Ruleset Update Summary - 2026/05/14 - v11193

rulesbot · May 14, 2026, 9:42pm

Summary:

28 new OPEN, 28 new PRO (28 + 0)

Thanks @PB22

Added rules:

Open:

2069280 - ET MALWARE Observed DNS Query to Sainbox Domain (malware.rules)
2069281 - ET MALWARE Observed Sainbox Domain in TLS SNI (malware.rules)
2069282 - ET MALWARE SainboxRAT CnC Config Request (malware.rules)
2069283 - ET MALWARE SainboxRAT CnC Config Inbound (malware.rules)
2069284 - ET MALWARE SainboxRAT CnC Checkin (malware.rules)
2069285 - ET INFO DYNAMIC_DNS Query to a *.thongthaitextile .com domain (info.rules)
2069286 - ET INFO DYNAMIC_DNS HTTP Request to a *.thongthaitextile .com domain (info.rules)
2069287 - ET INFO DYNAMIC_DNS Query to a *.colloky .com .pe domain (info.rules)
2069288 - ET INFO DYNAMIC_DNS HTTP Request to a *.colloky .com .pe domain (info.rules)
2069289 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (markzsa .cyou) (malware.rules)
2069290 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (markzsa .cyou) in TLS SNI (malware.rules)
2069291 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (correia .lol) (exploit_kit.rules)
2069292 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (correia .lol) (exploit_kit.rules)
2069293 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (static .alfreshup .com) (malware.rules)
2069294 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (static .alfreshup .com) (malware.rules)
2069295 - ET MALWARE Observed DNS Query to ClickFix Attack Chain Domain (dynamiclanternsystem .com) (malware.rules)
2069296 - ET MALWARE Observed DNS Query to ClickFix Attack Chain Domain (api .wigetticks .com) (malware.rules)
2069297 - ET MALWARE Observed DNS Query to ClickFix Attack Chain Domain (netdeveloper .app) (malware.rules)
2069298 - ET MALWARE Observed ClickFix Attack Chain Domain (dynamiclanternsystem .com in TLS SNI) (malware.rules)
2069299 - ET MALWARE Observed ClickFix Attack Chain Domain (api .wigetticks .com in TLS SNI) (malware.rules)
2069300 - ET MALWARE Observed ClickFix Attack Chain Domain (netdeveloper .app in TLS SNI) (malware.rules)
2069301 - ET MALWARE Observed ClickFix Loader Inbound (malware.rules)
2069302 - ET MALWARE EARTHWORM SOCKS Reverse Proxy Initial Setup Request (malware.rules)
2069303 - ET MALWARE EARTHWORM SOCKS Reverse Proxy Server Response (malware.rules)
2069304 - ET MALWARE EARTHWORM SOCKS Reverse Proxy Assign Pool Number Request (malware.rules)
2069305 - ET MALWARE EARTHWORM SOCKS Reverse Proxy Tunnel Request (malware.rules)
2069306 - ET MALWARE EARTHWORM SOCKS Proxy Tunnel Response (malware.rules)
2069307 - ET MALWARE EARTHWORM SOCKS Proxy Tunnel Post Setup Request (malware.rules)

Modified inactive rules:

2069172 - ET MALWARE BPFDoor ICMP Echo Request (malware.rules)
2069173 - ET MALWARE BPFDoor ICMP Echo Reply (malware.rules)
2069174 - ET MALWARE BPFDoor ICMP Echo Reply, Heartbeat (Outbound) (malware.rules)
2069175 - ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/03/06 - v11141 Ruleset Updates	118	March 6, 2026
Ruleset Update Summary - 2026/04/13 - v11170 Ruleset Updates	77	April 13, 2026
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	358	March 25, 2024
Ruleset Update Summary - 2025/09/24 - v11023 Ruleset Updates	75	September 24, 2025
Ruleset Update Summary - 2026/03/23 - v11155 Ruleset Updates	83	March 23, 2026

Ruleset Update Summary - 2026/05/14 - v11193

Summary:

Added rules:

Open:

Modified inactive rules:

Related topics