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragmentyperspowp .shop) in TLS SNI (malware.rules)
  • 2069114 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opimendu .digital) (malware.rules)
  • 2069115 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (opimendu .digital) in TLS SNI (malware.rules)
  • 2069116 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opsonm .cyou) (malware.rules)
  • 2069117 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (opsonm .cyou) in TLS SNI (malware.rules)
  • 2069118 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (microsoft .customers-365 .com) (phishing.rules)
  • 2069119 - ET PHISHING Observed DNS Query to DeviceCode Phishing Domain (customers-365-login .com) (phishing.rules)
  • 2069120 - ET PHISHING Observed DeviceCode Phishing Domain (microsoft .customers-365 .com in TLS SNI) (phishing.rules)
  • 2069121 - ET PHISHING Observed DeviceCode Phishing Domain (customers-365-login .com in TLS SNI) (phishing.rules)
  • 2069122 - ET INFO Observed Microsoft Dev Tunnels Domain (devtunnels .ms in TLS SNI) (info.rules)
  • 2069123 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (canvasdriftzone .top) (exploit_kit.rules)
  • 2069124 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vividlayerlab .top) (exploit_kit.rules)
  • 2069125 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (canvasdriftzone .top) (exploit_kit.rules)
  • 2069126 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vividlayerlab .top) (exploit_kit.rules)
  • 2069127 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (exoosito .com) (exploit_kit.rules)
  • 2069128 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (willimsen .com) (exploit_kit.rules)
  • 2069129 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (exoosito .com) (exploit_kit.rules)
  • 2069130 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genusal .lat) (malware.rules)
  • 2069131 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genusal .lat) in TLS SNI (malware.rules)
  • 2069132 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gojeourney .life) (malware.rules)
  • 2069133 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gojeourney .life) in TLS SNI (malware.rules)
  • 2069134 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (willimsen .com) (exploit_kit.rules)
  • 2069135 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .ladytress .com) (malware.rules)
  • 2069136 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .ladytress .com) (malware.rules)
  • 2069137 - ET MALWARE BPFDoor CnC Domain in DNS Lookup (ntpussl .instanthq .com) (malware.rules)
  • 2069138 - ET MALWARE BPFDoor CnC Domain in DNS Lookup (ntpupdate .ddnsgeek .com) (malware.rules)
  • 2069139 - ET MALWARE BPFDoor CnC Domain in DNS Lookup (ntpussl .instanthq .com) (malware.rules)
  • 2069140 - ET MALWARE BPFDoor CnC Domain in DNS Lookup (ntpupdate .ddnsgeek .com) (malware.rules)
  • 2069141 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069142 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069143 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069144 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069145 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069146 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069147 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069148 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069149 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069150 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069151 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069152 - ET INFO Transportation Cargo Theft Domain in DNS Lookup (info.rules)
  • 2069153 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069154 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069155 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069156 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069157 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069158 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069159 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069160 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069161 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069162 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069163 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)
  • 2069164 - ET INFO Observed Transportation Cargo Theft Domain in TLS SNI (info.rules)

Pro:

  • 2867424 - ETPRO EXPLOIT Veeam Backup & Replication Unauthenticated Remote Code Execution (CVE202440711) (exploit.rules)
  • 2867425 - ETPRO WEB_SPECIFIC_APPS Node.js samlify SAML Signature Wrapping SSO Bypass (CVE-2025-47949) (web_specific_apps.rules)
  • 2867426 - ETPRO WEB_SPECIFIC_APPS Salesforce Aura Framework Action SOQL Injection (web_specific_apps.rules)