Summary:
20 new OPEN, 23 new PRO (20 + 3)
There will be no release Friday July 3rd.
Added rules:
Open:
- 2070125 - ET WEB_SPECIFIC_APPS Progress Kemp Loadmaster Remote Code Execution (CVE-2026-8037) (web_specific_apps.rules)
- 2070126 - ET WEB_SPECIFIC_APPS [aretiq.ai] Exchange EWS InstallApp with ManifestUrl Server-Side Request Forgery Attempt (CVE-2026-45502) (web_specific_apps.rules)
- 2070127 - ET WEB_SPECIFIC_APPS Langflow AI Authenticated Arbitrary File Write via Path Traversal (CVE-2026-33309) (web_specific_apps.rules)
- 2070128 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soupedburhsh .biz) (malware.rules)
- 2070129 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soupedburhsh .biz) in TLS SNI (malware.rules)
- 2070130 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (triangledh .store) (malware.rules)
- 2070131 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (triangledh .store) in TLS SNI (malware.rules)
- 2070132 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (abernaahy .sbs) (exploit_kit.rules)
- 2070133 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (reindardt .lol) (exploit_kit.rules)
- 2070134 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (schuttc .lol) (exploit_kit.rules)
- 2070135 - ET WEB_SPECIFIC_APPS UniFi Network Application Unauthenticated Path Traversal (CVE-2026-22557) (web_specific_apps.rules)
- 2070136 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (abernaahy .sbs) (exploit_kit.rules)
- 2070137 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (reindardt .lol) (exploit_kit.rules)
- 2070138 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (schuttc .lol) (exploit_kit.rules)
- 2070139 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (files .crapofirouzi .com) (malware.rules)
- 2070140 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (files .crapofirouzi .com) (malware.rules)
- 2070141 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bronzehorizon .top) (exploit_kit.rules)
- 2070142 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (linenharvest .top) (exploit_kit.rules)
- 2070143 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bronzehorizon .top) (exploit_kit.rules)
- 2070144 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (linenharvest .top) (exploit_kit.rules)
Pro:
- 2867875 - ETPRO WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution (CVE-2026-33017) (web_specific_apps.rules)
- 2867876 - ETPRO HUNTING Response Header Override via HTTP Request Parameter (hunting.rules)
- 2867877 - ETPRO WEB_SPECIFIC_APPS Microsoft Sharepoint Remote Code Execution via ProxyUpdateExecutor (web_specific_apps.rules)
Disabled and modified rules:
- 2070106 - ET MALWARE Observed VenomRAT SSL Cert (malware.rules)
- 2070117 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (coralwayfinder .top) (exploit_kit.rules)
- 2070118 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (coralwayfinder .top) (exploit_kit.rules)
- 2867843 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2867847 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2867852 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2867857 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2867859 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)