diff --git a/rules/encoding/json-encode.yara b/rules/encoding/json-encode.yara
index 656b8d85..571dfa87 100644
--- a/rules/encoding/json-encode.yara
+++ b/rules/encoding/json-encode.yara
@@ -1,4 +1,3 @@
-
 rule JSONEncode {
 meta:
 description = "encodes JSON"
@@ -9,3 +8,15 @@ rule JSONEncode {
 condition:
 any of them
 }
+
+rule json_dumps : low {
+ meta:
+ description = "encodes JSON"
+ filetypes = "py"
+ strings:
+ $jsone = "json" fullword
+ $marshal = "dumps" fullword
+ $import = "import" fullword
+ condition:
+ filesize < 8KB and all of them
+}
diff --git a/rules/exfil/b64_zlib.yara b/rules/exfil/b64_zlib.yara
new file mode 100644
index 00000000..0cf1d9b7
--- /dev/null
+++ b/rules/exfil/b64_zlib.yara
@@ -0,0 +1,40 @@
+rule cipher_exfil : high {
+ meta:
+ description = "may exfiltrate base64-encoded zlib content"
+ ref = "https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-dependencies/"
+ filetypes = "py"
+ strings:
+ $s_zlib = "zlib" fullword
+ $s_compress = "compress" fullword
+ $s_b64encode = "b64encode"
+ $s_json = "json" fullword
+ $s_dumps = "dumps" fullword
+ $s_map_chr = "chr" fullword
+
+ $http = "http.client"
+ $h_requests = "requests"
+ condition:
+ filesize < 8KB and all of ($s*) and any of ($h*)
+}
+
+rule cipher_exfil2 : high {
+ meta:
+ description = "may exfiltrate base64-encoded zlib content"
+ ref = "https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-dependencies/"
+ filetypes = "py"
+ strings:
+ $s_zlib = "zlib" fullword
+ $s_compress = "compress" fullword
+ $s_b64encode = "b64encode"
+ $s_b64decode = "b64decode"
+ $s_json = "json" fullword
+ $s_dumps = "dumps" fullword
+ $s_map_chr = "chr" fullword
+ $s_getlogin = "getlogin" fullword
+ $s_decode = "decode" fullword
+
+ $http = "http"
+ $h_requests = "requests"
+ condition:
+ filesize < 8KB and 85% of ($s*) and any of ($h*)
+}
diff --git a/rules/net/http-request.yara b/rules/net/http-request.yara
index e652dfce..a903f263 100644
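Review bot: The three fullword strings in the new `json_dumps` rule match independently, so a small file with `import pickle`, a `pickle.dumps(...)` call and the word `json` anywhere (a comment or a dict key) satisfies `all of them` without encoding any JSON; the `$marshal` name also points at the wrong module. A single anchored string captures the intent, e.g. `$dumps = "json.dumps" fullword`, with `$import` kept if the import is still wanted. The description is byte-identical to the `JSONEncode` rule above it; `description = "encodes JSON (python json.dumps)"` would let a hit be traced to the right rule.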
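Review bot: In `cipher_exfil2` the string `$http = "http"` carries no `fullword` and is a substring of every `https://` URL and of `import http`, so the `any of ($h*)` term is met by almost any small Python file that contains a link and the rule degenerates to the `85% of ($s*)` count alone; `cipher_exfil` uses `"http.client"` in the same slot. Restoring the network-library gating is one line, `$http = "http.client"`. Both rules also share one description, so `description = "may exfiltrate base64-encoded zlib content (getlogin variant)"` on `cipher_exfil2` would distinguish them in output. The `$http`/`$h_requests` naming is inconsistent; `$h_http` would make the `($h*)` grouping self-evident.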
--- a/rules/net/http-request.yara
+++ b/rules/net/http-request.yara
@@ -1,4 +1,4 @@
-rule http_request {
+rule http_request : low {
 meta:
 pledge = "inet"
 description = "makes HTTP requests"
@@ -12,6 +12,8 @@ rule http_request {
 $http2 = "Referer" fullword
 $uri = "open-uri" fullword
 $http_get = "http.get" fullword
+ $http_connect = "HTTPConnection" fullword
+ $https_connect = "HTTPSConnection" fullword
 condition:
 any of them
 }
diff --git a/rules/obfuscation/python/chr.yara b/rules/obfuscation/python/chr.yara
new file mode 100644
index 00000000..e720b289
--- /dev/null
+++ b/rules/obfuscation/python/chr.yara
@@ -0,0 +1,10 @@
+rule join_map_chr : high {
+ meta:
+ description = "assembles strings from character code constants"
+ ref = "https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-dependencies/"
+ filetypes = "py"
+ strings:
+ $ref = /join\(map\(chr,\[\d{1,3},\d{1,3},[\d\,]{1,32}/
+ condition:
+ filesize < 8KB and $ref
+}
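Review bot: The regex in `join_map_chr` admits no whitespace after its commas, so the PEP 8 spelling `join(map(chr, [104, 101, 108, ...]))` is missed and only the `chr,[104,101,` form matches, which makes the `high` rule easy to sidestep by reformatting alone. Allowing optional whitespace keeps the rule aimed at the same construct: `$ref = /join\(map\(chr,\s*\[\d{1,3},\s*\d{1,3},\s*[\d,\s]{1,32}/`. The `\,` escape inside the character class is redundant; a plain comma reads the same.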