diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
index 79641392e..d20f4dbae 100644
--- a/rules/web/proxy_generic/proxy_ua_malware.yml
+++ b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -11,7 +11,7 @@ references:
 - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
 author: Florian Roth (Nextron Systems)
 date: 2017/07/08
-modified: 2023/01/22
+modified: 2023/03/20
 tags:
 - attack.command_and_control
 - attack.t1071.001
@@ -92,6 +92,22 @@ detection:
 - 'qwrqrwrqwrqwr' # Racoon Stealer
 - 'rc2.0/client' # Racoon Stealer
 - 'TakeMyPainBack' # Racoon Stealer
+ - 'xxx' # Racoon Stealer
+ - '20112211' # Racoon Stealer
+ - '23591' # Racoon Stealer
+ - '901785252112' # Racoon Stealer
+ - '1235125521512' # Racoon Stealer
+ - '125122112551' # Racoon Stealer
+ - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
+ - 'Ares_ldr_v_*' # AresLoader
+ # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
+ - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
+ - 'CLCTR' # https://github.com/silence-is-best/c2db
+ - 'uploader' # https://github.com/silence-is-best/c2db
+ - 'agent' # https://github.com/silence-is-best/c2db
+ - 'License' # https://github.com/silence-is-best/c2db
+ - 'vb wininet' # https://github.com/silence-is-best/c2db
+ - 'Client' # https://github.com/silence-is-best/c2db
 condition: selection
 fields:
 - ClientIP
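Review bot: The c2db entries `'agent'`, `'Client'`, `'License'`, `'uploader'` and `'xxx'` added in the second hunk are generic enough to fire on legitimate traffic if the selection's field uses a `contains` modifier; the selection header sits above the hunk, so this cannot be confirmed here, and Sigma matching is case-insensitive by default, so `'Client'` also covers `client`. The commented-out Firefox 106 line shows the same false-positive concern was applied to the AresLoader UA, so it should apply to these short strings as well. Either keep the short c2db values in a separate rule at a lower level or match on the full observed UA string, and record the new surface in the rule's `falsepositives` section, e.g. `- Legitimate tools that send generic user agents such as 'agent' or 'Client'`. The numeric Racoon Stealer values (`'20112211'` through `'125122112551'`) are attributed only in trailing comments; adding the source to `references` would let reviewers verify them.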