Summary:
15 new OPEN, 17 new PRO (15 + 2)
In observance of an internal holiday, there will be no release on Friday, June 19, 2026.
Added rules:
Open:
- 2069999 - ET PHISHING Microsoft Device Code Phishing Landing Page 2026-06-17 (phishing.rules)
- 2070000 - ET PHISHING Attacker Relayed Device Code and Verification URI (phishing.rules)
- 2070001 - ET PHISHING Attacker Polling for Device Code Verification (phishing.rules)
- 2070002 - ET WEB_SPECIFIC_APPS Totolink setWifiWpsConfig PIN Parameter Command Injection Attempt (CVE-2026-9534) (web_specific_apps.rules)
- 2070003 - ET WEB_SPECIFIC_APPS Totolink recvUpgradeNewFw fwUrl Parameter Command Injection Attempt (CVE-2026-9533) (web_specific_apps.rules)
- 2070004 - ET WEB_SPECIFIC_APPS Totolink setUploadUserData FileName Parameter Command Injection Attempt (CVE-2026-9532) (web_specific_apps.rules)
- 2070005 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wawrdenshire .digital) (malware.rules)
- 2070006 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wawrdenshire .digital) in TLS SNI (malware.rules)
- 2070007 - ET WEB_SPECIFIC_APPS Totolink setUpgradeUboot FileName Parameter Command Injection Attempt (CVE-2026-9531) (web_specific_apps.rules)
- 2070008 - ET WEB_SPECIFIC_APPS Totolink setUnloadUserData plugin_version Parameter Command Injection Attempt (CVE-2026-9515) (web_specific_apps.rules)
- 2070009 - ET WEB_SPECIFIC_APPS Totolink setNetworkDiag Multiple Parameters Command Injection Attempt (CVE-2026-9514) (web_specific_apps.rules)
- 2070010 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (henriqueq .xyz) (exploit_kit.rules)
- 2070011 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (henriqueq .xyz) (exploit_kit.rules)
- 2070012 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ivorycompass .top) (exploit_kit.rules)
- 2070013 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ivorycompass .top) (exploit_kit.rules)
Pro:
- 2867759 - ETPRO PHISHING TA402 Relayed Device Code and Verification URI (phishing.rules)
- 2867760 - ETPRO PHISHING TA402 Polling for Device Code Verification (phishing.rules)
Modified inactive rules:
- 2069607 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (* .bluetrait .io) (info.rules)