Ruleset Update Summary - 2026/05/26 - v11200

Ruleset Updates
1

Summary:

49 new OPEN, 59 new PRO (49 + 10)

Added rules:

Open:

  • 2069395 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (lolfler .lol) (exploit_kit.rules)
  • 2069396 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (dalindo .lol) (exploit_kit.rules)
  • 2069397 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vandenheuvll .lol) (exploit_kit.rules)
  • 2069398 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ackerkann .lol) (exploit_kit.rules)
  • 2069399 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (lolfler .lol) (exploit_kit.rules)
  • 2069400 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (dalindo .lol) (exploit_kit.rules)
  • 2069401 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vandenheuvll .lol) (exploit_kit.rules)
  • 2069402 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ackerkann .lol) (exploit_kit.rules)
  • 2069403 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (consuus .cyou) (malware.rules)
  • 2069404 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (consuus .cyou) in TLS SNI (malware.rules)
  • 2069405 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cryofficesj .click) (malware.rules)
  • 2069406 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cryofficesj .click) in TLS SNI (malware.rules)
  • 2069407 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deadpannsjzvn .shop) (malware.rules)
  • 2069408 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deadpannsjzvn .shop) in TLS SNI (malware.rules)
  • 2069409 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diplokb .cyou) (malware.rules)
  • 2069410 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (diplokb .cyou) in TLS SNI (malware.rules)
  • 2069411 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (glowscarrytsv .sbs) (malware.rules)
  • 2069412 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (glowscarrytsv .sbs) in TLS SNI (malware.rules)
  • 2069413 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crystalrocketlab .top) (exploit_kit.rules)
  • 2069414 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucidgardenhub .top) (exploit_kit.rules)
  • 2069415 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (silentquarry .top) (exploit_kit.rules)
  • 2069416 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thunderplanethub .top) (exploit_kit.rules)
  • 2069417 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bluecompass .top) (exploit_kit.rules)
  • 2069418 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crystalrocketlab .top) (exploit_kit.rules)
  • 2069419 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucidgardenhub .top) (exploit_kit.rules)
  • 2069420 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (silentquarry .top) (exploit_kit.rules)
  • 2069421 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thunderplanethub .top) (exploit_kit.rules)
  • 2069422 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bluecompass .top) (exploit_kit.rules)
  • 2069423 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .houston-familyoffice .com) (malware.rules)
  • 2069424 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .quantumconcretecoatings .com) (malware.rules)
  • 2069425 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .houston-familyoffice .com) (malware.rules)
  • 2069426 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .quantumconcretecoatings .com) (malware.rules)
  • 2069427 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crystalrocketlab .top) (exploit_kit.rules)
  • 2069428 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucidgardenhub .top) (exploit_kit.rules)
  • 2069429 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (silentquarry .top) (exploit_kit.rules)
  • 2069430 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thunderplanethub .top) (exploit_kit.rules)
  • 2069431 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bluecompass .top) (exploit_kit.rules)
  • 2069432 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crystalrocketlab .top) (exploit_kit.rules)
  • 2069433 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucidgardenhub .top) (exploit_kit.rules)
  • 2069434 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (silentquarry .top) (exploit_kit.rules)
  • 2069435 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thunderplanethub .top) (exploit_kit.rules)
  • 2069436 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bluecompass .top) (exploit_kit.rules)
  • 2069437 - ET PHISHING Generic Fake Document Landing Page 2026-05-26 (phishing.rules)
  • 2069438 - ET PHISHING Generic Fake Document Landing Page Hosted On kuse .ai (phishing.rules)
  • 2069439 - ET PHISHING O365 Phishing Landing Page Observed (phishing.rules)
  • 2069440 - ET INFO Observed DNS Query to Commonly Abused Online Service Domain (app .kuse .ai) (info.rules)
  • 2069441 - ET INFO Observed Commonly Abused Online Service Domain (app .kuse .ai in TLS SNI) (info.rules)
  • 2069442 - ET INFO Observed DNS Query to Commonly Abused Online Service Domain (myportfolio .com) (info.rules)
  • 2069443 - ET INFO Observed Commonly Abused Online Service Domain (myportfolio .com in TLS SNI) (info.rules)

Pro:

  • 2867570 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867571 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867572 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867573 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867574 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867575 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867576 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867577 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867578 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2867579 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)