Ruleset Update Summary - 2026/06/03 - v11206

rulesbot · June 3, 2026, 8:50pm

Summary:

39 new OPEN, 51 new PRO (39 + 12)

Added rules:

Open:

2069610 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (centuriontech .com) (info.rules)
2069611 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (centuriontech .com) (info.rules)
2069612 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .remotedesktop .google .com) (info.rules)
2069613 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .remotedesktop .google .com) (info.rules)
2069614 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .remotedesktop-pa .googleapis .com) (info.rules)
2069615 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .remotedesktop-pa .googleapis .com) (info.rules)
2069616 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (chromoting-client .talkgadget .google .com) (info.rules)
2069617 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (chromoting-client .talkgadget .google .com) (info.rules)
2069618 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (chromoting-host .talkgadget .google .com) (info.rules)
2069619 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (chromoting-host .talkgadget .google .com) (info.rules)
2069620 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (chromoting-oauth .talkgadget .google .com) (info.rules)
2069621 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (chromoting-oauth .talkgadget .google .com) (info.rules)
2069622 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .hostedrmm .com) (info.rules)
2069623 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .hostedrmm .com) (info.rules)
2069624 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (live .screenconnect .com) (info.rules)
2069625 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (live .screenconnect .com) (info.rules)
2069626 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (control .connectwise .com) (info.rules)
2069627 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (control .connectwise .com) (info.rules)
2069628 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .crossloop .com) (info.rules)
2069629 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .crossloop .com) (info.rules)
2069630 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (crossloop .en .softonic .com) (info.rules)
2069631 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (crossloop .en .softonic .com) (info.rules)
2069632 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .dwservice .net) (info.rules)
2069633 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .dwservice .net) (info.rules)
2069634 - ET INFO DYNAMIC_DNS Query to a *.commwebworks .com domain (info.rules)
2069635 - ET INFO DYNAMIC_DNS HTTP Request to a *.commwebworks .com domain (info.rules)
2069636 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elegantlawwen .run) (malware.rules)
2069637 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (elegantlawwen .run) in TLS SNI (malware.rules)
2069638 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (movementby .cyou) (malware.rules)
2069639 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (movementby .cyou) in TLS SNI (malware.rules)
2069640 - ET INFO Observed Javascript for User Fingerprinting (info.rules)
2069641 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (bernardi .lol) (exploit_kit.rules)
2069642 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (bernardi .lol) (exploit_kit.rules)
2069643 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ironsignal .top) (exploit_kit.rules)
2069644 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucidgrovelab .top) (exploit_kit.rules)
2069645 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ironsignal .top) (exploit_kit.rules)
2069646 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucidgrovelab .top) (exploit_kit.rules)
2069647 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (api .oysterfloats .com) (malware.rules)
2069648 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api .oysterfloats .com) (malware.rules)

Pro:

2867624 - ETPRO MALWARE Observed DNS Query to TA2730 Domain (malware.rules)
2867625 - ETPRO MALWARE Observed TA2730 Domain in TLS SNI (malware.rules)
2867626 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2867627 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2867628 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2867629 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2867630 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2867631 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2867632 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2867633 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2867634 - ETPRO PHISHING Observed TA2728 Domain in DNS Lookup (phishing.rules)
2867635 - ETPRO PHISHING Observed TA2728 Domain in TLS SNI Lookup (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2026/06/02 - v11205 Ruleset Updates	33	June 2, 2026
Ruleset Update Summary - 2026/02/09 - v11121 Ruleset Updates	77	February 9, 2026
Ruleset Update Summary - 2026/04/27 - v11180 Ruleset Updates	56	April 27, 2026
Ruleset Update Summary - 2026/04/13 - v11170 Ruleset Updates	78	April 13, 2026
Ruleset Update Summary - 2026/04/03 - v11164 Ruleset Updates	70	April 3, 2026

Ruleset Update Summary - 2026/06/03 - v11206

Summary:

Added rules:

Open:

Pro:

Related topics