Jimmy Wylie
@mayahustle.com
I look for ICS threats, and spend a lot of time reverse engineering.
Distinguished Malware Analyst @ Dragos.
Lead Analyst on TRISIS and PIPEDREAM.
He/Him
Distinguished Malware Analyst @ Dragos.
Lead Analyst on TRISIS and PIPEDREAM.
He/Him
Pinned
Jimmy Wylie
@mayahustle.com
· Nov 23
Howdy folks! I'm a malware analyst focused on critical infrastructure threats and ICS/OT malware.
Aside from studying reverse engineering, I lift weights, play a lot of board games and try to keep my philosopher dog, Velma, entertained.
Here's an example of my work:
www.dragos.com/blog/analyzi...
Aside from studying reverse engineering, I lift weights, play a lot of board games and try to keep my philosopher dog, Velma, entertained.
Here's an example of my work:
www.dragos.com/blog/analyzi...
A lot of folks have reached out about Socket’s recent report on a supply chain attack using malicious NuGet packages to target Siemens S7 protocol and other PLCs.
This is not a supply chain attack in the traditional sense.
1/6
This is not a supply chain attack in the traditional sense.
1/6
November 11, 2025 at 5:30 PM
A lot of folks have reached out about Socket’s recent report on a supply chain attack using malicious NuGet packages to target Siemens S7 protocol and other PLCs.
This is not a supply chain attack in the traditional sense.
1/6
This is not a supply chain attack in the traditional sense.
1/6
Learning Modbus is basically this conversation:
“I live at 502 Westport Ave.”
“Sweet, I’m sending you a package.”
“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”
“Oh. So, you live at 501 Westport?”
(1/2)
“I live at 502 Westport Ave.”
“Sweet, I’m sending you a package.”
“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”
“Oh. So, you live at 501 Westport?”
(1/2)
October 31, 2025 at 5:18 PM
Learning Modbus is basically this conversation:
“I live at 502 Westport Ave.”
“Sweet, I’m sending you a package.”
“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”
“Oh. So, you live at 501 Westport?”
(1/2)
“I live at 502 Westport Ave.”
“Sweet, I’m sending you a package.”
“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”
“Oh. So, you live at 501 Westport?”
(1/2)
I'm speaking at S4x26 on creating a FrostyGoop-style tool using AI. This experiment has been a good avenue for tackling a few questions I've had about AI-enabled software development. Most importantly, just how easy is it?
I'm excited to share what I learn come February!
1/2
I'm excited to share what I learn come February!
1/2
October 27, 2025 at 2:04 PM
I'm speaking at S4x26 on creating a FrostyGoop-style tool using AI. This experiment has been a good avenue for tackling a few questions I've had about AI-enabled software development. Most importantly, just how easy is it?
I'm excited to share what I learn come February!
1/2
I'm excited to share what I learn come February!
1/2
I had a great experience at #FTSCon on Monday. Both the speakers and the audience are such high caliber that an interesting discussion can be had at any point during the day. The information presented is useful for folks in any technical aspect of cybersecurity, not just DFIR folks.
1/3
1/3
October 24, 2025 at 7:58 PM
I had a great experience at #FTSCon on Monday. Both the speakers and the audience are such high caliber that an interesting discussion can be had at any point during the day. The information presented is useful for folks in any technical aspect of cybersecurity, not just DFIR folks.
1/3
1/3
MacOS 26 really kills the T2 Intel Macs. It's technically compatible, but the experience is a drag, especially just after boot with all the indexing. I'm going to put a T2 Linux distro on this thing, and hope it improves the experience. I refuse to throw away a computer that's barely 5 years old.
October 21, 2025 at 6:49 PM
MacOS 26 really kills the T2 Intel Macs. It's technically compatible, but the experience is a drag, especially just after boot with all the indexing. I'm going to put a T2 Linux distro on this thing, and hope it improves the experience. I refuse to throw away a computer that's barely 5 years old.
My cousin is raising money to go to the MLS Next Youth Showcase.
You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.
Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)
s.dgpopup.com/0o409evs/rp
You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.
Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)
s.dgpopup.com/0o409evs/rp
Giovanni’s Pop-Up Store - Double Good Online Fundraising
Click here to buy our delicious popcorn and 50% of your purchase benefits this fundraiser. #doublegood #dgpopup
s.dgpopup.com
October 18, 2025 at 9:19 PM
My cousin is raising money to go to the MLS Next Youth Showcase.
You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.
Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)
s.dgpopup.com/0o409evs/rp
You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.
Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)
s.dgpopup.com/0o409evs/rp
Our DEF CON33 ICS Village talk is now on YouTube!
@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.
Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.
Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
DEF CON 33 - Don’t Cry Wolf: Evidence based assessments of ICS Threats - Jimmy Wylie & Sam Hanson
CS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense
www.youtube.com
October 16, 2025 at 7:18 PM
Our DEF CON33 ICS Village talk is now on YouTube!
@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.
Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.
Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
In ICS, malware analysis can feel like archaeology. I started the week with a 13 year old sample and ended the week with @sam-hans0n.bsky.social pinging about an 18 years old sample.
So, save your old Windows ISOs and VMs, you might need them!
So, save your old Windows ISOs and VMs, you might need them!
October 10, 2025 at 6:40 PM
In ICS, malware analysis can feel like archaeology. I started the week with a 13 year old sample and ended the week with @sam-hans0n.bsky.social pinging about an 18 years old sample.
So, save your old Windows ISOs and VMs, you might need them!
So, save your old Windows ISOs and VMs, you might need them!
Thanks to @cybrseccon.bsky.social / HOU.SEC.CON for having us last week. (and for a really unique speaker gift!) The conference has grown into a valuable industry event, and I'm looking forward to the next one!
ICYMI, we posted resources from our talk here:
gist.github.com/maya...
ICYMI, we posted resources from our talk here:
gist.github.com/maya...
October 8, 2025 at 3:51 PM
Thanks to @cybrseccon.bsky.social / HOU.SEC.CON for having us last week. (and for a really unique speaker gift!) The conference has grown into a valuable industry event, and I'm looking forward to the next one!
ICYMI, we posted resources from our talk here:
gist.github.com/maya...
ICYMI, we posted resources from our talk here:
gist.github.com/maya...
Well.. I can’t help but listen to this. 🤘It’s weird, and I like it.
deathmeta.bandcamp.com/album/malware
deathmeta.bandcamp.com/album/malware
MALWARE | DEATH META
10 track album
deathmeta.bandcamp.com
October 7, 2025 at 6:14 PM
Well.. I can’t help but listen to this. 🤘It’s weird, and I like it.
deathmeta.bandcamp.com/album/malware
deathmeta.bandcamp.com/album/malware
The Difference Maker Awards are about contributions to the community, so they let the community decide.
Voting ends on Wednesday, October 8. If you haven’t voted yet, please consider it!
(I’m a finalist in the ICS category alongside some amazing industry leaders)
www.sans.org/about/awards...
Voting ends on Wednesday, October 8. If you haven’t voted yet, please consider it!
(I’m a finalist in the ICS category alongside some amazing industry leaders)
www.sans.org/about/awards...
SANS Difference Makers Awards
These are the people and organizations acknowledged by the SANS Institute for their oustanding contributions to cyber security each year.
www.sans.org
October 3, 2025 at 8:08 PM
The Difference Maker Awards are about contributions to the community, so they let the community decide.
Voting ends on Wednesday, October 8. If you haven’t voted yet, please consider it!
(I’m a finalist in the ICS category alongside some amazing industry leaders)
www.sans.org/about/awards...
Voting ends on Wednesday, October 8. If you haven’t voted yet, please consider it!
(I’m a finalist in the ICS category alongside some amazing industry leaders)
www.sans.org/about/awards...
@xorhex.bsky.social Good work on this BinaryNinja plugin! It really came in handy the other day when I was trying to type and label some dynamic api resolution code. Someone in Binja’s slack recommended it. Rock on!
github.com/xorhex/binja...
github.com/xorhex/binja...
GitHub - xorhex/binjaextras
Contribute to xorhex/binjaextras development by creating an account on GitHub.
github.com
October 2, 2025 at 5:45 PM
@xorhex.bsky.social Good work on this BinaryNinja plugin! It really came in handy the other day when I was trying to type and label some dynamic api resolution code. Someone in Binja’s slack recommended it. Rock on!
github.com/xorhex/binja...
github.com/xorhex/binja...
I was nominated for a SANS DMA - ICS/OT Practitioner of the Year, along with some impressive folks. Reverse engineering ICS malware is hard, but communicating the results is harder. Grateful to SANS for recognizing my work in this area.
Link below. Voting ends on Oct. 8.
Link below. Voting ends on Oct. 8.
SANS Difference Makers Awards | SANS Institute
These are the people and organizations acknowledged by the SANS Institute for their oustanding contributions to cyber security each year.
www.sans.org
September 23, 2025 at 4:21 PM
I was nominated for a SANS DMA - ICS/OT Practitioner of the Year, along with some impressive folks. Reverse engineering ICS malware is hard, but communicating the results is harder. Grateful to SANS for recognizing my work in this area.
Link below. Voting ends on Oct. 8.
