Photo of smiling Jimmy holding a gold and red trophy in right hand. The top of the trophy is a gold statue of a king holding a sceptre. The king is standing on a red column, with a white base and a gold plaque.
Hand holding a trophy of king standing on a column. At the base of the column is the text:
‘MY NAME IS OZYMANDIAS, KING
OF KINGS; LOOK ON MY WORKS,
YE MIGHTY, AND DESPAIR
I earned my first CVE credit (CVE-2025-7676) for helping with a Windows ARM vuln. So, to commemorate the credit, my coworker, Reid, presented me last week with a Trophy of Perpetual Futility, because there’s always more work to do.
raw.githubusercontent.com/reidmefirst/...
19.02.2026 14:32
Dragos 2026 OT Cybersecurity Report: a Year in Review
Get the latest OT threats, vulnerabilities, and lessons learned from real-world incidents in this year’s 2026 OT Cybersecurity Report.
The Dragos 2026 Year In Review Report is live: 3 new threat groups, updates from 3 of our more active threat groups, and (my personal favorite) coverage of a subset of ICS-related capabilities that we found last year.
17.02.2026 15:01
I've spent a lot of time reversing ICS malware. Recently, I've been building it with AI tools. While there's been plenty of commentary and news about AI and malware, I'm excited to share what I learned actually trying to build some at S4x26.
Stage 2, Feb 24, 12pm.
10.02.2026 14:10
I know I'm feeling stressed out when I go back to reading Thich Nhat Hanh. His teachings calm me, and I need that reminder that happiness is available in any moment despite circumstance. I'm not even Buddhist. Or maybe I am? He'd probably say the distinction isn't important.
29.01.2026 21:19
Intel Report | ELECTRUM: Cyber Attack on Poland's Electric System 2025 | Dragos
A 2025 cyber attack on Poland’s electric system highlights both risk and resilience in modern power grids. Download the report →
This is the first known attack on DERs. Attackers compromised RTUs at 30 different sites. The report has an overview, defensive guidance, and a comparison to past ELECTRUM ops.
Hats off to CERT Polska for leading the charge, and kudos to our Intel team for the hard work.
27.01.2026 23:00
I spent a couple months arguing with Claude and Copilot while building FrostyGoop variants for DNP3 (and Modbus), keeping detailed notes on what worked and what didn't. At S4, I’ll share my honest assessment of these tools and how they might lower barriers to ICS malware dev. See you in Miami!
16.12.2025 15:00
Dismantling the SEOS Protocol
YouTube video by Black Hat
Finally sharing what’s been under wraps for months.
Adam Foster and I tore into HID SEOS to build the first open-source implementation for Proxmark3.
This is our Black Hat Asia 2025 story → www.youtube.com/watch?v=mnhG...
#RFIDHacking #SEOS #CyberSecurity
11.11.2025 02:26
Associate Project Manager
Hanover, MD
We have a job opening in our Community Defense Program (CDP) which gives small utilities free access to the Dragos Platform. This opening is a chance to do some truly meaningful work for the community.
Job Description: job-boards.greenhous...
CDP Description:
www.dragos.com/commu...
17.11.2025 17:00
Had a great time presenting at LSU this week on hunting and analyzing Go and Python malware samples while hunting for ICS malware. For those who couldn't make it, you can catch a recording of this talk from Hou.Sec.Con last month with @sam-hans0n.bsky.social
www.youtube.com/watc...
14.11.2025 14:01
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
Props to their Threat Research team for identifying and publicizing these harmful packages. If you want to understand what the code does, check out their post.
Bottom line: Always verify your dependencies and their sources!
socket.dev/blog/9-ma...
6/6
11.11.2025 17:31
The evidence also doesn't rule out security research as an explanation.
I’d give this a low confidence assessment for malicious intent. That said, it's normal for analysts to reach different conclusions, and this isn't a criticism of Socket's solid technical analysis.
5/6
11.11.2025 17:31
- The lure isn't convincing.
- The packages are unpopular (even by Socket's metrics), so infection of new projects seems improbable.
- Why would existing projects switch to the malicious dependencies?
- There's no C2 code to confirm victims. How would an attacker know if this worked?
4/6
11.11.2025 17:31
While I agree the code is harmful and the packages are suspicious, I'm not convinced about the supply chain attack angle -- or if it is one, it’s not a particularly effective one. Several factors give me pause:
3/6
11.11.2025 17:31
No legitimate projects were compromised, and no S7, Sharp7, or Siemens codebases were modified. Socket identified packages published by a separate user ("shanhai666") containing code that probabilistically kills host processes and causes database write failures within specific date ranges.
2/6
11.11.2025 17:30
A lot of folks have reached out about Socket’s recent report on a supply chain attack using malicious NuGet packages to target Siemens S7 protocol and other PLCs.
This is not a supply chain attack in the traditional sense.
1/6
11.11.2025 17:30
Modbus Offset vs. Addressing: Why Does It Matter?
Discover the relationship between the Modbus address used by TOP Server and the physical offset in a device when enabling/disabling Zero-Based Addressing.
“No, that’s my neighbor, Bobby. I live at 502, but you have to write 501 on the package or the mail carrier brings it to the wrong house. He has a problem.”
ICS is fun. This blog covers the problem:
blog.softwaretoolbox.com/topserver-mo...
(H/T to Reid Wightman for inspiring this post)
(2/2)
31.10.2025 17:18
Learning Modbus is basically this conversation:
“I live at 502 Westport Ave.”
“Sweet, I’m sending you a package.”
“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”
“Oh. So, you live at 501 Westport?”
(1/2)
31.10.2025 17:18
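The 502/501 conversation in the two posts above, worked through in code. This is an added example, not code from the original posts or from the linked TOP Server blog. It assumes the conventional Modicon numbering scheme: holding registers are documented as 40001-49999 (one-based), but a Modbus request carries a zero-based 16-bit address on the wire, so documented 40001 is wire address 0 and documented 40502 is wire address 501. The function names, the `REGISTER_TYPES` table and the `zero_based` flag (a loose stand-in for the "Zero-Based Addressing" option the blog discusses) are all mine, not a vendor API.

```python
"""Modbus register number vs. wire address (the 502 / 501 problem).

Added example, not code from the original posts or the linked blog. Assumes
the conventional Modicon numbering: documented 4xxxx holding registers are
one-based, while the wire address is zero-based (40001 -> 0, 40502 -> 501).
"""
import struct

# Documented range base and single-read function code per register type
# (coils 0xxxx, discrete inputs 1xxxx, input registers 3xxxx, holding
# registers 4xxxx). Conventional values, not taken from any vendor manual.
REGISTER_TYPES = {
    "coil": (0, 0x01),
    "discrete_input": (10000, 0x02),
    "input_register": (30000, 0x04),
    "holding_register": (40000, 0x03),
}


def documented_to_wire(number: int, reg_type: str, zero_based: bool = False) -> int:
    """Convert a documented register number to the address sent on the wire.

    zero_based=False: the document counts from 1 (40001 is the first holding
    register), so the wire address is one less than the offset ("tell the
    mail carrier 501").
    zero_based=True: the document already lists wire offsets, so no
    adjustment is made (assumed meaning of a zero-based addressing option).
    """
    base, _ = REGISTER_TYPES[reg_type]
    address = number - base - (0 if zero_based else 1)
    if not 0 <= address <= 0xFFFF:
        raise ValueError(f"{number} is outside the {reg_type} range")
    return address


def wire_to_documented(address: int, reg_type: str, zero_based: bool = False) -> int:
    """Inverse mapping: what an analyst reading a capture should write down."""
    base, _ = REGISTER_TYPES[reg_type]
    return base + address + (0 if zero_based else 1)


def build_read_request(unit_id: int, reg_type: str, number: int, count: int,
                       transaction_id: int = 1, zero_based: bool = False) -> bytes:
    """Build a Modbus/TCP ADU (MBAP header + PDU) that reads `count` items."""
    _, function_code = REGISTER_TYPES[reg_type]
    address = documented_to_wire(number, reg_type, zero_based)
    pdu = struct.pack(">BHH", function_code, address, count)
    # MBAP: transaction id, protocol id (always 0), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_request(adu: bytes, zero_based: bool = False) -> dict:
    """Decode a read request and translate the wire address back to a documented number."""
    if len(adu) < 12:
        raise ValueError("ADU too short for a Modbus/TCP read request")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    function_code, address, count = struct.unpack(">BHH", adu[7:12])
    by_code = {fc: name for name, (_, fc) in REGISTER_TYPES.items()}
    if function_code not in by_code:
        raise ValueError(f"function code 0x{function_code:02x} is not a single read")
    reg_type = by_code[function_code]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "register_type": reg_type,
        "wire_address": address,
        "documented": wire_to_documented(address, reg_type, zero_based),
        "count": count,
    }


if __name__ == "__main__":
    # "I live at 40502, but you have to tell the mail carrier 501."
    frame = build_read_request(unit_id=1, reg_type="holding_register", number=40502, count=1)
    print(frame.hex())
    print(parse_read_request(frame))
    # Reading the same frame with the wrong convention lands on the neighbor's register.
    print(parse_read_request(frame, zero_based=True)["documented"])
```

The practical reason to get this right is the analyst's side of the exchange: a capture of FrostyGoop-style Modbus/TCP traffic shows wire address 501, while the vendor documentation for the target device talks about register 40502. Apply the wrong convention and every register you report as read or written is off by one, which is exactly the kind of mistake that turns a solid technical finding into a wrong conclusion about what the tool did to the process.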
Other questions I'm exploring:
How much does AI know about ICS protocols?
Does AI truly lower the barrier for entry? If not, is that an AI limitation or am I just "holding it wrong"?
Is it shortening my development time? Or solving some problems but creating new ones for a net-zero benefit?
2/2
27.10.2025 14:04
I'm speaking at S4x26 on creating a FrostyGoop-style tool using AI. This experiment has been a good avenue for tackling a few questions I've had about AI-enabled software development. Most importantly, just how easy is it?
I'm excited to share what I learn come February!
1/2
27.10.2025 14:04
I had a great experience at #FTSCon on Monday. Both the speakers and the audience are such high caliber that an interesting discussion can be had at any point during the day. The information presented is useful for folks in any technical aspect of cybersecurity, not just DFIR folks.
1/3
24.10.2025 19:58
macOS 26 really kills the T2 Intel Macs. It's technically compatible, but the experience is a drag, especially just after boot with all the indexing. I'm going to put a T2 Linux distro on this thing, and hope it improves the experience. I refuse to throw away a computer that's barely 5 years old.
21.10.2025 18:49
Giovanni’s Pop-Up Store - Double Good Online Fundraising
Click here to buy our delicious popcorn and 50% of your purchase benefits this fundraiser. #doublegood #dgpopup
My cousin is raising money to go to the MLS Next Youth Showcase.
You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.
Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)
s.dgpopup.com/0o409evs/rp
18.10.2025 21:19
DEF CON 33 - Don’t Cry Wolf: Evidence based assessments of ICS Threats - Jimmy Wylie & Sam Hanson
ICS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense
Our DEF CON33 ICS Village talk is now on YouTube!
@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.
Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
16.10.2025 19:18
I couldn’t think of a picture, so here’s an image from an old show that probably planted the seed for me to become a malware analyst.
10.10.2025 18:40
In ICS, malware analysis can feel like archaeology. I started the week with a 13-year-old sample and ended the week with @sam-hans0n.bsky.social pinging about an 18-year-old sample.
So, save your old Windows ISOs and VMs, you might need them!
10.10.2025 18:40
I enjoyed it, but I’ll readily admit, it’s not for everyone.
08.10.2025 16:45
Selfie of Jimmy holding a belt buckle. The belt buckle is a western style buckle. The buckle has Speaker along the top, an image of the HOUSECCON flying saucer logo below it, and an astronaut riding a horse. The bottom of the buckle has the year, 2025. The rest of the buckle is decorated with filigree.
Thanks to @cybrseccon.bsky.social / HOU.SEC.CON for having us last week. (and for a really unique speaker gift!) The conference has grown into a valuable industry event, and I'm looking forward to the next one!
ICYMI, we posted resources from our talk here:
gist.github.com/maya...
08.10.2025 15:51