Summary:
28 new OPEN, 40 new PRO (28 + 12)
In observance of an internal holiday, there will be no release on Friday, June 19, 2026.
Added rules:
Open:
- 2069971 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (park-lake .com) (exploit_kit.rules)
- 2069972 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (park-lake .com) (exploit_kit.rules)
- 2069973 - ET WEB_SPECIFIC_APPS Oracle PeopleSoft Integration Gateway HttpListeningConnector XXE (CVE-2013-3821) (web_specific_apps.rules)
- 2069974 - ET WEB_SPECIFIC_APPS Oracle PeopleSoft Integration Gateway PeopleSoftServiceListeningConnector XXE (CVE-2017-3548) (web_specific_apps.rules)
- 2069975 - ET MALWARE RevStealer CnC Domain in DNS Lookup (dash .scout-lens34 .xyz) (malware.rules)
- 2069976 - ET MALWARE Observed RevStealer Domain (dash .scout-lens34 .xyz in TLS SNI) (malware.rules)
- 2069977 - ET WEB_SPECIFIC_APPS Oracle PeopleSoft Apache Axis API XML Comment Injection (web_specific_apps.rules)
- 2069978 - ET WEB_SPECIFIC_APPS Atlassian Jira iconUriServlet SSRF (CVE-2017-9506) (web_specific_apps.rules)
- 2069979 - ET WEB_SPECIFIC_APPS Atlassian Jira makeRequest SSRF (CVE-2019-8451) (web_specific_apps.rules)
- 2069980 - ET MALWARE RevStealer Related Domain in DNS Lookup (proxy .willowfleet .click) (malware.rules)
- 2069981 - ET WEB_SPECIFIC_APPS Jenkins GitHub Plugin SSRF (CVE-2018-1000600) (web_specific_apps.rules)
- 2069982 - ET MALWARE Observed RevStealer Domain (proxy .willowfleet .click in TLS SNI) (malware.rules)
- 2069983 - ET WEB_SPECIFIC_APPS Jenkins Stapler Web Framework Remote Code Execution (CVE-2018-1000861) (web_specific_apps.rules)
- 2069984 - ET WEB_SPECIFIC_APPS Jenkins Script Security Plugin Sandbox Bypass (CVE-2019-1003000) (web_specific_apps.rules)
- 2069985 - ET MALWARE RevStealer CnC Checkin (malware.rules)
- 2069986 - ET MALWARE RevStealer Data Exfiltration Attempt M1 (malware.rules)
- 2069987 - ET WEB_SPECIFIC_APPS TOTOLINK N300RH Stack-based Buffer Overflow (CVE-2026-10187) (web_specific_apps.rules)
- 2069988 - ET MALWARE RevStealer Data Exfiltration Attempt M2 (malware.rules)
- 2069989 - ET MALWARE RevStealer Sync Request (malware.rules)
- 2069990 - ET MALWARE RevStealer dl_exec Command from C2 (malware.rules)
- 2069991 - ET MALWARE RevStealer Ping (Keep-Alive) (malware.rules)
- 2069992 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (corraia .icu) (exploit_kit.rules)
- 2069993 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (corraia .icu) (exploit_kit.rules)
- 2069994 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (animal-zoo-lake .com) (exploit_kit.rules)
- 2069995 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (animal-zoo-lake .com) (exploit_kit.rules)
- 2069996 - ET INFO DYNAMIC_DNS Query to a *.juk .fi domain (info.rules)
- 2069997 - ET INFO DYNAMIC_DNS HTTP Request to a *.juk .fi domain (info.rules)
- 2069998 - ET EXPLOIT_KIT Balada Javascript Inject Observed (exploit_kit.rules)
Pro:
- 2867747 - ETPRO EXPLOIT_KIT Balada WebInject Payload Request (exploit_kit.rules)
- 2867748 - ETPRO WEB_SPECIFIC_APPS Fortinet FortiSandbox vnc_port OS Command Injection (CVE-2026-25089) (web_specific_apps.rules)
- 2867749 - ETPRO PHISHING TA402 Domain in DNS Lookup (phishing.rules)
- 2867750 - ETPRO PHISHING TA402 Domain in TLS SNI (phishing.rules)
- 2867751 - ETPRO PHISHING TA402 Domain in DNS Lookup (phishing.rules)
- 2867752 - ETPRO PHISHING TA402 Domain in TLS SNI (phishing.rules)
- 2867753 - ETPRO PHISHING TA402 Domain in DNS Lookup (phishing.rules)
- 2867754 - ETPRO PHISHING TA402 Domain in TLS SNI (phishing.rules)
- 2867755 - ETPRO PHISHING TA402 Domain in DNS Lookup (phishing.rules)
- 2867756 - ETPRO PHISHING TA402 Domain in TLS SNI (phishing.rules)
- 2867757 - ETPRO PHISHING TA402 Domain in DNS Lookup (phishing.rules)
- 2867758 - ETPRO PHISHING TA402 Domain in TLS SNI (phishing.rules)