[***] Summary: [***]
5 new OPEN, 10 new PRO (5 + 5). DonotGroup, Win32/Aurora, Win32/Lumma, Others.
Thanks @jay_townsend1
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2043202 - ET MALWARE Rhadamanthys Stealer - Payload Download Request (malware.rules)
2043203 - ET MALWARE Win32/Aurora Stealer Sending System Information (malware.rules)
2043204 - ET MALWARE Observed PyPI Malicious Library Payload Delivery Domain (h4ck .cfd) Domain in DNS Lookup (malware.rules)
2043205 - ET MALWARE Observed PyPI Malicious Library Payload Delivery Domain (h4ck .cfd in TLS SNI) (malware.rules)
2043206 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 (malware.rules)
Pro:
2853001 - ETPRO MALWARE Rhadamanthys Stealer - Payload Response (malware.rules)
2853002 - ETPRO MALWARE Rhadamanthys Stealer - Data Exfil (malware.rules)
2853003 - ETPRO MALWARE DonotGroup Backdoor Activity (POST) (malware.rules)
2853004 - ETPRO MALWARE DonotGroup Backdoor Activity (POST) (malware.rules)
2853006 - ETPRO MALWARE Snake Keylogger Telegram Exfil (malware.rules)
[///] Modified active rules: [///]
2013097 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain (info.rules)
2039423 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1 (malware.rules)
2041120 - ET MALWARE DonotGroup Backdoor Activity (POST) (malware.rules)
2042688 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain (info.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team