Ruleset Update Summary - 2026/06/04 - v11207

Summary:

16 new OPEN, 30 new PRO (16 + 14)


Added rules:

Open:

  • 2033545 - ET HUNTING ysoserial.NET Payload in HTTP Header (Spring1/Spring2) M1 (hunting.rules)
  • 2069649 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jclforwarding .com) (exploit_kit.rules)
  • 2069650 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (check .first-node .rocks) (exploit_kit.rules)
  • 2069651 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jclforwarding .com) (exploit_kit.rules)
  • 2069652 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (check .first-node .rocks) (exploit_kit.rules)
  • 2069653 - ET WEB_SPECIFIC_APPS Gitea Container Registry Unauthorized Private Image Access (CVE-2026-27771) (web_specific_apps.rules)
  • 2069654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vividtunnellab .top) (exploit_kit.rules)
  • 2069655 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vividtunnellab .top) (exploit_kit.rules)
  • 2069656 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rueckec .lol) (exploit_kit.rules)
  • 2069657 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rueckec .lol) (exploit_kit.rules)
  • 2069658 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .nynovation .com) (malware.rules)
  • 2069659 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .nynovation .com) (malware.rules)
  • 2069660 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (politoe .pics) (malware.rules)
  • 2069661 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (politoe .pics) in TLS SNI (malware.rules)
  • 2069662 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starexs .bet) (malware.rules)
  • 2069663 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starexs .bet) in TLS SNI (malware.rules)

Pro:

  • 2867636 - ETPRO HUNTING Ivanti Connect Secure TOTP Authentication Bypass (hunting.rules)
  • 2867637 - ETPRO WEB_SPECIFIC_APPS Laravel Livewire Remote Command Execution (CVE-2025-54068) (web_specific_apps.rules)
  • 2867638 - ETPRO WEB_SERVER Cisco vManage XML External Entity (CVE-2026-20224) (web_server.rules)
  • 2867639 - ETPRO EXPLOIT Microsoft Word Remote Code Execution (CVE-2026-40361) (exploit.rules)
  • 2867640 - ETPRO HUNTING Microsoft Windows search URI Handler NTLM Coercion M1 (hunting.rules)
  • 2867641 - ETPRO HUNTING Microsoft Windows search URI Handler NTLM Coercion M2 (hunting.rules)
  • 2867642 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867643 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867644 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867645 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867646 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867647 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867648 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867649 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Removed rules:

  • 2033545 - ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M1 (exploit.rules)