diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 75361c9..9ecb1ad 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -312,6 +312,7 @@ rule DodgyStrings
 $ = "ipconfig" fullword nocase
 $ = "kernel32.dll" fullword nocase
 $ = "kingdefacer" nocase
+ $ = "Wireghoul" nocase fullword
 $ = "htshell" nocase fullword
 $ = "LD_PRELOAD" fullword
 $ = "libpcprofile" // CVE-2010-3856 local root
@@ -375,4 +376,3 @@ rule Websites
 condition:
 (any of them) and not IsWhitelisted
 }
-
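Review bot: The new `$ = "Wireghoul" nocase fullword` entry in DodgyStrings has no comment saying why the string is treated as suspicious, unlike the `libpcprofile` line two entries below, which records its reason. A handle-style string can also turn up in legitimate attribution or credits, so whoever later triages a false positive needs to know where it came from; something like `$ = "Wireghoul" nocase fullword // handle seen in <sample or reference>` would do. The modifier order also differs from the `fullword nocase` used on the `ipconfig` and `kernel32.dll` lines, although `htshell` already uses the same order as the new line. The rule's condition is outside the hunk, so how much weight a single match carries cannot be judged from here.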