diff --git a/README.md b/README.md
index 910a32297..5d9874bd2 100644
--- a/README.md
+++ b/README.md
@@ -45,12 +45,14 @@ CAPE also has Yara signatures to detect payloads that are extracted by a behavio
 - Dridex
 - NetTraveler
 - ZeroT
+ - Jaff
+ - T5000
 There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.
 Packages can be written based on API hooks, the CAPE debugger, or a combination of both.
-The CAPE debugger allows four breakpoints to be set on each malware thread to detect on read, write or execute of a memory region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code or via Yara signatures.
+The CAPE debugger allows four breakpoints to be set on each malware thread to detect on read, write or execute of a memory region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code, API hooks or Yara signatures.
 Processes, modules and memory regions can variously be dumped by CAPE through use of a simple API. These dumps can then be scanned and parsed for configuration information.
diff --git a/data/yara/CAPE/T5000.yar b/data/yara/CAPE/T5000.yar
new file mode 100644
index 000000000..543e21c64
--- /dev/null
+++ b/data/yara/CAPE/T5000.yar
@@ -0,0 +1,30 @@
+rule T5000
+{
+ meta:
+ author = "Seth Hardy"
+ description = "T5000 Payload"
+ cape_type = "T5000 Payload"
+ strings:
+ $ = "_tmpR.vbs"
+ $ = "_tmpg.vbs"
+ $ = "Dtl.dat" wide ascii
+ $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
+ $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
+ $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
+ $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
+ $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
+ $ = "A59CF429-D0DD-4207-88A1-04090680F714"
+ $ = "utd_CE31" wide ascii
+ $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
+ $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
+ $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
+ $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
+ condition:
+ any of them
+}
+/*
+ last_modified = "2014-06-26"
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
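Review bot: `condition: any of them` lets a single hit on one of the weak strings — `"Dtl.dat"` (7 bytes, matched both wide and ascii) or `"_tmpR.vbs"` — fire a rule whose `cape_type = "T5000 Payload"` meta presumably labels the dump as that family, so one short filename in an unrelated dropper or document is enough for a false attribution. Because every string is anonymous (`$ =`), the condition cannot weight the high-confidence evidence (the four `T5000`/`xPlat2` PDB paths) differently from the generic names; naming the PDB strings and tightening the condition to `any of ($pdb*) or 2 of them` keeps every PDB-only match while requiring corroboration for the short strings. The `wide ascii` modifier is applied only to `Dtl.dat` and `utd_CE31`, so if the samples also carry the `.vbs` names as UTF-16 the rule will miss them — worth confirming against the samples the rule was written from. Finally, `last_modified = "2014-06-26"` sits in a trailing block comment where YARA cannot read it; moving it into `meta:` as `date = "2014-06-26"` makes it available to tooling.

```yara
    strings:
        // … unchanged: vbs, Dtl.dat, GUID and utd_CE31 strings …
        $pdb1 = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
        $pdb2 = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
        $pdb3 = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
        $pdb4 = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"

    condition:
        any of ($pdb*) or 2 of them
```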