Ruleset Update Summary - 2026/05/27 - v11201

Ruleset Updates
1

Summary:

21 new OPEN, 24 new PRO (21 + 3)

Added rules:

Open:

  • 2060957 - ET MALWARE Windows Shortcut Link Padded Whitespace in Command Line Arguments (ZDI-CAN-25373) (malware.rules)
  • 2069444 - ET MALWARE MacSync Stealer Exfil (PUT) (malware.rules)
  • 2069445 - ET ATTACK_RESPONSE MacSync Stealer Payload Inbound (attack_response.rules)
  • 2069446 - ET ATTACK_RESPONSE MacSync Stealer Stage 2 Payload Inbound (attack_response.rules)
  • 2069447 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (byrnewealthmanagement .com) (malware.rules)
  • 2069448 - ET MALWARE Observed DNS Query to MacSync Stealer Domain (marbellaresales .com) (malware.rules)
  • 2069449 - ET MALWARE Observed MacSync Stealer Domain (byrnewealthmanagement .com in TLS SNI) (malware.rules)
  • 2069450 - ET MALWARE Observed MacSync Stealer Domain (marbellaresales .com in TLS SNI) (malware.rules)
  • 2069451 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (hiddenplanetlab .top) (exploit_kit.rules)
  • 2069452 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rapidcanvas .top) (exploit_kit.rules)
  • 2069453 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (hiddenplanetlab .top) (exploit_kit.rules)
  • 2069454 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rapidcanvas .top) (exploit_kit.rules)
  • 2069455 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (listings .mildecommercialrealestate .com) (malware.rules)
  • 2069456 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (listings .mildecommercialrealestate .com) (malware.rules)
  • 2069457 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (eegelhardt .lol) (exploit_kit.rules)
  • 2069458 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (hartunh .lol) (exploit_kit.rules)
  • 2069459 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (eegelhardt .lol) (exploit_kit.rules)
  • 2069460 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (hartunh .lol) (exploit_kit.rules)
  • 2069461 - ET INFO DYNAMIC_DNS Query to a *.srivaishnavam .org .au domain (info.rules)
  • 2069462 - ET INFO DYNAMIC_DNS HTTP Request to a *.srivaishnavam .org .au domain (info.rules)
  • 2069463 - ET INFO Telegram 409 Error Response, Failed Fetch /getUpdates due to Multiple Bot Instances (info.rules)

Pro:

  • 2867580 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867581 - ETPRO MALWARE NinjaRAT CnC Activity (Client Exfil) (malware.rules)
  • 2867582 - ETPRO MALWARE NinjaRAT CnC Activity (Client Exfil Response) (malware.rules)

Removed rules:

  • 2060957 - ET HUNTING Windows Shortcut Link Padded Whitespace in Command Line Arguments (ZDI-CAN-25373) (hunting.rules)