diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index 55ed072..e4f2f5b 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -784,6 +784,24 @@
 "windows"
 ]
 },
+ "zardoor_mutex": {
+ "query": "SELECT object_name, object_type from winbaseobj WHERE object_type='Mutant' AND (object_name='ThreadMutex12453' OR object_name='3e603a07-7b2d-4a15-afef-7e9a0841e4d5' OR object_name like 'rrx_%' OR object_name='6c2711b5-e736-4397-a883-0d181a3f85ae');",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+ "platform": [
+ "windows"
+ ]
+ },
+ "zardoor_modules": {
+ "query": "SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.filename = 'oci.dll' OR f.filename = 'zor32.dll' OR f.filename = 'zar32.dll') AND f.directory = 'C:\\Windows\\System32';",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+ "platform": [
+ "windows"
+ ]
+ },
 "ransomware_mountlocker_filepath": {
 "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE f.path LIKE '%RecoveryManual.html'; ",
 "interval": 86400,
diff --git a/win_malware/zardoor_modules.yaml b/win_malware/zardoor_modules.yaml
new file mode 100644
index 0000000..b1b7410
--- /dev/null
+++ b/win_malware/zardoor_modules.yaml
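Review bot: `object_name like 'rrx_%'` in the zardoor_mutex query uses `_` as a single-character wildcard, so it matches any name that starts with `rrx` followed by any character rather than only the literal `rrx_` prefix; if the prefix is meant literally, escape it as `object_name LIKE 'rrx\\_%' ESCAPE '\\'` (backslashes doubled for the JSON pack, as the directory string already does). The same pattern appears in win_malware/zardoor_mutex.yaml. In zardoor_modules, `f.filename = 'oci.dll'` is a case-sensitive comparison in SQLite while Windows file names are not, so `LOWER(f.filename) IN ('oci.dll', 'zor32.dll', 'zar32.dll')` would avoid missing differently-cased copies. The zardoor_mutex query also writes `from` and `like` in lowercase while the neighbouring rules use uppercase keywords; one case throughout keeps the pack lintable.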
@@ -0,0 +1,24 @@
+Zardoor Modules:
+ query: SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,"unixepoch","UTC") AS last_access_time, DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified, DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time, DATETIME(f.btime, "unixepoch", "UTC") AS creation_time, f.type
+ FROM file f
+ LEFT JOIN hash h ON f.path = h.path
+ WHERE (f.filename = "oci.dll" OR f.filename = "zor32.dll" OR f.filename = "zar32.dll") AND f.directory = "C:\Windows\System32";
+ interval: 86400
+ snapshot: true
+ description: Zardoor backdoor components were written to disk and executed. Zardoor
+ is a custom remote access tool (RAT) notably used by threat actors to maintain
+ unauthorized access on the infected system. Once successfully executed, Zardoor
+ can be used to execute arbitrary commands, interact with the file system, and
+ connect to other systems on the local network.
+ references:
+ - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
+ - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
+ - a99a9f2853ff0ca5b91767096c7f7e977b43e62dd93bde6d79e3407bc01f661d
+ - 0058d495254bf3760b30b5950d646f9a38506cef8f297c49c3b73c208ab723bf
+ - d267e2a6311fe4e2dfd0237652223add300b9a5233b555e131325a2612e1d7ef
+ mitre_tactics:
+ - defense-evasion: TA0005
+ mitre_techniques:
+ - hide-artifacts: T1564
+ platform:
+ - windows
diff --git a/win_malware/zardoor_mutex.yaml b/win_malware/zardoor_mutex.yaml
new file mode 100644
index 0000000..2b49375
--- /dev/null
+++ b/win_malware/zardoor_mutex.yaml
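Review bot: The query's string literals are double-quoted (`"unixepoch"`, `"UTC"`, `"oci.dll"`, `"C:\Windows\System32"`), which SQLite parses as identifiers first and only accepts as strings through a legacy fallback that builds can disable; the copy of this rule in packs/win_malware.conf already uses single quotes, and a YAML plain scalar carries them unchanged, so `DATETIME(f.atime, 'unixepoch', 'UTC')` and `f.filename = 'oci.dll'` keep both renderings identical and unambiguous. The same applies to `"Mutant"` and the object_name literals in win_malware/zardoor_mutex.yaml. The two renderings of this rule already differ slightly (spacing inside the first DATETIME call, quote style), which suggests they are maintained by hand; a comment above `query:` noting that the pack entry must be kept in sync would at least make the duplication visible.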
@@ -0,0 +1,23 @@
+Zardoor Mutex:
+ query: SELECT object_name, object_type
+ FROM winbaseobj
+ WHERE object_type = "Mutant" AND (object_name = "ThreadMutex12453" OR object_name = "3e603a07-7b2d-4a15-afef-7e9a0841e4d5" OR object_name like "rrx_%" OR object_name = "6c2711b5-e736-4397-a883-0d181a3f85ae");
+ interval: 86400
+ snapshot: true
+ description: Zardoor backdoor components were written to disk and executed. Zardoor
+ is a custom remote access tool (RAT) notably used by threat actors to maintain
+ unauthorized access on the infected system. Once successfully executed, Zardoor
+ can be used to execute arbitrary commands, interact with the file system, and
+ connect to other systems on the local network.
+ references:
+ - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
+ - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
+ - a99a9f2853ff0ca5b91767096c7f7e977b43e62dd93bde6d79e3407bc01f661d
+ - 0058d495254bf3760b30b5950d646f9a38506cef8f297c49c3b73c208ab723bf
+ - d267e2a6311fe4e2dfd0237652223add300b9a5233b555e131325a2612e1d7ef
+ mitre_tactics:
+ - defense-evasion: TA0005
+ mitre_techniques:
+ - rundll32: T1218.011
+ platform:
+ - windows
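Review bot: The description states that Zardoor components "were written to disk and executed", but this rule only observes named Mutant objects in winbaseobj; the text is copied from the modules rule and should say what a hit actually means, e.g. `description: A mutex name associated with the Zardoor backdoor (ThreadMutex12453, an rrx_-prefixed name, or one of the listed GUIDs) exists on the host, indicating a Zardoor component is likely running.` The same copied description is used for zardoor_mutex in packs/win_malware.conf. The `mitre_techniques` entry `rundll32: T1218.011` does not obviously follow from a mutex check, while the sibling modules rule maps to `hide-artifacts: T1564`, so the intended mapping is worth confirming. The references repeat the same five hashes as the modules rule, so it is unclear which samples the mutex names were taken from.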