Ruleset Update Summary - 2026/05/11 - v11190

Ruleset Updates
1

Summary:

29 new OPEN, 31 new PRO (29 + 2)

Added rules:

Open:

  • 2069237 - ET INFO DYNAMIC_DNS Query to a *.redlight .li domain (info.rules)
  • 2069238 - ET INFO DYNAMIC_DNS HTTP Request to a *.redlight .li domain (info.rules)
  • 2069239 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (meiddlesrsnzop .shop) (malware.rules)
  • 2069240 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (meiddlesrsnzop .shop) in TLS SNI (malware.rules)
  • 2069241 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (milnleny .cyou) (malware.rules)
  • 2069242 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (milnleny .cyou) in TLS SNI (malware.rules)
  • 2069243 - ET INFO DYNAMIC_DNS Query to a *.choicharlie .com domain (info.rules)
  • 2069244 - ET INFO DYNAMIC_DNS HTTP Request to a *.choicharlie .com domain (info.rules)
  • 2069245 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (api-v2 .needlestich .com) (malware.rules)
  • 2069246 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api-v2 .needlestich .com) (malware.rules)
  • 2069247 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (fontanf .lol) (exploit_kit.rules)
  • 2069248 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (bradtte .lol) (exploit_kit.rules)
  • 2069249 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (fontanf .lol) (exploit_kit.rules)
  • 2069250 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (bradtte .lol) (exploit_kit.rules)
  • 2069251 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (primegridhub .top) (exploit_kit.rules)
  • 2069252 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (primegridhub .top) (exploit_kit.rules)
  • 2069253 - ET MALWARE Italiano Stealerano CnC Instruction Request (GET) (malware.rules)
  • 2069254 - ET MALWARE HumanitarianBait Infostealer CnC File Exfil (malware.rules)
  • 2069255 - ET MALWARE Italiano Stealerano CnC Command Inbound (Powershell Command Permission Exclusion) (malware.rules)
  • 2069256 - ET MALWARE Observed DNS Query to RAT Delivery Domain (hiiighway .com) (malware.rules)
  • 2069257 - ET MALWARE Observed DNS Query to RAT Delivery Domain (download-tenderportal .com) (malware.rules)
  • 2069258 - ET MALWARE Observed DNS Query to RAT Delivery Domain (truckstoponboarding .com) (malware.rules)
  • 2069259 - ET MALWARE Observed DNS Query to RAT Delivery Domain (mytenderportal .com) (malware.rules)
  • 2069260 - ET MALWARE Observed RAT Delivery Domain (hiiighway .com in TLS SNI) (malware.rules)
  • 2069261 - ET MALWARE Observed RAT Delivery Domain (download-tenderportal .com in TLS SNI) (malware.rules)
  • 2069262 - ET MALWARE Observed RAT Delivery Domain (truckstoponboarding .com in TLS SNI) (malware.rules)
  • 2069263 - ET MALWARE Observed RAT Delivery Domain (mytenderportal .com in TLS SNI) (malware.rules)
  • 2069264 - ET MALWARE MagicG Stealer Exfil (POST) (malware.rules)
  • 2069265 - ET MALWARE MagicG Stealer CnC Exfil Confirmation (malware.rules)

Pro:

  • 2867482 - ETPRO EXPLOIT OpenAM Pre-Auth Deserialization RCE Attempt (CVE-2026-33439) (exploit.rules)
  • 2867483 - ETPRO EXPLOIT Apache ActiveMQ - Remote Code Execution via HTTP Discovery Transport Bypass (CVE-2026-40466) (exploit.rules)

Disabled and modified rules:

  • 2069174 - ET MALWARE BPFDoor ICMP Echo Reply, Heartbeat (Outbound) (malware.rules)
  • 2069175 - ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound) (malware.rules)