Ruleset Update Summary - 2026/07/13 - v11232

Summary:

24 new OPEN, 41 new PRO (24 + 17)


Added rules:

Open:

  • 2071158 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arethqg .lat) (malware.rules)
  • 2071159 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (arethqg .lat) in TLS SNI (malware.rules)
  • 2071160 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (silverlandscape .top) (exploit_kit.rules)
  • 2071161 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (silverlandscape .top) (exploit_kit.rules)
  • 2071162 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (high-priority .futurainternationalrealty .com) (malware.rules)
  • 2071163 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (high-priority .futurainternationalrealty .com) (malware.rules)
  • 2071164 - ET INFO ScreenConnect Initial Origin Checkin (info.rules)
  • 2071165 - ET WEB_SERVER Check Point VPN IKEv1 (TCPT) Authentication Bypass (CVE-2026-50751) (web_server.rules)
  • 2071166 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (dillonhomeservices .com) (exploit_kit.rules)
  • 2071167 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (circlehomeservices .com) (exploit_kit.rules)
  • 2071168 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (bridgehomeservices .com) (exploit_kit.rules)
  • 2071169 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (waltonenvironmental .com) (exploit_kit.rules)
  • 2071170 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (dundalkpestcontrol .com) (exploit_kit.rules)
  • 2071171 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (spurlockroofing .com) (exploit_kit.rules)
  • 2071172 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (razorbackroofing .com) (exploit_kit.rules)
  • 2071173 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (ridgewellroofing .com) (exploit_kit.rules)
  • 2071174 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (dillonhomeservices .com) (exploit_kit.rules)
  • 2071175 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (circlehomeservices .com) (exploit_kit.rules)
  • 2071176 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (bridgehomeservices .com) (exploit_kit.rules)
  • 2071177 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (waltonenvironmental .com) (exploit_kit.rules)
  • 2071178 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (dundalkpestcontrol .com) (exploit_kit.rules)
  • 2071179 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (spurlockroofing .com) (exploit_kit.rules)
  • 2071180 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (razorbackroofing .com) (exploit_kit.rules)
  • 2071181 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (ridgewellroofing .com) (exploit_kit.rules)

Pro:

  • 2867946 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867947 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867948 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867949 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867950 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867951 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867952 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867953 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867954 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867955 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867956 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867957 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867958 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867959 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867960 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867961 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867962 - ETPRO MALWARE Malicious Certificate Issuer Observed in TLS Certificate (malware.rules)