Ruleset Update Summary - 2026/06/10 - v11211

Ruleset Updates
1

Summary:

25 new OPEN, 50 new PRO (25 + 25)

Added rules:

Open:

  • 2069878 - ET MALWARE PackClient RAT CnC Checkin M1 (malware.rules)
  • 2069879 - ET MALWARE PackClient RAT CnC Checkin M2 (malware.rules)
  • 2069880 - ET MALWARE PackClient RAT CnC Checkin M2 - C2 Response (malware.rules)
  • 2069881 - ET MALWARE PackClient RAT Payload Request (malware.rules)
  • 2069882 - ET MALWARE PackClient RAT Payload Request - C2 Response (malware.rules)
  • 2069883 - ET MALWARE PackClient RAT Payload Data Recieved Acknowledgement (malware.rules)
  • 2069884 - ET MALWARE PackClient RAT Status Checkin Message - From Client (malware.rules)
  • 2069885 - ET MALWARE PackClient RAT Status Checkin Message - From Server (malware.rules)
  • 2069886 - ET MALWARE PackClient RAT Client Heartbeat (malware.rules)
  • 2069887 - ET MALWARE PackClient RAT Heartbeat Response From C2 (malware.rules)
  • 2069888 - ET MALWARE PackClient RAT C2 Information Request (malware.rules)
  • 2069889 - ET MALWARE PackClient RAT C2 Information Request - Client Response (malware.rules)
  • 2069890 - ET MALWARE PackClient RAT Desktop Screen Capture Exfiltration (malware.rules)
  • 2069891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (saffronecho .top) (exploit_kit.rules)
  • 2069892 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (saffronecho .top) (exploit_kit.rules)
  • 2069893 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vanderaeijden .lol) (exploit_kit.rules)
  • 2069894 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vanderaeijden .lol) (exploit_kit.rules)
  • 2069895 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (autoupdaters .com) (exploit_kit.rules)
  • 2069896 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (autoupdatet .com) (exploit_kit.rules)
  • 2069897 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (autoupdatethis .com) (exploit_kit.rules)
  • 2069898 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (updatemsnow .com) (exploit_kit.rules)
  • 2069899 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (autoupdaters .com) (exploit_kit.rules)
  • 2069900 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (autoupdatet .com) (exploit_kit.rules)
  • 2069901 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (autoupdatethis .com) (exploit_kit.rules)
  • 2069902 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (updatemsnow .com) (exploit_kit.rules)

Pro:

  • 2867680 - ETPRO PHISHING TA2730 Landing Page Filter 2026-06-09 (phishing.rules)
  • 2867681 - ETPRO MALWARE Google Chrome Fake Updates Landing Page Observed (malware.rules)
  • 2867682 - ETPRO MALWARE Google Chrome Fake Updates CnC Javascript Payload (malware.rules)
  • 2867683 - ETPRO MALWARE Google Chrome Fake Updates CnC Beacon via Telegram (malware.rules)
  • 2867684 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867685 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867686 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867687 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867688 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867689 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867690 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867691 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867692 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867693 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867694 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867695 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867696 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867697 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867698 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867699 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867701 - ETPRO EXPLOIT_KIT Clearfake Fetch Resource M1 (exploit_kit.rules)
  • 2867702 - ETPRO EXPLOIT_KIT Clearfake Fetch Resource M2 (exploit_kit.rules)
  • 2867703 - ETPRO EXPLOIT_KIT Clearfake Fetch Resource M3 (exploit_kit.rules)
  • 2867704 - ETPRO EXPLOIT_KIT Clearfake Fetch Resource M4 (exploit_kit.rules)
  • 2867705 - ETPRO EXPLOIT_KIT Clearfake Fetch Resource M5 (exploit_kit.rules)