Profile Offensive Research Papers Talks Vulnerabilities Training Contact
// OFFENSIVE SECURITY RESEARCH & REVERSE ENGINEERING

THE
MALWARE
GUARDIAN

Security researcher focused on APT emulation, reverse engineering, vulnerability analysis and advanced malware engineering. Deep expertise in UEFI bootkit development, kernel-level rootkits, firmware attack surface analysis and exploit development grounded in real-world vulnerability chains and full infection workflows.

UEFI
Bootkits & Firmware Exploitation
KERNEL
Windows & Linux Internals
CVE
Research & Exploit Development
APT
Adversary Simulation
TheMalwareGuardian
TMG
About

RESEARCHER
PROFILE

Alejandro Vazquez Vazquez is a security researcher operating under the handle TheMalwareGuardian, with a focus on APT emulation, reverse engineering, and advanced malware development for red team operations and adversary simulation.

In his day-to-day work, he focuses on dissecting vulnerabilities as they appear in real-world infection chains, from UEFI firmware exploitation and pre-boot persistence, through kernel-mode and userland vulnerabilities on both Windows and Linux, to developing exploits aligned with real-world attack scenarios.

This work has led him to present his research at DEF CON, as well as to actively contribute to DEF CON groups and the wider cybersecurity community. Along the way, he has disclosed multiple CVEs and developed several tools, research projects and technical publications, all centered around real-world offensive techniques and full infection chains.

In addition to his primary professional role, he also serves as an instructor in postgraduate cybersecurity master's programs, where he teaches vulnerability analysis, exploit development and reverse engineering, bringing real-world research directly into the classroom and helping prepare the next generation of cybersecurity professionals.

Full Profile → LinkedIn

Expertise

CORE
CAPABILITIES

🔬
Reverse Engineering
Deep binary analysis across Windows and Linux systems, covering firmware, drivers, malware and closed-source software.
🔍
Vulnerability Research
Discovery and analysis of vulnerabilities across firmware, operating systems and applications, with focus on real-world attack surfaces.
💣
Exploit Development
Development of reliable exploits aligned with real-world attack scenarios, from memory corruption to full infection chain execution.
🎯
APT Emulation
End-to-end adversary simulation, including implant development, persistence techniques, evasion strategies and C2 integration.
🔴
Bootkit Development
UEFI bootkits for Windows and Linux, implementing pre-boot persistence and kernel control through firmware-level manipulation.
🖥
Kernel Rootkits
Kernel-mode implants for Windows and Linux, including DKOM, WFP/WSK and ftrace-based / eBPF techniques for stealth and control.
🌐
Infrastructure Pentesting
Internal and external assessments simulating breach scenarios, covering the full attack path from initial access to post-exploitation.
📚
Training
Delivery of advanced cybersecurity training focused on vulnerability analysis, exploit development and offensive techniques.
Original Research

NEVER SEEN
BEFORE

Among all public research and open-source projects, these stand out as techniques / malware nobody had published before, full attack chains from UEFI firmware to kernel, now available to the community on GitHub.
01 / 05
⬡ Windows
ABYSS
Windows UEFI Bootkit
UEFI bootkit targeting Windows. Hooks ImgArchStartBootApplication inside the Windows Boot Manager to intercept boot application startup, then targets the OS loader by patching OslFwpKernelSetupPhase1 and leveraging BlImgAllocateImageBuffer to prepare memory for a kernel-mode driver payload. Once execution reaches the NT kernel, it tampers with Code Integrity mechanisms through CI.dll, affecting routines related to SepInitializeCodeIntegrity, enabling execution prior to full OS security initialization.
ImgArchStartBootApplication OslFwpKernelSetupPhase1 BlImgAllocateImageBuffer SepInitializeCodeIntegrity CI.dll
GitHub →
02 / 05
⬡ Linux
ANTARCTIC
Linux UEFI Bootkit
UEFI bootkit targeting Linux. Hooks grub_efi_start_image within the GRUB EFI stage to intercept the loading of the compressed linux kernel (vmlinuz), while patching grub_verifiers_open to bypass shim-based Secure Boot enforcement. It then targets the kernel decompression stage by intercepting ZstdDecompressDctx and unzstd, enabling controlled modification of the kernel image before execution. Once the kernel is unpacked, it patches module_sig_check to allow loading of unsigned LKMs prior to full security initialization.
grub_efi_start_image grub_verifiers_open ZstdDecompressDctx unzstd module_sig_check
GitHub →
03 / 05
⬡ Windows
BENTHIC
Kernel Mode Driver
Windows kernel-mode rootkit designed to operate as a post-boot payload within the ABYSS bootkit chain. Implements DKOM for process and object concealment, Minifilter-based techniques to hide files and directories, and Keyboard Filtering for low-level input capture. At the network layer, leverages WFP (Windows Filtering Platform) for traffic control and WSK (Winsock Kernel) to establish kernel-level command-and-control communication channels, enabling persistent and stealthy attacker interaction.
DKOM Minifilter Keyboard Filtering WFP WSK
GitHub →
04 / 05
⬡ Linux
GILLYWEED
Loadable Kernel Module
Linux LKM rootkit designed to operate as a post-boot payload within the ANTARCTIC bootkit chain. Implements ftrace-based syscall hooking to intercept execution flow, targeting getdents64 and kill for file and process concealment. Stealth capabilities are extended by patching tcp4_seq_show and inet_sk_diag_fill to hide active network connections, while leveraging dynamic symbol resolution via kallsyms_lookup_name. Provides a userspace control interface through IOCTL for runtime management.
ftrace kallsyms_lookup_name getdents64 tcp4_seq_show inet_sk_diag_fill
GitHub →
05 / 05
⬡ Linux
LIMINALIS
eBPF Offensive Framework
eBPF-based offensive framework operating at kernel level without traditional module loading. Uses kprobes, tracepoints, LSM hooks and XDP programs to intercept process execution, file access and network activity. Supports runtime control via eBPF maps, enabling dynamic policy updates without redeployment. Includes hooks on syscall entry points such as sys_enter_openat and sys_enter_execve, as well as packet filtering at XDP level for high-performance network control.
kprobes tracepoints LSM hooks XDP eBPF maps
GitHub →
Publications