Link below. Voting ends on Oct. 8.
Earlier this year, I complained about how many hyphens there were in Unicode. It turns out a Soft Hyphen was abused last year in a creative PHP exploit.
CVE-2024-4577 exploits Windows’ Best Fit character conversion feature that auto-converts certain Unicode characters to ASCII equivalents.
1/3
CVE-2024-4577 exploits Windows’ Best Fit character conversion feature that auto-converts certain Unicode characters to ASCII equivalents.
1/3
September 19, 2025 at 6:58 PM
Earlier this year, I complained about how many hyphens there were in Unicode. It turns out a Soft Hyphen was abused last year in a creative PHP exploit.
CVE-2024-4577 exploits Windows’ Best Fit character conversion feature that auto-converts certain Unicode characters to ASCII equivalents.
1/3
CVE-2024-4577 exploits Windows’ Best Fit character conversion feature that auto-converts certain Unicode characters to ASCII equivalents.
1/3
Oh hey, Hex-Rays released IDA 9.2. There are new Go features like support for multiple return values to annotate Go function calls correctly. Jump Anywhere is a nice usability improvement supplanting the need to remember 5 keyboard shortcuts.
hex-rays.com/blog/id...
#idapro #reverseengineering
hex-rays.com/blog/id...
#idapro #reverseengineering
IDA 9.2 Release: Golang Improvements, New UI Widgets, Types Parsing and More
IDA 9.2: Smarter Go decompilation, new UI widgets, Xref Graph/Tree, LLVM-based type parser, debugger upgrades, and expanded processor support.
hex-rays.com
September 9, 2025 at 4:41 PM
Oh hey, Hex-Rays released IDA 9.2. There are new Go features like support for multiple return values to annotate Go function calls correctly. Jump Anywhere is a nice usability improvement supplanting the need to remember 5 keyboard shortcuts.
hex-rays.com/blog/id...
#idapro #reverseengineering
hex-rays.com/blog/id...
#idapro #reverseengineering
This is a great story about Donald Knuth and Doug McIlroy participating in a literate programming exercise and a hilarious example of different perspectives in problem solving from godfathers of Computer Science.
Original post: hachyderm.io/@mweagle/115...
Original post: hachyderm.io/@mweagle/115...
September 4, 2025 at 10:32 PM
This is a great story about Donald Knuth and Doug McIlroy participating in a literate programming exercise and a hilarious example of different perspectives in problem solving from godfathers of Computer Science.
Original post: hachyderm.io/@mweagle/115...
Original post: hachyderm.io/@mweagle/115...
Sam Hanson and I are speaking at @hou-sec-con.bsky.social on hunting for Python and Go ICS-related malware. You'll learn playbooks for these cases and hear stories about malware targeting ICS in the past year. The talk is on October 1st, at 1 p.m., Track 1. I hope you can make it!
#ICS #OTSecurity
#ICS #OTSecurity
September 3, 2025 at 6:28 PM
Sam Hanson and I are speaking at @hou-sec-con.bsky.social on hunting for Python and Go ICS-related malware. You'll learn playbooks for these cases and hear stories about malware targeting ICS in the past year. The talk is on October 1st, at 1 p.m., Track 1. I hope you can make it!
#ICS #OTSecurity
#ICS #OTSecurity
Just read up on the IDA Domain API updates from Hex Rays. This on top of idalib is a nice step forward in usability. Def recommend checking out the All Things IDA video.
Looking forward to seeing the use case spotlights that they’ll be publishing.
youtu.be/IaOucXb033Q
#idapro #reverseengineering
Looking forward to seeing the use case spotlights that they’ll be publishing.
youtu.be/IaOucXb033Q
#idapro #reverseengineering
An introduction to the IDA Domain API
youtu.be
August 26, 2025 at 10:02 PM
Just read up on the IDA Domain API updates from Hex Rays. This on top of idalib is a nice step forward in usability. Def recommend checking out the All Things IDA video.
Looking forward to seeing the use case spotlights that they’ll be publishing.
youtu.be/IaOucXb033Q
#idapro #reverseengineering
Looking forward to seeing the use case spotlights that they’ll be publishing.
