Ruleset Update Summary - 2026/05/08 - v11189

Ruleset Updates
1

Summary:

29 new OPEN, 55 new PRO (29 + 26)

Added rules:

Open:

  • 2069208 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (calmvector .top) (exploit_kit.rules)
  • 2069209 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (calmvector .top) (exploit_kit.rules)
  • 2069210 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (files .dsbaux .com) (malware.rules)
  • 2069211 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (files .dsbaux .com) (malware.rules)
  • 2069212 - ET INFO DYNAMIC_DNS Query to a *.cowher .net domain (info.rules)
  • 2069213 - ET INFO DYNAMIC_DNS HTTP Request to a *.cowher .net domain (info.rules)
  • 2069214 - ET INFO DYNAMIC_DNS Query to a *.cowin-eng .com domain (info.rules)
  • 2069215 - ET INFO DYNAMIC_DNS HTTP Request to a *.cowin-eng .com domain (info.rules)
  • 2069216 - ET INFO DYNAMIC_DNS Query to a *.dapit .net domain (info.rules)
  • 2069217 - ET INFO DYNAMIC_DNS HTTP Request to a *.dapit .net domain (info.rules)
  • 2069218 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069219 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069220 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069221 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069222 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069223 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (balvlqts .cyou) (malware.rules)
  • 2069224 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (balvlqts .cyou) in TLS SNI (malware.rules)
  • 2069225 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069226 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069227 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069228 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069229 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069230 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069231 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069232 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069233 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069234 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069235 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)
  • 2069236 - ET MALWARE Observed StealC_V2 Secondary Payload Request (GET) (malware.rules)

Pro:

  • 2867456 - ETPRO EXPLOIT Observed SQLi/Command Injection Attempt via FTP STOR Filename (exploit.rules)
  • 2867457 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867458 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867459 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867460 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867461 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867462 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867463 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867464 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867465 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867466 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867467 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867468 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867469 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867470 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867471 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867472 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867473 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867474 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867475 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867476 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867477 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867478 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867479 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867480 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867481 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2069172 - ET MALWARE BPFDoor ICMP Echo Request (malware.rules)
  • 2069173 - ET MALWARE BPFDoor ICMP Echo Reply (malware.rules)
  • 2801609 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic UNION SELECT (web_specific_apps.rules)
  • 2801610 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic INSERT (web_specific_apps.rules)
  • 2801611 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic DELETE (web_specific_apps.rules)
  • 2801612 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic ASCII (web_specific_apps.rules)
  • 2801613 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic UPDATE (web_specific_apps.rules)