diff --git a/load-code/shellcode/execute-shellcode-via-readdirectorychanges.yml b/load-code/shellcode/execute-shellcode-via-readdirectorychanges.yml
new file mode 100644
index 000000000..61ca567f7
--- /dev/null
+++ b/load-code/shellcode/execute-shellcode-via-readdirectorychanges.yml
@@ -0,0 +1,31 @@
+rule:
+ meta:
+ name: execute shellcode via ReadDirectoryChanges APC
+ namespace: load-code/shellcode
+ authors:
+ - sherkhanz
+ description: Detects abuse of the ReadDirectoryChanges API completion routine combined with an alertable wait state to execute shellcode.
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
+ mbc:
+ - Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls [F0015.006]
+ references:
+ - https://github.com/mandiant/capa-rules/issues/1095
+ - https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
+ - https://github.com/OsandaMalith/CallbackShellcode/blob/main/ReadDirectoryChanges.c
+ features:
+ - and:
+ - or:
+ - api: ReadDirectoryChangesW
+ - api: ReadDirectoryChangesA
+ - api: ReadDirectoryChangesExW
+ - api: ReadDirectoryChangesExA
+ - or:
+ - api: SleepEx
+ - api: WaitForSingleObjectEx
+ - api: WaitForMultipleObjectsEx
+ - api: MsgWaitForMultipleObjectsEx
+ - api: SignalObjectAndWait
diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
index 91fd70ddd..dc9713752 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
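Review bot: The new rule's `meta` block carries no `examples:` entry, so nothing ties the rule to a real sample at the `function` scope it declares; capa's rule linter normally expects at least one example for rules outside `nursery/`. If the referenced issue or the CallbackShellcode PoC build yields a sample, add `examples:` after `references:` with an entry of the form `- <SAMPLE_MD5>:<FUNCTION_VA>` (placeholder), otherwise the rule belongs under `nursery/` until one exists. The feature set is also the documented, benign way to use ReadDirectoryChangesW with a completion routine, since that callback is only delivered during an alertable wait, so ordinary directory-watcher code will match exactly as well as shellcode; the `description` should say the rule flags the API pairing rather than confirming injection, and the `APC` in `name` is not backed by any feature in the rule. Listing the A/W variants in a consistent order (here W precedes A, ExW precedes ExA) would also make the file easier to diff against the sibling rule edited in this commit.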
@@ -22,6 +22,7 @@ rule:
 - https://osandamalith.com/2021/04/01/executing-shellcode-via-callbacks/
 - https://github.com/tlsbollei/Malware-Training/blob/main/Code%20Injection/LdrCallEnclave.cpp
 - https://osandamalith.com/2025/10/18/rtlregisterwait-shellcode-execution-poc/
+ - https://osandamalith.com/2025/09/25/executing-shellcode-with-readdirectorychangess-hidden-callback/
 examples:
 - 10cd7afd580ee9c222b0a87ff241d306:0x10008BE0
 - 268d61837aa248c1d49a973612a129ce:0x1000CEC0
@@ -82,6 +83,10 @@ rule:
 - api: ImmEnumInputContext
 - api: LdrCallEnclave
 - api: LineDDA
+ - api: ReadDirectoryChangesA
+ - api: ReadDirectoryChangesW
+ - api: ReadDirectoryChangesExA
+ - api: ReadDirectoryChangesExW
 - and:
 - api: RtlRegisterWait
 - api: SetEvent
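Review bot: The four ReadDirectoryChanges* entries are inserted in A, W, ExA, ExW order, which matches neither the alphabetical ordering of the surrounding list (`ImmEnumInputContext`, `LdrCallEnclave`, `LineDDA`, then the `RtlRegisterWait` block) nor the W, A, ExW, ExA order used in the new execute-shellcode-via-readdirectorychanges rule added in this same commit; pick one ordering, e.g. `ReadDirectoryChangesA`, `ReadDirectoryChangesExA`, `ReadDirectoryChangesExW`, `ReadDirectoryChangesW`, and apply it in both files. In this generic rule each API presumably stands alone under an `or:` that begins outside the hunk, so a bare ReadDirectoryChangesW call with no alertable wait already matches here while the dedicated rule requires both; that looks intentional, but a one-line `#` comment next to the new entries noting that the precise pairing lives in the sibling rule would make the overlap deliberate for the next maintainer. The enclosing `features:` list starts before this hunk.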