Threat Hunting
- ICS-Adjacent Capabilities Research and Trends section, Dragos Year-in-Review 2025
- Hunting Beyond Indicators: Guest Blog for the THOR Collective.
Malware Analysis
Here are malware analysis projects I’ve worked on as a reverse engineer at Dragos:
- Fuxnet Malware (whitepaper or strategic brief)
- APT Exploits for Rockwell Automation ControlLogix
- COSMICENERGY Analysis
- Deep Dive into PIPEDREAM’s OPC UA Module, MOUSEHOLE
- Measuring the Potential Impact of MOUSEHOLE
- PIPEDREAM Webinar
- The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
Vulnerability Research
For a full listing of CVEs I’ve discovered, please see my “CVEs Discovered” page.
- Suggested Practices to Defend Against DLL Hijacking
- Root Cause Analysis of Password “Cracking” Vulnerabilities Section, Dragos Year-in-Review 2022 (starts on p.37)
Conferences
I’ve presented at several in-person conferences, including:
- HOU.SEC.CON: Hunting for OT Pythons and Gophers - Playbooks for Binary Triage
- DEF CON 33: Don’t Cry Wolf: Evidence-based Assessments of ICS Threats
- BSides Twin Cities: History of ICS-Specific Malware
- Dragos:
  - DISC ’24: Hunting for Future ICS Threats
  - DISC ’23: When Pythons Attack: The Hunting and Analysis of ICS-related, Compiled Python Samples
  - DISC ’23: PIPEDREAM Analysis
  - DISC ’22: Malware, 0 Days, and PLCs, Oh Boy!
- BSides Zurich: PLC Password Cracking Malware
Unfortunately, some of these were private conferences with sensitive information, so I am unable to share all of the slides.
I’m also one of the organizers of BSides Twin Cities, an annual conference held in Minneapolis, MN in early October. Please check out the site for more information. It’s a great con!
Webinars
I’ve also participated in a variety of webinars:
- SANS ICS: The Story of KurtLar_SCADA - From Malware Discovery to Victim Notification [Slides, Recording]
- University of New Hampshire: ICS/OT Cybersecurity, Malware Threats Examined & Explained
- Dragos 2021: Examining ICS Vulnerabilities Webinar
- Dragos 2020: Examining ICS Vulnerabilities Webinar
Media Coverage
Some of my research has been covered in the media.
Trojan Horse Password Cracking Research
- Ars Technica: Hackers are targeting industrial systems with malware
- Bleeping Computer: Password recovery tool infects industrial systems with Sality malware
- The Hacker News: Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems
- Security Week: PLC and HMI Password Cracking Tools Deliver Malware
- Industrial Cyber: Dragos details Trojan Horse malware, password cracking ecosystem affecting industrial operators
- Secure Blink: Salty malware used to infect ICS through password cracking tool
- HelpNet Security: Beware of password-cracking software for PLCs and HMIs!
- The Tech Outlook: Hackers targeting industrial PLCs with a new password cracking tool by remaining undetected