Summary:
16 new OPEN, 30 new PRO (16 + 14)
Added rules:
Open:
- 2033545 - ET HUNTING ysoserial.NET Payload in HTTP Header (Spring1/Spring2) M1 (hunting.rules)
- 2069649 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jclforwarding .com) (exploit_kit.rules)
- 2069650 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (check .first-node .rocks) (exploit_kit.rules)
- 2069651 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jclforwarding .com) (exploit_kit.rules)
- 2069652 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (check .first-node .rocks) (exploit_kit.rules)
- 2069653 - ET WEB_SPECIFIC_APPS Gitea Container Registry Unauthorized Private Image Access (CVE-2026-27771) (web_specific_apps.rules)
- 2069654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vividtunnellab .top) (exploit_kit.rules)
- 2069655 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vividtunnellab .top) (exploit_kit.rules)
- 2069656 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rueckec .lol) (exploit_kit.rules)
- 2069657 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rueckec .lol) (exploit_kit.rules)
- 2069658 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .nynovation .com) (malware.rules)
- 2069659 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .nynovation .com) (malware.rules)
- 2069660 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (politoe .pics) (malware.rules)
- 2069661 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (politoe .pics) in TLS SNI (malware.rules)
- 2069662 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starexs .bet) (malware.rules)
- 2069663 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starexs .bet) in TLS SNI (malware.rules)
Pro:
- 2867636 - ETPRO HUNTING Ivanti Connect Secure TOTP Authentication Bypass (hunting.rules)
- 2867637 - ETPRO WEB_SPECIFIC_APPS Laravel Livewire Remote Command Execution (CVE-2025-54068) (web_specific_apps.rules)
- 2867638 - ETPRO WEB_SERVER Cisco vManage XML External Entity (CVE-2026-20224) (web_server.rules)
- 2867639 - ETPRO EXPLOIT Microsoft Word Remote Code Execution (CVE-2026-40361) (exploit.rules)
- 2867640 - ETPRO HUNTING Microsoft Windows search URI Handler NTLM Coercion M1 (hunting.rules)
- 2867641 - ETPRO HUNTING Microsoft Windows search URI Handler NTLM Coercion M2 (hunting.rules)
- 2867642 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2867643 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2867644 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2867645 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2867646 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2867647 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2867648 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2867649 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
Removed rules:
- 2033545 - ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M1 (exploit.rules)