Ruleset Update Summary - 2026/05/22 - v11199

Ruleset Updates
1

Summary:

7 new OPEN, 24 new PRO (7 + 17)

Note: There will be no rule release on Monday, May 25th on account of it being both a US and UK holiday.

Added rules:

Open:

  • 2069388 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (dl .emergencepsychservices .com) (malware.rules)
  • 2069389 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (dl .emergencepsychservices .com) (malware.rules)
  • 2069390 - ET WEB_SPECIFIC_APPS SEPPmail Gateway GINA v2 Environment Variables Disclosure (CVE-2026-7864) (web_specific_apps.rules)
  • 2069391 - ET WEB_SPECIFIC_APPS SEPPmail Gateway GINA v2 Arbitrary File Read (CVE-2026-44127) (web_specific_apps.rules)
  • 2069392 - ET WEB_SPECIFIC_APPS SEPPmail Gateway GINA v2 Command Injection (CVE-2026-44128) (web_specific_apps.rules)
  • 2069393 - ET WEB_SPECIFIC_APPS SEPPmail Gateway RCE via Arbitrary File Write (CVE-2026-2743) (web_specific_apps.rules)
  • 2069394 - ET WEB_SPECIFIC_APPS Apache HertzBeat 1.8.0 Authenticated Remote Code Execution (web_specific_apps.rules)

Pro:

  • 2850934 - ETPRO MALWARE Double Extension PIF Download from Google Drive (malware.rules)
  • 2867554 - ETPRO HUNTING Observed Base64 Encoded Wide String Inbound ($env:APPDATA) M2 (hunting.rules)
  • 2867555 - ETPRO HUNTING Observed Base64 Encoded Wide String Inbound ($env:APPDATA) M3 (hunting.rules)
  • 2867556 - ETPRO WEB_SPECIFIC_APPS Drupal Core DB Abstraction API SQL Injection (CVE-2026-9082) M1 (web_specific_apps.rules)
  • 2867557 - ETPRO WEB_SPECIFIC_APPS Drupal Core DB Abstraction API SQL Injection (CVE-2026-9082) M2 (web_specific_apps.rules)
  • 2867558 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867559 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867560 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867561 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867562 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867563 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867564 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867565 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867566 - ETPRO MALWARE MaskGramStealer CnC Connectivity Check (malware.rules)
  • 2867567 - ETPRO MALWARE MaskGramStealer Request to CnC Config Hosted on Telegram (malware.rules)
  • 2867568 - ETPRO WEB_SPECIFIC_APPS Arcane Backend GitOps Management Unauthenticated Remote Code Execution (CVE-2026-45625) M1 (web_specific_apps.rules)
  • 2867569 - ETPRO WEB_SPECIFIC_APPS Arcane Backend GitOps Management Unauthenticated Remote Code Execution (CVE-2026-45625) M2 (web_specific_apps.rules)

Removed rules:

  • 2850934 - ETPRO HUNTING Double Extension PIF Download from Google Drive (hunting.rules)