diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index caf1598..3905abe 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -345,3 +345,7 @@ $f1 = ".ht"; $f2 = "acc"; $f3 = "ess"; /*;*/
 # web shells host type extraction
 php_uname()
+# decode content with basic rot13
+str_split(rawurldecode(str_rot13(
+# generating PHP file name to put content
+substr(md5(time()), 0, 8) . ".php"
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 6466b2d..7c0a792 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -96,3 +96,6 @@ eval\(\$[a-z0-9_]+\(\$_POST
 # web shells host type extraction RE
 php_uname\(["'asrvm]+\)
+
+# XOR decode POST-ed payload
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
\ No newline at end of file
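Review bot: The two added raw patterns, `str_split(rawurldecode(str_rot13(` and `substr(md5(time()), 0, 8) . ".php"`, are exact substrings, so the same decode chain written with different spacing or argument layout falls outside the match; if patterns_raw.txt is matched literally, as its name next to patterns_re.txt suggests, a spacing-tolerant form such as `str_rot13\s*\(` belongs in patterns_re.txt rather than here. The comments describe what the sample does rather than what the signature keys on; `# rot13 + urldecode chain, literal match (spacing-sensitive)` would tell the next maintainer why a near-identical sample is not flagged. The new file also ends without a trailing newline (`\ No newline at end of file`), so the next append to this list will show up as a change to this line as well.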
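Review bot: The `{2,}` quantifier on the added regex `(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}` requires at least two consecutive `^ $key[$i % strlen($key)]` terms, so the single-key form `$data[$i] ^ $key[$i % strlen($key)]` does not match; if one term is meant to be enough, drop the quantifier, and if the two-key chain is intentional the comment should say so. Nothing in the pattern references `$_POST`, so `# XOR decode POST-ed payload` overstates what it detects; `# chained XOR with key[i % strlen(key)], two or more terms` would describe the actual match. The outer group captures, which is harmless but `(?:...)` would make clear that it exists only for the repetition.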