Jimmy Wylie
@mayahustle.com
I look for ICS threats, and spend a lot of time reverse engineering.
Distinguished Malware Analyst @ Dragos.
Lead Analyst on TRISIS and PIPEDREAM.
He/Him
Pinned
Howdy folks! I'm a malware analyst focused on critical infrastructure threats and ICS/OT malware.

Aside from studying reverse engineering, I lift weights, play a lot of board games and try to keep my philosopher dog, Velma, entertained.

Here's an example of my work:
www.dragos.com/blog/analyzi...
I spent a couple months arguing with Claude and Copilot while building FrostyGoop variants for DNP3 (and Modbus), keeping detailed notes on what worked and what didn't. At S4, I’ll share my honest assessment of these tools and how they might lower barriers to ICS malware dev. See you in Miami!
December 16, 2025 at 3:00 PM
Reposted by Jimmy Wylie
Finally sharing what’s been under wraps for months.

Adam Foster and I tore into HID SEOS to build the first open-source implementation for Proxmark3.

This is our Black Hat Asia 2025 story → www.youtube.com/watch?v=mnhG...

#RFIDHacking #SEOS #CyberSecurity
Dismantling the SEOS Protocol
YouTube video by Black Hat
www.youtube.com
November 11, 2025 at 2:26 AM
We have a job opening in our Community Defense Program (CDP) which gives small utilities free access to the Dragos Platform. This opening is a chance to do some truly meaningful work for the community.

Job Description: job-boards.greenhous...

CDP Description:
www.dragos.com/commu...
Associate Project Manager
Hanover, MD
job-boards.greenhouse.io
November 17, 2025 at 5:00 PM
Had a great time presenting at LSU this week on hunting and analyzing Go and Python malware samples while hunting for ICS malware. For those who couldn't make it, you can catch a recording of this talk from Hou.Sec.Con last month with @sam-hans0n.bsky.social

www.youtube.com/watc...
November 14, 2025 at 2:01 PM
Props to their Threat Research team for identifying and publicizing these harmful packages. If you want to understand what the code does, check out their post.

Bottom line: Always verify your dependencies and their sources!

socket.dev/blog/9-ma...
6/6
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
socket.dev
November 11, 2025 at 5:31 PM
The evidence also doesn't rule out security research as an explanation.
I’d give this a low confidence assessment for malicious intent. That said, it's normal for analysts to reach different conclusions, and this isn't a criticism of Socket's solid technical analysis.
5/6
November 11, 2025 at 5:31 PM
- The lure isn't convincing.
- The packages are unpopular (even by Socket's metrics), so infection of new projects seems improbable.
- Why would existing projects switch to the malicious dependencies?
- There's no C2 code to confirm victims. How would an attacker know if this worked?
4/6
November 11, 2025 at 5:31 PM
While I agree the code is harmful and the packages are suspicious, I'm not convinced about the supply chain attack angle -- or if it is one, it’s not a particularly effective one. Several factors give me pause:
3/6
November 11, 2025 at 5:31 PM
No legitimate projects were compromised, and no S7, Sharp7, or Siemens codebases were modified. Socket identified packages published by a separate user ("shanhai666") containing code that probabilistically kills host processes and causes database write failures within specific date ranges.
2/6
November 11, 2025 at 5:30 PM
A lot of folks have reached out about Socket’s recent report on a supply chain attack using malicious NuGet packages to target Siemens S7 protocol and other PLCs.

This is not a supply chain attack in the traditional sense.
1/6
November 11, 2025 at 5:30 PM
“No, that’s my neighbor, Bobby. I live at 502, but you have to write 501 on the package or the mail carrier brings it to the wrong house. He has a problem.”

ICS is fun. This blog covers the problem:
blog.softwaretoolbox.com/topserver-mo...

(H/T to Reid Wightman for inspiring this post)

(2/2)
Modbus Offset vs. Addressing: Why Does It Matter?
Discover the relationship between the Modbus address used by TOP Server and the physical offset in a device when enabling/disabling Zero-Based Addressing.
blog.softwaretoolbox.com
October 31, 2025 at 5:18 PM
Learning Modbus is basically this conversation:

“I live at 502 Westport Ave.”

“Sweet, I’m sending you a package.”

“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”

“Oh. So, you live at 501 Westport?”

(1/2)
October 31, 2025 at 5:18 PM
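As an added worked example (not part of the original posts), here is the off-by-one from the conversation above in code: a Modbus/TCP Read Holding Registers request built from the register number a person would say out loud, once with the usual one-based convention and once with zero-based addressing, plus a decoder that shows only what a packet capture shows, the wire offset. The frame layout follows the Modbus/TCP specification; the function names and the sample values are my own.

```python
import struct

READ_HOLDING_REGISTERS = 0x03  # function code from the Modbus application protocol spec


def register_to_offset(register: int, zero_based: bool = False) -> int:
    """Turn the register number a human uses into the offset sent on the wire.

    Documentation and most HMIs number holding registers from 1 (40001 is the
    first one), but the request PDU carries a zero-based offset, so register 502
    goes out as 501. A tool configured for zero-based addressing sends the number
    unchanged, which is how two tools pointed at the same "address" end up
    reading neighbouring registers.
    """
    offset = register if zero_based else register - 1
    if not 0 <= offset <= 0xFFFF:
        raise ValueError(f"register {register} is outside the 16-bit offset range")
    return offset


def build_read_holding(register: int, quantity: int = 1, unit_id: int = 1,
                       transaction_id: int = 1, zero_based: bool = False) -> bytes:
    """Build a Modbus/TCP Read Holding Registers request (MBAP header + PDU)."""
    if not 1 <= quantity <= 125:
        raise ValueError("the spec allows 1..125 registers per read")
    offset = register_to_offset(register, zero_based)
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, offset, quantity)
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def decode_read_holding(frame: bytes) -> dict:
    """Decode a request the way a capture presents it: the offset only, with the
    one-based register number derived so it can be compared to the documentation."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc, offset, quantity = struct.unpack(">BHH", frame[7:12])
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {fc:#x}")
    return {"unit": unit, "function": fc, "wire_offset": offset,
            "quantity": quantity, "one_based_register": offset + 1}


if __name__ == "__main__":
    # Constructed sample: ask for "register 502" both ways and see where it lands.
    for zero_based in (False, True):
        frame = build_read_holding(502, zero_based=zero_based)
        print(f"zero_based={zero_based}: {frame.hex()} -> {decode_read_holding(frame)}")
```

With zero-based addressing the same "502" arrives at one-based register 503, which is Bobby's house in the joke; when reconciling a capture against a register map, the offset plus one is the number the documentation uses.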
Other questions I'm exploring:

How much does AI know about ICS protocols?

Does AI truly lower the barrier for entry? If not, is that an AI limitation or am I just "holding it wrong"?

Is it shortening my development time? Or solving some problems but creating new ones for a net-zero benefit?
2/2
October 27, 2025 at 2:04 PM
I'm speaking at S4x26 on creating a FrostyGoop-style tool using AI. This experiment has been a good avenue for tackling a few questions I've had about AI-enabled software development. Most importantly, just how easy is it?

I'm excited to share what I learn come February!

1/2
October 27, 2025 at 2:04 PM
MinusOne, a deobfuscation engine for scripting languages: github.com/airbus-ce...

EPIC Erebus for PCIe and DMA attack research: www.crowdsupply.com/...
3/3
GitHub - airbus-cert/minusone: Powershell Linter
Powershell Linter. Contribute to airbus-cert/minusone development by creating an account on GitHub.
github.com
October 24, 2025 at 7:58 PM
Here are a few of the projects I enjoyed learning about this time around:

Thorium Malware Pipeline: github.com/cisagov/t...

CTADL Static Taint Analysis Tool: github.com/sandialab...
2/3
GitHub - cisagov/thorium: A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale.
A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale. - cisagov/thorium
github.com
October 24, 2025 at 7:58 PM
I had a great experience at #FTSCon on Monday. Both the speakers and the audience are such high caliber that an interesting discussion can be had at any point during the day. The information presented is useful for folks in any technical aspect of cybersecurity, not just DFIR folks.
1/3
October 24, 2025 at 7:58 PM
MacOS 26 really kills the T2 Intel Macs. It's technically compatible, but the experience is a drag, especially just after boot with all the indexing. I'm going to put a T2 Linux distro on this thing, and hope it improves the experience. I refuse to throw away a computer that's barely 5 years old.
October 21, 2025 at 6:49 PM
My cousin is raising money to go to the MLS Next Youth Showcase.

You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.

Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)

s.dgpopup.com/0o409evs/rp
Giovanni’s Pop-Up Store - Double Good Online Fundraising
Click here to buy our delicious popcorn and 50% of your purchase benefits this fundraiser. #doublegood #dgpopup
s.dgpopup.com
October 18, 2025 at 9:19 PM
Our DEF CON33 ICS Village talk is now on YouTube!

@sam-hans0n.bsky.social and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.

Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
DEF CON 33 - Don’t Cry Wolf: Evidence based assessments of ICS Threats - Jimmy Wylie & Sam Hanson
ICS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense
www.youtube.com
October 16, 2025 at 7:18 PM
I couldn’t think of a picture, so here’s an image from an old show that probably planted the seed for me to become a malware analyst.
October 10, 2025 at 6:40 PM
In ICS, malware analysis can feel like archaeology. I started the week with a 13-year-old sample and ended the week with @sam-hans0n.bsky.social pinging about an 18-year-old sample.

So, save your old Windows ISOs and VMs, you might need them!
October 10, 2025 at 6:40 PM
I enjoyed it, but I’ll readily admit, it’s not for everyone.
October 8, 2025 at 4:45 PM
Thanks to @cybrseccon.bsky.social / HOU.SEC.CON for having us last week. (and for a really unique speaker gift!) The conference has grown into a valuable industry event, and I'm looking forward to the next one!

ICYMI, we posted resources from our talk here:
gist.github.com/maya...
October 8, 2025 at 3:51 PM
Well... I can’t help but listen to this. 🤘 It’s weird, and I like it.

deathmeta.bandcamp.com/album/malware
MALWARE | DEATH META
10 track album
deathmeta.bandcamp.com
October 7, 2025 at 6:14 PM