Ruleset Update Summary - 2026/05/20 - v11197

Ruleset Updates
1

Summary:

27 new OPEN, 34 new PRO (27 + 7)

Added rules:

Open:

  • 2069357 - ET INFO DNS Query to Online Application Hosting Domain (clickhouse .cloud) (info.rules)
  • 2069358 - ET INFO Observed Online Application Hosting Domain (clickhouse .cloud in TLS SNI) (info.rules)
  • 2069359 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (ep-lively-cherry-a80bmwii .eastus2 .azure .neon .tech) (malware.rules)
  • 2069360 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (vngz3ntdrb .us-east1 .gcp .clickhouse .cloud) (malware.rules)
  • 2069361 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (k135neflez .westus3 .azure .clickhouse .cloud) (malware.rules)
  • 2069362 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (vefbdzzuaadnascpeqcn .supabase .co) (malware.rules)
  • 2069363 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (muurfzqprzmdkzoibxaz .supabase .co) (malware.rules)
  • 2069364 - ET MALWARE The Gentlemen Ransomware Campaign Domain in DNS Lookup (borjumaniya .store) (malware.rules)
  • 2069365 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (ep-lively-cherry-a80bmwii .eastus2 .azure .neon .tech in TLS SNI) (malware.rules)
  • 2069366 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (vngz3ntdrb .us-east1 .gcp .clickhouse .cloud in TLS SNI) (malware.rules)
  • 2069367 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (k135neflez .westus3 .azure .clickhouse .cloud in TLS SNI) (malware.rules)
  • 2069368 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (vefbdzzuaadnascpeqcn .supabase .co in TLS SNI) (malware.rules)
  • 2069369 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (muurfzqprzmdkzoibxaz .supabase .co in TLS SNI) (malware.rules)
  • 2069370 - ET MALWARE Observed The Gentlemen Ransomware Campaign Domain (borjumaniya .store in TLS SNI) (malware.rules)
  • 2069371 - ET INFO DNS Query to Online Application Hosting Domain (neon .tech) (info.rules)
  • 2069372 - ET INFO Observed Online Application Hosting Domain (neon .tech in TLS SNI) (info.rules)
  • 2069373 - ET WEB_SPECIFIC_APPS ZTE teDataNotLoginData Parameter Authentication Bypass Attempt (CVE-2026-34472) (web_specific_apps.rules)
  • 2069374 - ET WEB_SPECIFIC_APPS MedDream PACS Premium cecho.php SSRF Attempt (CVE-2025-24485) (web_specific_apps.rules)
  • 2069375 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (api-v4 .printondemandmerchandise .com) (malware.rules)
  • 2069376 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api-v4 .printondemandmerchandise .com) (malware.rules)
  • 2069377 - ET INFO DYNAMIC_DNS Query to a *.sgmlguru .org domain (info.rules)
  • 2069378 - ET INFO DYNAMIC_DNS HTTP Request to a *.sgmlguru .org domain (info.rules)
  • 2069379 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tangmwp .club) (malware.rules)
  • 2069380 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tangmwp .club) in TLS SNI (malware.rules)
  • 2069381 - ET HUNTING Observed DNS Query to Suspicious Domain (bromechoku .com) (hunting.rules)
  • 2069382 - ET HUNTING Observed Suspicious Domain (bromechoku .com in TLS SNI) (hunting.rules)
  • 2069383 - ET HUNTING Cloudflare API Zone List Request (GET) (hunting.rules)

Pro:

  • 2867538 - ETPRO MALWARE Observed DNS Query to UNK_BudgetButcher Domain (malware.rules)
  • 2867539 - ETPRO MALWARE Observed UNK_BudgetButcher Domain in TLS SNI (malware.rules)
  • 2867540 - ETPRO MALWARE UNK_BudgetButcher CnC Beacon M1 (malware.rules)
  • 2867541 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867542 - ETPRO MALWARE UNK_BudgetButcher CnC Beacon M2 (malware.rules)
  • 2867543 - ETPRO MALWARE UNK_BudgetButcher CnC Beacon Response (malware.rules)
  • 2867544 - ETPRO MALWARE UNK_BudgetButcher CnC Beacon M3 (malware.rules)