About Me
My name is Mike, also known by my handle “Rem” in most internet circles. I am a SANS Technology Institute graduate, with a focus on digital forensics and incident response. I am also involved in the Python Software Foundation as a supporting member, and dedicate a large portion of time towards open source security.
Professionally, I work at Huntress as a senior security analyst by day and run a cybersecurity organization of my own called Vipyr Security by night.
I can also be found on the Python Discord, where I contribute frequently to cybersecurity-related discussions and help steer new members towards appropriate resources, answer questions, and assist in internal projects.
Experience
Huntress
Present
Senior Security Analyst
Security analyst leveraging malware reverse engineering skills to detect, triage, and mitigate security threats. Experienced in ELK, Sigma, YARA, Python, and TypeScript with a focus on detection and response in enterprise-sized domains.
Vipyr Security
Present
Founder, Detection Engineer
Founder & detection engineer implementing hand-written YARA schema to detect and mitigate at-scale supply chain security threats on the Python Package Index. Led program design specifications for a cluster-based code security engine.
Wells Fargo
Risk Management Analyst
Analyzed corporate financial risk utilizing SQL & Python to perform data reconciliation and deviation analysis. Also authored secure and maintainable tooling for organizational data pipelines utilizing Python, PowerShell, M, and SQL in Power BI and Excel.
United States Air Force
Program Analyst
Performed a variety of duties including software testing, IT asset management, configuration management, software distribution lifecycles, and physical penetration testing. Managed secure systems and oversaw unit IT compliance auditing measures.
Certifications & Education
- GIAC Enterprise Penetration Tester (GPEN)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Python Coder (GPYC)
- GIAC Certified Incident Handler (GCIH)
- GIAC Security Essentials (GSEC)
- GIAC Information Security Fundamentals (GISF)
- GIAC Foundational Cybersecurity Technologies (GFACT)
Publications & Referenced Work
ClickFix Won't Die. Neither Will Matanbuchus. A New RAT and a Hands-on-Keyboard Intrusion
ClickFix infection deploys Matanbuchus 3.0 loader and drops a new RAT that we’ve dubbed AstarionRAT. We break down the layers and the hands-on intrusion that followed.
Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
Huntress uncovers ransomware operations abusing employee monitoring software and SimpleHelp RMM for persistence and ransomware deployment.
PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
Huntress is seeing threat actors exploit React2Shell (CVE-2025-55182) to deploy a Linux backdoor, a reverse proxy tunnel, and a Go-based post-exploitation implant.
How an Attacker's Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
An attacker installed Huntress onto their operating machine, giving us a detailed look at how they’re using AI to build workflows, searching for tools like Evilginx, and researching targets like software development companies.
Huntress Threat Advisory: Active Exploitation of SonicWall VPNs
A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach.
Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
Huntress discovered active exploitation of Wing FTP Server RCE (CVE-2025-47812). Learn more about the injection flaw, attack timeline, forensic artifacts, and how to protect your organization.
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
Huntress has observed in-the-wild exploitation of CVE-2025-30406, a weakness due to hardcoded cryptographic keys.
Hunt for RedCurl
Huntress discovered RedCurl activity across several organizations in Canada going back to 2023. Learn more about how this APT operates and how they aim to remain undetected while exfiltrating sensitive data.
Managed SIEM and the Art of Perfecting Cyber Defense
How Huntress Managed SIEM turns signal recognition into defensive mastery.

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
We track a campaign by Gleaming Pisces (Citrine Sleet) delivering Linux or macOS backdoors via Python packages, aiming to infiltrate supply chain vendors.
Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software
Threat actors have been successful in gaining entry using accounting software commonly used by construction companies.

Mapping Threats with DNSTwist and the Internet Storm Center
Mapping Threats with DNSTwist and the Internet Storm Center [Guest Diary], Author: Guy Bruneau
When Trust Becomes a Trap: How Huntress Foiled a Medical Software Update Hack
Hackers cloned a legitimate medical image viewer site to distribute malware, but thanks to Huntress, the threat was detected in time. Dive into the incident and see how we uncovered the deception and averted disaster.

APT Activity Report Q4 2023-Q1 2024: Iran-aligned Cyberattacks - Rise in Disruptive Operations
Explore the latest APT Activity Report Q4 2022-Q1 2023 to learn more about Iran-aligned groups, espionage of Russia-aligned groups, and China-aligned threat actors exploiting vulnerabilities in public-facing appliances.
Accolades
- Dean's List - SANS Institute Fall 2024
- Dean's List - SANS Institute Spring 2024
- PicoCTF 2024 - 138/6957, Global Leaderboard
- NCL Spring 2024 - 33/7412, Individual
- NCL Spring 2024 - 7/4199, Team (Team Captain)
- GIAC Advisory Board
Getting in Touch
The simplest way to contact me is through my Twitter handle @sudo_Rem.
