Security researcher focused on APT emulation, reverse engineering, vulnerability analysis and advanced malware engineering. Deep expertise in UEFI bootkit development, kernel-level rootkits, firmware attack surface analysis and exploit development grounded in real-world vulnerability chains and full infection workflows.
Alejandro Vazquez Vazquez is a security researcher operating under the handle TheMalwareGuardian, with a focus on APT emulation, reverse engineering, and advanced malware development for red team operations and adversary simulation.
In his day-to-day work, he focuses on dissecting vulnerabilities as they appear in real-world infection chains, from UEFI firmware exploitation and pre-boot persistence, through kernel-mode and userland vulnerabilities on both Windows and Linux, to developing exploits aligned with real-world attack scenarios.
This work has led him to present his research at DEF CON, as well as to actively contribute to DEF CON groups and the wider cybersecurity community. Along the way, he has disclosed multiple CVEs and developed several tools, research projects and technical publications, all centered around real-world offensive techniques and full infection chains.
In addition to his primary professional role, he also serves as an instructor in postgraduate cybersecurity master's programs, where he teaches vulnerability analysis, exploit development and reverse engineering, bringing real-world research directly into the classroom and helping prepare the next generation of cybersecurity professionals.
ImgArchStartBootApplication inside the Windows Boot Manager to intercept boot application startup, then targets the OS loader by patching OslFwpKernelSetupPhase1 and leveraging BlImgAllocateImageBuffer to prepare memory for a kernel-mode driver payload. Once execution reaches the NT kernel, it tampers with Code Integrity mechanisms through CI.dll, affecting routines related to SepInitializeCodeIntegrity, enabling execution prior to full OS security initialization.
grub_efi_start_image within the GRUB EFI stage to intercept the loading of the compressed linux kernel (vmlinuz), while patching grub_verifiers_open to bypass shim-based Secure Boot enforcement. It then targets the kernel decompression stage by intercepting ZstdDecompressDctx and unzstd, enabling controlled modification of the kernel image before execution. Once the kernel is unpacked, it patches module_sig_check to allow loading of unsigned LKMs prior to full security initialization.
DKOM for process and object concealment, Minifilter-based techniques to hide files and directories, and Keyboard Filtering for low-level input capture. At the network layer, leverages WFP (Windows Filtering Platform) for traffic control and WSK (Winsock Kernel) to establish kernel-level command-and-control communication channels, enabling persistent and stealthy attacker interaction.
ftrace-based syscall hooking to intercept execution flow, targeting getdents64 and kill for file and process concealment. Stealth capabilities are extended by patching tcp4_seq_show and inet_sk_diag_fill to hide active network connections, while leveraging dynamic symbol resolution via kallsyms_lookup_name. Provides a userspace control interface through IOCTL for runtime management.
kprobes, tracepoints, LSM hooks and XDP programs to intercept process execution, file access and network activity. Supports runtime control via eBPF maps, enabling dynamic policy updates without redeployment. Includes hooks on syscall entry points such as sys_enter_openat and sys_enter_execve, as well as packet filtering at XDP level for high-performance network control.
ImgArchStartBootApplication within the Windows Boot Manager, followed by modifications in the OS loader through OslFwpKernelSetupPhase1 and controlled memory allocation via BlImgAllocateImageBuffer, enabling the preparation of a kernel-mode driver payload before full OS initialization. At the pre-boot stage, the UEFI application was shown leveraging native firmware capabilities to stage additional components, including controlled retrieval of payloads and preparation of memory before the operating system takes control. As part of this process, the bootkit deploys a DXE runtime driver that persists beyond ExitBootServices. The DXE runtime driver was presented as a separate persistent component, effectively acting as a runtime backdoor by maintaining controlled interaction with the system after the transition to the operating system. This enables continued access to memory and execution flow even after firmware execution has officially ended. Once execution transitions into the Windows kernel, the talk showed how the implant can manipulate system behavior by modifying memory structures and enforcing stealth techniques, including DKOM, WFP and WSK-based capabilities, as well as file system (minifilter) and keyboard filtering mechanisms. These primitives enable concealment, persistence and full control from kernel space as part of a coordinated attack chain. All stages, from early boot interception to kernel-level control, were presented through multiple demonstrations, showing how each component operates independently and as part of a complete end-to-end compromise.
| CVE ID | Vulnerability | Type |
|---|---|---|
| CVE-2025-41090 |
Broken Access Control in microCLAUDIA
Improper access control in the CCN-CERT anti-ransomware platform, allowing unauthorized access to restricted functionality and actions.
|
ACCESS CTRL |
| CVE-2021-27289 |
Zigbee Replay Protection Bypass
Replay protection bypass affecting Ksix Zigbee smart devices, allowing forged or replayed messages to alter the perceived device state.
|
REPLAY ATTACK |
| CVE-2025-70330 |
File Parsing Vulnerability in Easy Grade Pro
Improper file parsing leading to memory corruption conditions during file processing, potentially affecting application stability.
|
FILE PARSING |
| CVE ID | Vulnerability | Type |
|---|---|---|
| CVE-2026-5281 |
Chrome - Use-After-Free
Use-after-free in Dawn (Google Chrome) allowing a compromised renderer process to achieve arbitrary code execution via a crafted HTML page
|
UAF RCE |
| CVE-2025-4275 |
Hydroph0bia - Secure Boot Bypass
Improper validation of NVRAM variable attributes enables signature verification bypass and execution of unsigned UEFI code under Secure Boot
|
SECURE BOOT |
| CVE-2025-3052 |
IhisiParamBuffer - Arbitrary Write
Arbitrary write vulnerability in Microsoft-signed UEFI firmware enabling controlled memory modification and execution of untrusted code
|
FW WRITE |
| CVE-2025-0288 |
Paragon Driver - Arbitrary Kernel Write
Improper input validation in
biontdrv.sys allows arbitrary kernel memory writes via memmove, leading to privilege escalation |
KERNEL WRITE |
| CVE-2024-30051 |
Windows DWM - Heap Overflow (LPE)
Heap-based memory corruption in the Desktop Window Manager Core Library leading to local privilege escalation
|
HEAP LPE |
Alejandro also serves as an instructor in postgraduate cybersecurity master's programs, teaching the kind of content most courses don't dare to cover: vulnerability analysis from binary to exploit, reverse engineering applied to real targets, and advanced malware development at kernel level.
The philosophy is simple, security professionals need to understand how attacks work from first principles, not just how to run tools. Students go from binary disassembly to building working exploits, reasoning about vulnerability classes at the architectural level.
Everything taught comes directly from active research. The same UEFI bypass chains being built in the lab appear in the classroom as part of subsequent sessions and program editions, because there is no gap between the research and the teaching.
Focused on building and analyzing full attack chains, from firmware to kernel, across Windows and Linux systems, combining vulnerability research, malware analysis and exploit development to understand how modern systems can actually be compromised. If this profile aligns with your team, research goals or technical challenges, feel free to get in touch.