{
    "version": 3,
    "updated": "2026-06-22",
    "regex": [
        {
            "id": "clickfix-clipboard",
            "pattern": "/navigator\\s*\\.\\s*clipboard\\s*\\.\\s*writeText/i",
            "severity": "high",
            "desc": "ClickFix: writes a command to the visitor's clipboard (fake CAPTCHA lure)."
        },
        {
            "id": "clickfix-payload-cmd",
            "pattern": "/(mshta\\s|powershell(\\.exe)?\\s+-|cmd(\\.exe)?\\s*\\/c\\b|certutil\\s+-|curl\\b[^\\n]{0,60}\\|\\s*(bash|sh)\\b)/i",
            "severity": "high",
            "desc": "Windows/Unix command payload commonly delivered via ClickFix."
        },
        {
            "id": "js-eval-atob",
            "pattern": "/(eval|Function)\\s*\\(\\s*atob\\s*\\(/i",
            "severity": "high",
            "desc": "Obfuscated JavaScript: eval of base64-decoded payload."
        },
        {
            "id": "wp-mu-injector",
            "pattern": "/add_action\\s*\\(\\s*['\"]wp_(head|footer)['\"][\\s\\S]{0,200}(base64_decode|clipboard|atob|eval\\s*\\()/i",
            "severity": "critical",
            "desc": "mu-plugin hooking wp_head/wp_footer to inject obfuscated output."
        },
        {
            "id": "php-eval-b64",
            "pattern": "/eval\\s*\\(\\s*(base64_decode|gzinflate|gzuncompress|str_rot13|rawurldecode)\\s*\\(/i",
            "severity": "critical",
            "desc": "Obfuscated eval() of decoded payload (classic backdoor)."
        },
        {
            "id": "php-superglobal-exec",
            "pattern": "/(eval|assert|system|exec|shell_exec|passthru)\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)\\b/i",
            "severity": "critical",
            "desc": "Executes raw user input from a superglobal."
        },
        {
            "id": "php-gzinflate-chain",
            "pattern": "/(gzinflate|gzuncompress|gzdecode)\\s*\\(\\s*(base64_decode|str_rot13)\\s*\\(/i",
            "severity": "high",
            "desc": "Multi-layer payload de-obfuscation chain."
        },
        {
            "id": "php-shell-exec",
            "pattern": "/\\b(shell_exec|passthru|proc_open|popen|system|exec)\\s*\\(\\s*\\$?(_(get|post|request|cookie|server)|[a-z_]+)/i",
            "severity": "high",
            "desc": "Shell command execution whose argument is a superglobal or any other variable/identifier (broad match)."
        },
        {
            "id": "webshell-known",
            "pattern": "/(c99shell|r57shell|wso\\s?shell|b374k|FilesMan|phpshell|MaxiGad)/i",
            "severity": "critical",
            "desc": "Known web shell identifier string."
        }
    ],
    "tokens": [
        "eval(gzinflate(base64_decode(",
        "eval(base64_decode(",
        "navigator.clipboard.writeText",
        "I am not a robot"
    ]
}
