Ruleset Update Summary - 2026/05/28 - v11202

Ruleset Updates
1

Summary:

14 new OPEN, 21 new PRO (14 + 7)

Added rules:

Open:

  • 2069464 - ET MALWARE Gh0st RAT Variant CnC Domain in DNS Lookup (kele12 .vip) (malware.rules)
  • 2069465 - ET MALWARE Gh0st RAT Variant CNC Checkin Attempt (malware.rules)
  • 2069466 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weekfoc .cyou) (malware.rules)
  • 2069467 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weekfoc .cyou) in TLS SNI (malware.rules)
  • 2069468 - ET WEB_SPECIFIC_APPS TYPO3 CMS ceselector Extension Object Injection via Insecure Deserialization (CVE-2026-46725) (web_specific_apps.rules)
  • 2069469 - ET WEB_SPECIFIC_APPS Next.js WebSocket Upgrade Handler Server-Side Request Forgery (CVE-2026-44578) (web_specific_apps.rules)
  • 2069470 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (smoothcompass .top) (exploit_kit.rules)
  • 2069471 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (smoothcompass .top) (exploit_kit.rules)
  • 2069472 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (dl .overscaleconsulting .com) (malware.rules)
  • 2069473 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (dl .overscaleconsulting .com) (malware.rules)
  • 2069474 - ET EXPLOIT Apache Tomcat Tribes EncryptInterceptor Bypass Remote Code Execution (CVE-2026-34486) (exploit.rules)
  • 2069475 - ET WEB_SPECIFIC_APPS Apache ActiveMQ 6.x Default Unauthenticated API Access (CVE-2024-32114) M1 (web_specific_apps.rules)
  • 2069476 - ET WEB_SPECIFIC_APPS Apache ActiveMQ 6.x Unauthenticated API Access (CVE-2024-32114) M2 (web_specific_apps.rules)
  • 2069477 - ET HUNTING HTTP Request Body Longer Than Content-Length Specifies - Investigate Possible Overflow Activity (hunting.rules)

Pro:

  • 2867583 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867584 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867585 - ETPRO HUNTING Microsoft Windows UnDefend Defender Bypass - API Imports Fingerprint (CVE-2026-45498) (hunting.rules)
  • 2867586 - ETPRO HUNTING Microsoft Windows UnDefend Defender Bypass - Embedded Strings (CVE-2026-45498) (hunting.rules)
  • 2867587 - ETPRO HUNTING Microsoft Windows MiniPlasma WER QueueReporting Task EoP (CVE-2020-17103) (hunting.rules)
  • 2867588 - ETPRO HUNTING Microsoft Windows RedSun Defender EoP (CVE-2026-410091) (hunting.rules)
  • 2867589 - ETPRO HUNTING Microsoft Windows GreenPlasma CTFMON Arbitrary Section Creation EoP (hunting.rules)

Modified inactive rules:

  • 2867415 - ETPRO HUNTING FastCGI IPC ReadParams Abnormal Behavior MSB Set (hunting.rules)

Disabled and modified rules:

  • 2069427 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crystalrocketlab .top) (exploit_kit.rules)
  • 2069428 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucidgardenhub .top) (exploit_kit.rules)
  • 2069429 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (silentquarry .top) (exploit_kit.rules)
  • 2069430 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thunderplanethub .top) (exploit_kit.rules)
  • 2069431 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bluecompass .top) (exploit_kit.rules)
  • 2069432 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crystalrocketlab .top) (exploit_kit.rules)
  • 2069433 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucidgardenhub .top) (exploit_kit.rules)
  • 2069434 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (silentquarry .top) (exploit_kit.rules)
  • 2069435 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thunderplanethub .top) (exploit_kit.rules)
  • 2069436 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bluecompass .top) (exploit_kit.rules)