Ruleset Update Summary - 2026/05/18 - v11195

Summary:

19 new OPEN, 32 new PRO (19 + 13)
Added rules:

Open:

  • 2069316 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (silenttunnelzone .top) (exploit_kit.rules)
  • 2069317 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (whiteharvest .top) (exploit_kit.rules)
  • 2069318 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (silenttunnelzone .top) (exploit_kit.rules)
  • 2069319 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (whiteharvest .top) (exploit_kit.rules)
  • 2069320 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shenyac .cyou) (malware.rules)
  • 2069321 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shenyac .cyou) in TLS SNI (malware.rules)
  • 2069322 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (store .greendreamcannabis .com) (malware.rules)
  • 2069323 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (store .greendreamcannabis .com) (malware.rules)
  • 2069324 - ET WEB_SPECIFIC_APPS Sitecore Experience Manager & Platform Hardcoded Credentials (CVE-2025-34509) (web_specific_apps.rules)
  • 2069325 - ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated Reflected Cross-site Scripting (CVE-2021-30119) M1 (web_specific_apps.rules)
  • 2069326 - ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated Reflected Cross-site Scripting (CVE-2021-30119) M2 (web_specific_apps.rules)
  • 2069327 - ET WEB_SPECIFIC_APPS Kaseya VSA Unauthenticated XML External Entity Injection (CVE-2021-30201) (web_specific_apps.rules)
  • 2069328 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (handyhank .net) (malware.rules)
  • 2069329 - ET MALWARE Observed DNS Query to RMM Payload Delivery Domain (salchipapaconmanjar .cl) (malware.rules)
  • 2069330 - ET MALWARE Observed RMM Payload Delivery Domain (handyhank .net in TLS SNI) (malware.rules)
  • 2069331 - ET MALWARE Observed RMM Payload Delivery Domain (salchipapaconmanjar .cl in TLS SNI) (malware.rules)
  • 2069332 - ET PHISHING Phish Link Click Confirmation via Telegram Bot (phishing.rules)
  • 2069333 - ET ATTACK_RESPONSE RMM Payload Delivery Page Observed (attack_response.rules)
  • 2069334 - ET ATTACK_RESPONSE ScreenConnect RMM Payload Delivered via Fake Docusign Page (attack_response.rules)

Pro:

  • 2867515 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867516 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867517 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867518 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867519 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867520 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867521 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867522 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867523 - ETPRO WEB_SPECIFIC_APPS Kaseya VSA Unauthenticated Arbitrary File Upload (CVE-2021-30118) (web_specific_apps.rules)
  • 2867524 - ETPRO PHISHING CoGUI Activity (POST) 2026-05-18 (phishing.rules)
  • 2867525 - ETPRO PHISHING CoGUI Activity (GET) M1 2026-05-18 (phishing.rules)
  • 2867526 - ETPRO PHISHING CoGUI Activity (GET) M2 2026-05-18 (phishing.rules)
  • 2867527 - ETPRO WEB_SPECIFIC_APPS Kaseya VSA Authenticated Local File Inclusion (CVE-2021-30121) (web_specific_apps.rules)