diff --git a/yara/apt_duqu1_5_modules.yar b/yara/apt_duqu1_5_modules.yar
new file mode 100644
index 0000000..762bb7f
--- /dev/null
+++ b/yara/apt_duqu1_5_modules.yar
@@ -0,0 +1,16 @@
+
+rule Duqu1_5_modules {
+ meta:
+ author = "Silas Cutler (havex@chronicle.security)"
+ desc = "Detection for Duqu 1.5 modules"
+ hash = "bb3961e2b473c22c3d5939adeb86819eb846ccd07f5736abb5e897918580aace"
+ reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
+ strings:
+ $c1 = "%s(%d)disk(%d)fdisk(%d)"
+ $c2 = "\\Device\\Floppy%d" wide
+ $c3 = "BrokenAudio" wide
+ $m1 = { 81 3F E9 18 4B 7E}
+ $m2 = { 81 BC 18 F8 04 00 00 B3 20 EA B4 }
+ condition:
+ all of them
+}
diff --git a/yara/apt_flame2_orchestrator.yar b/yara/apt_flame2_orchestrator.yar
new file mode 100644
index 0000000..6f2a4ed
--- /dev/null
+++ b/yara/apt_flame2_orchestrator.yar
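Review bot: Nothing in the `Duqu1_5_modules` condition restricts the match to a file type, so the five short strings (the six-byte `$m1 = { 81 3F E9 18 4B 7E}` in particular) are the only thing keeping the rule precise, and `all of them` is doing all of that work. If the Duqu 1.5 modules this targets are PE files — inferred from the `\\Device\\Floppy%d` path in `$c2` and the x86-looking hex patterns, not stated in the hunk — `condition: uint16(0) == 0x5A4D and all of them` would confine matches to PE input without changing what the strings look for. The brace spacing in `$m1` also differs from `$m2` and the other files in this commit; `$m1 = { 81 3F E9 18 4B 7E }` keeps the hex strings uniform.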
@@ -0,0 +1,30 @@
+import"pe"
+import"hash"
+
+rule FLAME2_Orchestrator {
+ meta:
+ desc = "Encrypted resources in Flame2.0 Orchestrators"
+ author = "turla @ Uppercase"
+ hash1 = "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1"
+ hash2 = "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82"
+ hash3 = "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4"
+ reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
+ condition:
+ for any i in (0..pe.number_of_resources-1):
+ ((hash.md5(pe.resources[i].offset,pe.resources[i].length) == "53b19d9863d8ff8cde8e4358d1b57c04") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "62bfe21a8eb76fd07e22326c0073fef5") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "1933a1e254b1657a6a2eb8ad1fbe6fa3") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "17c794f7056349cb82889b5e5b030d15") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "e15187f79b6916cb6763d29d215623c1") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "923963bb24f2e2ceac9f9759071dba88") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9a2766aba7f2a56ef1ab24cf171ee0ed") or
+ (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "ebe15bfb5a3944ea4952ddf0f73aa6e8"))
+}
diff --git a/yara/apt_stuxshop.yar b/yara/apt_stuxshop.yar
new file mode 100644
index 0000000..a0aa89c
--- /dev/null
+++ b/yara/apt_stuxshop.yar
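Review bot: Four of the sixteen MD5 comparisons inside the `for any i` loop are duplicates — `4849cc439e524ef6a9964a3666dddb13`, `dfed2c71749b04dad46d0ce52834492c`, `9119aa701b39242a98be118d9c237ecc` and `b69d168e29fba6c88ad4e670949815aa` each appear twice — so the condition really carries twelve distinct resource hashes, and the repeated `or` arms should be removed so the list stays auditable against the three `hash1`..`hash3` samples. Every arm also recomputes `hash.md5(pe.resources[i].offset,pe.resources[i].length)` for the same resource; I am not certain the hash module caches that result, so it is worth measuring on binaries with large resource sections before deploying at scale. The `import"pe"` and `import"hash"` lines at the top of the file drop the space of the conventional `import "pe"` form; normalizing them keeps the file consistent with the other rules in this set even if the parser accepts both.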
@@ -0,0 +1,45 @@
+
+rule STUXSHOP_config {
+ meta:
+ desc = "Stuxshop standalone sample configuration"
+ author = "JAG-S (turla@chronicle.security)"
+ hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
+ reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
+ strings:
+ $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
+ $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
+ $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
+ $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
+ $regkey1 = "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
+ $regkey2 = "NTVDMParams" ascii wide
+
+ $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
+ $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
+ $flowerOverlap3 = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
+ $flowerOverlap4 = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
+ $flowerOverlap5 = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
+ $flowerOverlap6 = { 85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
+
+ condition:
+ all of ($flowerOverlap*)
+ or
+ 2 of ($cnc*)
+ or
+ all of ($regkey*)
+}
+
+rule STUXSHOP_OSCheck {
+ meta:
+ author = "Silas Cutler (havex@Chronicle.Security)"
+ desc = "Identifies the OS Check function in STUXSHOP and CheshireCat"
+ hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
+ strings:
+ $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00
+ 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05
+ 5E }
+ $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80
+ 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6
+ }
+ condition:
+ any of them
+}
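Review bot: The `all of ($regkey*)` arm of the `STUXSHOP_config` condition fires on `$regkey1` and `$regkey2` alone, and those two strings look like a standard Windows registry path and value name rather than attacker-specific artifacts, so that arm on its own may match benign binaries that touch the same key; I would drop it or tie it to a second indicator, e.g. `(all of ($regkey*) and 1 of ($cnc*))`. `STUXSHOP_OSCheck` is also the only rule in this commit without a `reference` meta entry while `STUXSHOP_config` directly above it has one; adding `reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"` keeps the metadata uniform and lets an analyst trace the CheshireCat overlap named in its `desc`. Neither rule gates on file type; if these samples are PE files (not stated in the hunk), prefixing both conditions with `uint16(0) == 0x5A4D and` narrows the match set at no cost to the intended detections.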