Summary:
15 new OPEN, 29 new PRO (15 + 14)
Added rules:
Open:
- 2069903 - ET MOBILE_MALWARE NSO Group Spyware Domain in DNS Lookup (khwancast .com) (mobile_malware.rules)
- 2069904 - ET MOBILE_MALWARE NSO Group Spyware Domain in DNS Lookup (ghazacast .com) (mobile_malware.rules)
- 2069905 - ET MOBILE_MALWARE NSO Group Spyware Domain in DNS Lookup (fr24cast .com) (mobile_malware.rules)
- 2069906 - ET MOBILE_MALWARE NSO Group Spyware Domain in TLS SNI (khwancast .com) (mobile_malware.rules)
- 2069907 - ET MOBILE_MALWARE NSO Group Spyware Domain in TLS SNI (ghazacast .com) (mobile_malware.rules)
- 2069908 - ET MOBILE_MALWARE NSO Group Spyware Domain in TLS SNI (fr24cast .com) (mobile_malware.rules)
- 2069909 - ET WEB_SPECIFIC_APPS Ivanti Sentry handleMessage commandexec Pre-Auth Command Injection Attempt (CVE-2026-10520) (web_specific_apps.rules)
- 2069910 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (claimsj .cyou) (malware.rules)
- 2069911 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (claimsj .cyou) in TLS SNI (malware.rules)
- 2069912 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curved-goose .cyou) (malware.rules)
- 2069913 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (curved-goose .cyou) in TLS SNI (malware.rules)
- 2069914 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (passedt .cyou) (malware.rules)
- 2069915 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (passedt .cyou) in TLS SNI (malware.rules)
- 2069916 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (alabastermarket .top) (exploit_kit.rules)
- 2069917 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (alabastermarket .top) (exploit_kit.rules)
Pro:
- 2809197 - ETPRO RETIRED SChannel Possible Heap Overflow ECDSAWithSHA256 CVE-2014-6321 (retired.rules)
- 2867706 - ETPRO EXPLOIT_KIT Clearfake Javascript Loader 2026-06-10 (exploit_kit.rules)
- 2867707 - ETPRO HUNTING Calendar Invite .ics with Excessive ORGANIZER Entries (hunting.rules)
- 2867708 - ETPRO WEB_SPECIFIC_APPS SAP NetWeaver SAML XML Signature Wrapping (CVE-2026-23687) (web_specific_apps.rules)
- 2867709 - ETPRO WEB_SPECIFIC_APPS LiteLLM MCP Preview Command Injection (CVE-2026-42271) (web_specific_apps.rules)
- 2867710 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2867711 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2867712 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2867713 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2867714 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2867715 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2867716 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2867717 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2867718 - ETPRO EXPLOIT_KIT ClearFake Update.js Powershell File Inbound 2026-06-11 (exploit_kit.rules)
Disabled and modified rules:
- 2069587 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (atera-agent-heartbeat .servicebus .windows .net) (info.rules)
- 2069588 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (atera-agent-heartbeat .servicebus .windows .net) (info.rules)
- 2069607 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .bluetrait .io) (info.rules)
- 2069608 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (* .bluetrait .io) (info.rules)
- 2808604 - ETPRO MALWARE W32.Virut IRC checkin (malware.rules)
- 2819805 - ETPRO MALWARE CryptXXX CnC Beacon (malware.rules)
- 2824545 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit) (malware.rules)
- 2828986 - ETPRO MALWARE SmokeLoader encrypted module (2) (malware.rules)
- 2829848 - ETPRO MALWARE SmokeLoader encrypted module (3) (malware.rules)
Removed rules:
- 2809197 - ETPRO EXPLOIT SChannel Possible Heap Overflow ECDSAWithSHA256 CVE-2014-6321 (exploit.rules)