diff --git a/yara/generic_anomalies.yar b/yara/generic_anomalies.yar
index db409081..3759f4fe 100644
--- a/yara/generic_anomalies.yar
+++ b/yara/generic_anomalies.yar
@@ -215,12 +215,13 @@ rule Suspicious_Size_java_exe {
       author = "Florian Roth (Nextron Systems)"
       score = 60
       date = "2015-12-21"
+      modified = "2026-03-30"
       noarchivescan = 1
       id = "b6dc297b-8388-5e39-ba77-c027cdea7afa"
    condition:
       uint16(0) == 0x5a4d
       and filename == "java.exe"
-      and (filesize < 30KB or filesize > 900KB)
+      and (filesize < 30KB or filesize > 1500KB)
 }
 
 rule Suspicious_Size_lsass_exe {
diff --git a/yara/hktl_redsun_apr26.yar b/yara/hktl_redsun_apr26.yar
new file mode 100644
index 00000000..97ee1aa2
--- /dev/null
+++ b/yara/hktl_redsun_apr26.yar
@@ -0,0 +1,24 @@
+rule HKTL_RedSun_Privilege_Escalation_Apr26 {
+   meta:
+      description = "Detects RedSun hacktool used for privilege escalation through Microsoft Defender."
+      author = "Jonathan Peters (cod3nym)"
+      date = "2026-04-16"
+      reference = "https://github.com/Nightmare-Eclipse/RedSun"
+      hash = "57a70c383feb9af60b64ab6768a1ca1b3f7394b8c5ffdbfafc8e988d63935120"
+      score = 80
+   strings:
+      $x1 = "\\??\\pipe\\REDSUN" wide
+      $x2 = "The red sun shall prevail.\n" ascii fullword
+      $x3 = "\\RedSun.pdb" ascii
+
+      $s1 = "\\System32\\TieringEngineService.exe" wide
+      $s2 = "SERIOUSLYMSFT" wide
+      $s3 = "*H+H$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE$}7)CC7)^P(45XZP\\4[PA@%P!O5X" ascii
+   condition:
+      uint16(0) == 0x5a4d
+      and (
+         1 of ($x*)
+         or 2 of ($s*)
+      )
+      or 3 of them
+}
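Review bot: The upper size bound jumps from 900KB to 1500KB on the changed `and (filesize < 30KB or filesize > 1500KB)` line, but nothing in the rule records why, so the next person tuning it has to re-measure a legitimate java.exe to understand the window. Presumably a recent JDK/JRE build pushed java.exe past 900KB and was producing false positives; a short comment on that line, `// upper bound raised 900KB -> 1500KB (2026-03): legitimate java.exe builds now exceed 900KB`, would preserve that rationale, and the rule's description (outside this hunk) could state the expected size range. Widening the window also means a trojanized java.exe between 900KB and 1500KB is no longer flagged by this check alone, which is acceptable for a score-60 anomaly rule but worth stating in the same comment.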
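Review bot: In the new condition, `or 3 of them` sits outside the parenthesized group, and YARA's `and` binds tighter than `or`, so the `uint16(0) == 0x5a4d` MZ check gates only the first alternative and any file type containing three of the six strings fires the rule. If catching non-PE carriers (memory dumps, droppers embedding the binary) is intended, a comment such as `// 3 of them: deliberately not MZ-gated to catch non-PE carriers` makes that explicit; otherwise the MZ check should be factored outside the group so it applies to both branches. `$s3` is the EICAR test string written backwards, which is not obvious at a glance; a comment like `// reversed EICAR test string, presumably used by the tool to trigger a Defender action` would help maintainers when the string needs adjusting.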