youtu.be/IaOucXb033Q
#idapro #reverseengineering
My reading list for the rest of the year, inspired by DEFCON 33 and the starting chapters of the first book:
- Microcontroller Exploits - Goodspeed
- Hack to the Future - Crose
- Hardware Hacker - bunnie
- Hardware Hacking Handbook - Van Woudenberg + O’Flynn
- Art of Mac Malware (Vol 1+2) - Wardle
- Microcontroller Exploits - Goodspeed
- Hack to the Future - Crose
- Hardware Hacker - bunnie
- Hardware Hacking Handbook - Van Woudenberg + O’Flynn
- Art of Mac Malware (Vol 1+2) - Wardle
August 25, 2025 at 2:07 PM
My reading list for the rest of the year, inspired by DEFCON 33 and the starting chapters of the first book:
- Microcontroller Exploits - Goodspeed
- Hack to the Future - Crose
- Hardware Hacker - bunnie
- Hardware Hacking Handbook - Van Woudenberg + O’Flynn
- Art of Mac Malware (Vol 1+2) - Wardle
- Microcontroller Exploits - Goodspeed
- Hack to the Future - Crose
- Hardware Hacker - bunnie
- Hardware Hacking Handbook - Van Woudenberg + O’Flynn
- Art of Mac Malware (Vol 1+2) - Wardle
Eesh.. I know #ArchLinux can be difficult for folks, but this seems uncalled for. I hope they figure out who’s behind it.
www.zdnet.com/article/arch...
www.zdnet.com/article/arch...
Arch Linux remains under attack as DDoS enters week 2 - here's a workaround | ZDNET
Something mysterious is happening to the popular Linux distro's website. Here's what we know so far.
www.zdnet.com
August 24, 2025 at 10:37 PM
Eesh.. I know #ArchLinux can be difficult for folks, but this seems uncalled for. I hope they figure out who’s behind it.
www.zdnet.com/article/arch...
www.zdnet.com/article/arch...
You want @hermit.sh on your team. If you know of anything, send it their way.
hi!
I'm looking for new work opportunities
strongest areas are data analysis & threat hunting. I love SQL, regex, anomaly detection, data wrangling
experienced designing & using honeypot systems. have created novel techniques
I use python a lot, but can use whatever a situation calls for
tysm💓
I'm looking for new work opportunities
strongest areas are data analysis & threat hunting. I love SQL, regex, anomaly detection, data wrangling
experienced designing & using honeypot systems. have created novel techniques
I use python a lot, but can use whatever a situation calls for
tysm💓
August 18, 2025 at 9:02 PM
You want @hermit.sh on your team. If you know of anything, send it their way.
Poland stopped a cyberattack that could have cut water supply to a major city yesterday.
Cyberattacks against water is a troubling trend. Access to clean water is fundamental, and these types of attacks are direct threats to public health and safety.
#ICS #OTsecurity
www.reuters.com/en/p...
Cyberattacks against water is a troubling trend. Access to clean water is fundamental, and these types of attacks are direct threats to public health and safety.
#ICS #OTsecurity
www.reuters.com/en/p...
August 15, 2025 at 6:16 AM
Poland stopped a cyberattack that could have cut water supply to a major city yesterday.
Cyberattacks against water is a troubling trend. Access to clean water is fundamental, and these types of attacks are direct threats to public health and safety.
#ICS #OTsecurity
www.reuters.com/en/p...
Cyberattacks against water is a troubling trend. Access to clean water is fundamental, and these types of attacks are direct threats to public health and safety.
#ICS #OTsecurity
www.reuters.com/en/p...
Played “In the Footsteps of Marie Curie” tonight. More of a family game, light on the strategy, easy playing. Good one for folks just getting into independent #boardgames
August 15, 2025 at 3:24 AM
Played “In the Footsteps of Marie Curie” tonight. More of a family game, light on the strategy, easy playing. Good one for folks just getting into independent #boardgames
I’m forcing myself to learn #BinaryNinja, and using an LLM to search through the user manual and learn the basics is a game changer. Questions about fonts, theming, basic shortcuts, and considerations coming from IDA all answered easily.
August 14, 2025 at 9:53 PM
I’m forcing myself to learn #BinaryNinja, and using an LLM to search through the user manual and learn the basics is a game changer. Questions about fonts, theming, basic shortcuts, and considerations coming from IDA all answered easily.
Like every other industry, criminals and state-backed groups have jumped on the AI bandwagon. I spent some time reading threat reports from Anthropic, Google, and Open AI. Here's some of what they found:
- Malware and software dev in Python, C/C++, Go, Android (lang unspecified), and others.
1/3
- Malware and software dev in Python, C/C++, Go, Android (lang unspecified), and others.
1/3
August 13, 2025 at 6:30 PM
Like every other industry, criminals and state-backed groups have jumped on the AI bandwagon. I spent some time reading threat reports from Anthropic, Google, and Open AI. Here's some of what they found:
- Malware and software dev in Python, C/C++, Go, Android (lang unspecified), and others.
1/3
- Malware and software dev in Python, C/C++, Go, Android (lang unspecified), and others.
1/3