diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index da91614..672db69 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@@ -2,6 +2,8 @@
 --
 -- references:
 -- * https://www.elastic.co/security-labs/inital-research-of-jokerspy
+-- * https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
+--
 -- false positives:
 -- * none known
 --