Ruleset Update Summary - 2026/06/26 - v11222

Summary:

12 new OPEN, 19 new PRO (12 + 7)


Added rules:

Open:

  • 2070070 - ET INFO Ethereum Contract Request, getDomain() (info.rules)
  • 2070071 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .courtpsychologists .com) (malware.rules)
  • 2070072 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .courtpsychologists .com) (malware.rules)
  • 2070073 - ET EXPLOIT_KIT ErrTraffic Domain in DNS Lookup (verificationscodes .beer) (exploit_kit.rules)
  • 2070074 - ET EXPLOIT_KIT ErrTraffic Domain in TLS SNI (verificationscodes .beer) (exploit_kit.rules)
  • 2070075 - ET INFO DYNAMIC_DNS Query to a *.sprinkul .com domain (info.rules)
  • 2070076 - ET INFO DYNAMIC_DNS HTTP Request to a *.sprinkul .com domain (info.rules)
  • 2070077 - ET INFO DYNAMIC_DNS Query to a *.hospitaldelninodif .gob .mx domain (info.rules)
  • 2070078 - ET INFO DYNAMIC_DNS HTTP Request to a *.hospitaldelninodif .gob .mx domain (info.rules)
  • 2070079 - ET HUNTING Javascript Mobile Device Check (hunting.rules)
  • 2070080 - ET HUNTING FakeUpdate Injector Script Request (hunting.rules)
  • 2070081 - ET EXPLOIT_KIT ErrTraffic Beer Cluster Checkin (exploit_kit.rules)

Pro:

  • 2867806 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2867807 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)
  • 2867808 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2867809 - ETPRO MALWARE Observed DNS Query to Payload Delivery Domain (malware.rules)
  • 2867810 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)
  • 2867811 - ETPRO MALWARE Observed Payload Delivery Domain in TLS SNI (malware.rules)
  • 2867812 - ETPRO MALWARE Fake Document Payload Delivery Landing Page (malware.rules)

Disabled and modified rules:

  • 2070024 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ivorycompass .top) (exploit_kit.rules)
  • 2070025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ivorycompass .top) (exploit_kit.rules)