Jimmy Wylie

Distinguished Malware Analyst at Dragos. Lead #Malware Analyst on TRISIS and PIPEDREAM. Spend my time searching for and tearing apart #ICS threats.

2026-02-19

I earned my first CVE credit (CVE-2025-7676) for helping with a Windows ARM vuln. So, to commemorate the credit, @reverseics presented me last week with a Trophy of Perpetual Futility, because there’s always more work to do.

raw.githubusercontent.com/reid

Hand holding a trophy of a king standing on a column. At the base of the column is the text:
‘MY NAME IS OZYMANDIAS, KING OF KINGS; LOOK ON MY WORKS, YE MIGHTY, AND DESPAIR’

Photo of smiling Jimmy holding a gold and red trophy in right hand. The top of the trophy is a gold statue of a king holding a sceptre. The king is standing on a red column, with a white base and a gold plaque.

2026-02-17

The Dragos 2026 Year In Review Report is live: 3 new threat groups, updates from 3 of our more active threat groups, and (my personal favorite) coverage of a subset of ICS-related capabilities that we found last year.

dragos.com/ot-cybersecurity-ye

2026-02-10

I've spent a lot of time reversing ICS malware. Recently, I've been building it with AI tools. While there's been plenty of commentary and news about AI and malware, I'm excited to share what I learned actually trying to build some at S4x26.

Stage 2, Feb 24, 12pm.

2026-01-30

CERT.PL's report on the coordinated attacks against Polish infrastructure. Adversaries used all manner of destructive techniques: firmware corruption, wipers, SSH commands, FTP deletes, factory resets, even booted Tiny Core Linux on KVM to DD-wipe servers.

They targeted a grid connection point, CHP plant, and a manufacturing site. The forensic reconstruction and malware analysis is excellent. Worth a read for the technical depth.

cert.pl/en/posts/2026/01/incid

#ICS #OTSecurity

2026-01-29

I know I'm feeling stressed out when I go back to reading Thich Nhat Hanh. His teachings calm me, and I need that reminder that happiness is available in any moment despite circumstance. I'm not even Buddhist. Or maybe I am? He'd probably say the distinction isn't important.

2026-01-28

@DaveMWilburn they haven’t released a report yet. I wasn’t personally involved in this investigation (different part of the team), but as far as I know, so far the primary public sources are the Polish PM detailing the attack:

gov.pl/web/primeminister/polan

And ESET’s recent release on a wiper that was used:

welivesecurity.com/en/eset-res

2026-01-27

This is the first known attack on DERs. Attackers compromised RTUs at 30 different sites. The report has an overview, defensive guidance, and a comparison to past ELECTRUM ops.
Hats off to CERT Polska for leading the charge, and kudos to our Intel team for the hard work.

hubs.la/Q040Bwpg0

#ICS #otsecurity

2025-12-16

I spent a couple of months arguing with Claude and Copilot while building FrostyGoop variants for DNP3 (and Modbus), keeping detailed notes on what worked and what didn't. At S4, I'll share my honest assessment: where these tools actually help, where they fail, and how much skill an attacker needs to make them useful.

See you in Miami!

#ICS #malware #otsecurity

2025-11-17

We have a job opening in our Community Defense Program (CDP) which gives small utilities free access to the Dragos Platform. This opening is a chance to do some truly meaningful work for the community.

Job Description: job-boards.greenhouse.io/drago

CDP Description:
dragos.com/community/community

#otsecurity #ics

2025-11-14

Had a great time presenting at LSU this week on hunting and analyzing Go and Python malware samples while hunting for ICS malware. For those who couldn't make it, you can catch a recording of this talk from Hou.Sec.Con last month with @secureloon

youtube.com/watch?v=R8xFGz-AGEE

#ICS #malware #otsecurity #malwareanalysis

2025-11-11

A lot of folks have reached out about Socket's recent report on a supply chain attack using malicious NuGet packages to target Siemens S7 protocol and other PLCs.

This is not a supply chain attack in the traditional sense. No legitimate projects were compromised, and no S7, Sharp7, or Siemens codebases were modified. Socket identified packages published by a separate user ("shanhai666") containing code that probabilistically kills host processes and causes database write failures within specific date ranges.

While I agree the code is harmful and the packages are suspicious, I'm not convinced about the supply chain attack angle -- or if it is one, it's not a particularly effective one. Several factors give me pause:

- The lure isn't particularly convincing.
- The packages are unpopular (even by Socket's metrics), so infection of new projects seems improbable.
- It's unclear how or why existing projects that use legit Sharp7 or SQL would switch to the malicious dependency.
- There's no C2 code or infrastructure to confirm victims. How would an attacker even know if this worked?
- The evidence doesn't clearly rule out the alternative explanation of offensive security research.

I'd give this a low confidence assessment for malicious intent. That said, it's normal for analysts to reach different conclusions based on the same data, and my assessment isn't a criticism of Socket's solid technical analysis and code breakdown.

Props to their Threat Research team for identifying and publicizing these harmful packages. If you want to understand what the code does, check out their post. Their package search tool also has a neat decompilation feature that lets you examine the code yourself.

Bottom line: Always verify your dependencies and their sources!

socket.dev/blog/9-malicious-nu

2025-10-31

Learning Modbus is basically this conversation:

“I live at 502 Westport Ave.”

“Sweet, I’m sending you a package.”

“Wait! If you talk to the mail carrier, my address is 501 Westport Ave.”

“Oh. So, you live at 501 Westport?”

“No, that’s my neighbor, Bobby. I live at 502, but you have to write 501 on the package or the mail carrier brings it to the wrong house. Long story... he has a problem.”

ICS is fun. If you’re curious, this blog post covers what I’m referring to:

blog.softwaretoolbox.com/topse

(H/T to @reverseics for inspiring this post)

#ICS #otsecurity
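The "502 on the door, 501 on the package" offset in the post above is the gap between 1-based Modbus documentation addresses and the 0-based address carried on the wire. The following is an added Python example (not code from the post or the linked blog) that converts between the two and builds and parses a Modbus/TCP read request; it assumes the conventional 5-digit data-model notation (40001 is the first holding register) and the sample frames it constructs are its own.

```python
import struct

# Conventional 5-digit Modbus data-model notation used in PLC documentation
# (assumed here): leading digit selects the table, the rest is a 1-based index.
TABLES = {
    0: ("coil", 1),              # 00001-09999, read with function code 1
    1: ("discrete_input", 2),    # 10001-19999, read with function code 2
    3: ("input_register", 4),    # 30001-39999, read with function code 4
    4: ("holding_register", 3),  # 40001-49999, read with function code 3
}
BASE_BY_FC = {fc: table * 10000 for table, (_, fc) in TABLES.items()}

def to_protocol_address(plc_address: int) -> tuple[str, int, int]:
    """Turn a documentation address such as 40502 ("I live at 502") into the
    0-based address that goes on the wire, 501 ("write 501 on the package").
    Returns (table name, read function code, wire address)."""
    table, index = divmod(plc_address, 10000)
    if table not in TABLES or not 1 <= index <= 9999:
        raise ValueError(f"not a 5-digit Modbus data-model address: {plc_address}")
    name, fc = TABLES[table]
    return name, fc, index - 1

def build_read_request(plc_address: int, count: int, unit_id: int = 1,
                       transaction_id: int = 0) -> bytes:
    """Build a Modbus/TCP read request (MBAP header + PDU) for `count` items
    starting at the documentation address `plc_address`."""
    _, fc, wire_addr = to_protocol_address(plc_address)
    pdu = struct.pack(">BHH", fc, wire_addr, count)
    # MBAP length counts the unit identifier plus the PDU bytes that follow it.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_read_request(frame: bytes) -> dict:
    """Decode a captured read request back into documentation addressing, so a
    frame seen on the network can be compared with what the engineer intended."""
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    fc, wire_addr, count = struct.unpack(">BHH", frame[7:12])
    if protocol_id != 0 or length != len(frame) - 6 or fc not in BASE_BY_FC:
        raise ValueError("not a well-formed Modbus/TCP read request")
    return {
        "unit_id": unit_id,
        "function_code": fc,
        "wire_address": wire_addr,
        "plc_address": BASE_BY_FC[fc] + wire_addr + 1,  # undo the off-by-one
        "count": count,
    }
```

Reading 40502 produces a PDU whose address field is 0x01F5 (501), which is what a packet capture will show even though every engineering document says 502.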

2025-10-27

I'm speaking at S4x26 on creating a FrostyGoop-style tool using AI. This experiment has been a good avenue to explore a few questions like:

How much does AI know about ICS protocols?

Does AI truly lower the barrier for entry? If not, is that an AI limitation or am I just "holding it wrong"?

Is it shortening my development time? Or just solving some problems but creating new ones for a net-zero time benefit?

More simply, how easy is it?

I'm excited to share what I learn come February.

#ics #otsecurity

2025-10-24

I had a great experience at #FTSCon on Monday. Both the speakers and the audience are such high caliber that an interesting discussion can be had at any point during the day. The information presented is useful for folks in any technical aspect of cybersecurity, not just DFIR folks. If you can, you should try to attend it next year.

Here are a few of the projects I enjoyed learning about this time around:

Thorium Malware Pipeline: github.com/cisagov/thorium

CTADL Static Taint Analysis Tool: github.com/sandialabs/ctadl

MinusOne, a deobfuscation engine for scripting languages: github.com/airbus-cert/minusone

EPIC Erebus for PCIe and DMA attack research: crowdsupply.com/securinghw/epi

2025-10-21

macOS 26 really kills the T2 Intel Macs. It's technically compatible, but the experience is a drag, especially just after boot with all the indexing. I'm going to put a T2 Linux distro on this thing, and hope it improves the experience. I refuse to throw away a computer that's barely 5 years old.

2025-10-18

My cousin is raising money to go to the MLS Next Youth Showcase.

You buy tasty popcorn, and the money funds the trip with an option to donate to teachers.

Check it out and support a good cause! I just bought a bunch for our weekly board game meetup :)

s.dgpopup.com/0o409evs/rp

2025-10-16

Our DEF CON33 ICS Village talk is now on YouTube!

@secureloon and I share stories of malware we discovered while searching for ICS threats, and discuss our approach to assessing their reputation.

Don't Cry Wolf: Evidence-Based Assessment of ICS Threats
youtube.com/watch?v=6U_CepoMSl4

#ICS #otsecurity #malware #malwareanalysis

2025-10-10

In ICS, malware analysis can feel like archaeology. I started the week with a 13-year-old sample and ended the week with @secureloon pinging me about an 18-year-old sample.

So, save your old Windows ISOs and VMs, you might need them!

(I couldn’t think of a picture, so here’s an image from an old show that probably planted the seed for me to become a malware analyst.)

2025-10-08

Thanks to CYBER.SEC.CON / HOU.SEC.CON for having us last week. (and for a really unique speaker gift!) The conference has grown into a valuable industry event, and I enjoyed catching up with folks I haven't seen in quite some time. I'm looking forward to the next one!

ICYMI we posted resources from our talk here:
gist.github.com/mayahustle/9b6

#ICS #otsecurity #houseccon

Selfie of Jimmy holding a belt buckle. The belt buckle is a western style buckle. The buckle has Speaker along the top, an image of the HOUSECCON flying saucer logo below it, and an astronaut riding a horse. The bottom of the buckle has the year, 2025. The rest of the buckle is decorated with filigree.

2025-10-07

Well... I can’t help but listen to this. 🤘It’s weird, and I like it.

deathmeta.bandcamp.com/album/m

Server: https://mastodon.social