diff --git a/malware5.pl b/malware5.pl
index 1352611..e30e4a4 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -481,7 +481,9 @@ my @regexen = (
     qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
     qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
-            
+    qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
+    qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
+        
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 74e8f9f..aabac61 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -964,6 +964,8 @@ my @regexen = (
     qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
     qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
+    qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
+    qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
     
 );