diff --git a/yara/expl_copy_fail_cve_2026_31431.yar b/yara/expl_copy_fail_cve_2026_31431.yar
index 2354f901..4c1cb062 100644
--- a/yara/expl_copy_fail_cve_2026_31431.yar
+++ b/yara/expl_copy_fail_cve_2026_31431.yar
@@ -3,25 +3,33 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
 description = "Detects forensic artifacts related to public Copy Fail (CVE-2026-31431) exploit PoCs, including known tiny ELF shell payloads, Python exploit code fragments, AF_ALG/authencesn/splice usage patterns, public PoC URLs, and other indicators observed in online proof-of-concept material."
 author = "Florian Roth"
 reference = "https://copy.fail"
- reference_1 = "https://github.com/tgies/copy-fail-c"
- reference_2 = "https://github.com/theori-io/copy-fail-CVE-2026-31431"
- reference_3 = "https://hackerspace.pl/~q3k/alpine.py"
- reference_4 = "https://github.com/badsectorlabs/copyfail-go"
+ reference_2 = "https://github.com/tgies/copy-fail-c"
+ reference_3 = "https://github.com/theori-io/copy-fail-CVE-2026-31431"
+ reference_4 = "https://hackerspace.pl/~q3k/alpine.py"
+ reference_5 = "https://github.com/badsectorlabs/copyfail-go"
+ reference_6 = "https://github.com/iss4cf0ng/CVE-2026-31431-Linux-Copy-Fail"
 date = "2026-04-30"
 score = 75
 strings:
 // Network indicators (e.g. in bash history, logs, etc.)
- $xs1 = "curl https://copy.fail/exp" ascii
+ $xn1 = "curl https://copy.fail/exp" ascii
 // Code fragments from public PoCs
- $x1 = "| python3 && su"
- $x2 = "g.open(\"/usr/bin/su\",0);i=0;"
- $x3 = "[-] page-cache mutation failed"
- $x4 = "[+] /etc/passwd page cache mutated"
- $x5 = "bind(AF_ALG: authencesn(hmac(sha256),cbc(aes)))"
+ $xs1 = "| python3 && su"
+ $xs2 = "g.open(\"/usr/bin/su\",0);i=0;"
+ $xs3 = "[-] page-cache mutation failed"
+ $xs4 = "[+] /etc/passwd page cache mutated"
+ $xs5 = "bind(AF_ALG: authencesn(hmac(sha256),cbc(aes)))"
+ $xs6 = "/tmp/.cve_test"
- $s1 = "0800010000000010" ascii
- $s2 = "authencesn(hmac(sha256),cbc(aes))" ascii
+ // Indicator Combo
+ $sa1 = "authencesn(hmac(sha256),cbc(aes))" ascii
+
+ $sb1 = { 08 00 01 00 00 00 00 10 }
+ $sb2 = "0800010000000010" ascii
+
+ // Base64 encoded payloads
+ $xe1 = "authencesn(hmac(sha256),cbc(aes))" base64
 // Tiny x86-64 ELF shell payload: setuid(0) -> execve("/bin/sh") -> exit(0)
 $xc1 = { 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3e 00 01 00 00 00 78 00 40 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 38 00 01 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 31 c0 31 ff b0 69 0f 05 48 8d 3d 0f 00 00 00 31 f6 6a 3b 58 99 0f 05 31 ff 6a 3c 58 0f 05 2f 62 69 6e 2f 73 68 00 00 00 }
@@ -44,5 +52,5 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
 $xge6 = { 78 9c ab 77 f5 71 63 62 64 64 80 01 26 86 ed 0c 20 5e 05 83 03 98 ef c0 80 09 1c 18 2c 18 60 3a 40 34 2b 9a 2c 32 bd 04 ca 5b 02 97 87 e9 6c b8 e4 21 d4 70 09 c8 bb f2 80 db e1 27 23 90 cf 04 c4 2b a4 21 62 20 f9 15 dc 10 36 00 d7 2b 15 09 }
 condition:
 1 of ($x*)
- or all of ($s*)
+ or ($sa1 and 1 of ($sb*))
 }
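Review bot: `$xs6 = "/tmp/.cve_test"` is placed in the `$x*` group, so under `1 of ($x*)` that short, generic-looking path fires the rule on its own at score 75, whereas every other `$x*` string is a PoC-specific command, message or code fragment; I have not checked which referenced PoC writes that marker, but the name alone does not tie it to Copy Fail, so it seems better suited to the combo group, e.g. `$sb3 = "/tmp/.cve_test"`, where it only counts alongside `$sa1`. The same question applies to `$xe1`: the plaintext `authencesn(hmac(sha256),cbc(aes))` was demoted to needing a `$sb*` partner (it is a legitimate kernel crypto template name), yet its base64 form is a `$x*` string and matches alone, so a base64-wrapped log or config that merely mentions the template would trigger the rule. Consider giving the base64 form the same partner requirement or pairing it with the base64 of a second exploit-specific string such as `$xs4`. The `rule ... {` line and the meta header open before this hunk, and the strings section and condition continue after it.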
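Review bot: The replacement condition `($sa1 and 1 of ($sb*))` is satisfied by `$sb1`, an 8-byte, mostly-zero pattern (`08 00 01 00 00 00 00 10`, which looks like the RTA-encoded authenc key-parameter header with enckeylen htonl(16)), and such a byte run is likely to occur by chance in any sizeable binary. Since `$sa1` is the kernel's own template name, a kernel image, module or crypto library that carries that string could match at score 75 on a stray occurrence of those bytes; I have not verified that a stock vmlinux contains the full instantiated name, so treat this as a false-positive risk to test rather than a confirmed hit. Weighting the text form higher and bounding the raw-byte form would narrow it, e.g. `or ($sa1 and ($sb2 or ($sb1 and filesize < 3MB)))`. This hunk shows only the condition; the strings it references are defined above it outside the hunk.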