RESEARCH
PAPERS

📄 RESEARCH PAPER
Exploiting UEFI Attack Surfaces to Bypass Secure Boot and Subvert Kernel Integrity in Windows and Linux
A deep dive into the offensive side of the UEFI trust chain, exploring how real-world vulnerabilities and design weaknesses can be combined to bypass Secure Boot and compromise kernel integrity on both Windows and Linux systems. The paper walks through practical exploitation paths, from firmware-level primitives such as NVRAM variable abuse and Security2 protocol corruption, to full bootkit-based control over the operating system.
Key Topics
UEFI trust chain and Secure Boot internals NVRAM variable shadowing and firmware abuse Security2 protocol corruption Platform key trust breakdown Bootkit-based compromise of Windows and Linux Kernel integrity subversion on fully patched systems
Read Paper →
📄 RESEARCH PAPER
Designing and Implementing UEFI Bootkits to Hijack the Boot Process and Subvert Kernel Integrity on Windows and Linux
A practical, implementation-focused study on building fully functional UEFI bootkits from the ground up. Rather than high-level theory, this work documents the actual engineering behind boot flow hijacking, Secure Boot bypass strategies, and kernel-level control on both Windows and Linux, based on the development of real-world bootkits.
Key Topics
UEFI boot flow and DXE/BDS execution model EFI application hooking and Boot Services interception Secure Boot bypass via bootloader manipulation Windows boot chain (bootmgfw → winload → kernel) subversion Linux boot chain (GRUB → shim → vmlinuz →vmlinux) hijacking Post-boot persistence and firmware ↔ kernel interaction
Read Paper →
Public Appearances

TOP
TALKS

OFF BY ONE SECURITY · EP. 3 · Jul 2026
Off By One Security - Building the First Public Linux UEFI Bootkit Framework
For years, Linux UEFI bootkits have largely existed as theory, analysis, and scattered proof-of-concepts. In this stream, Alejandro Vazquez walks through the development of what may be the first publicly released Linux UEFI bootkit framework, including the research behind it, how it works, how it can be installed through publicly disclosed UEFI vulnerabilities, and what it means for defenders, researchers, and adversary emulation. Beyond the bootkit itself, the stream will also include the public release of a Linux kernel rootkit, scripts for setting up a complete research environment for Linux kernel and boot process analysis, and multiple standalone proof-of-concepts designed to explain each technique in isolation before combining them into a complete bootkit. From kernel-mode techniques to the hooking and patching mechanisms used to modify the Linux boot chain, every step will be broken down to help researchers understand how modern Linux bootkits are developed. The complete framework, source code, supporting tooling, research paper, and a unique learning resource designed to help beginners take their first steps into UEFI bootkit and kernel rootkit development will all be released publicly for the community.
Linux UEFI Bootkit UEFI Exploitation Kernel Module Rootkit Linux Boot Chain
DEF CON GROUPS · DCG-518 (NY) · DCG-862 (NJ)
The Path That Leads to Your First CVE
A session delivered to DEF CON Groups DCG-518 (Albany, NY) and DCG-862 (Parsippany, NJ) focused on the reality of vulnerability research and the different paths that can lead to a first CVE. The initial version, delivered to DCG-518, introduced the core idea behind this work: there is no universal methodology for discovering vulnerabilities, only the path that aligns with individual curiosity and technical interests. Rather than presenting a checklist, it explored multiple real entry points into vulnerability research, including web application analysis, source code review, reverse engineering of legacy software and even malware analysis as a pathway to uncovering previously unknown vulnerabilities, while also addressing the CVE reporting process, from initial discovery to vendor communication and coordination with CNAs. The iteration for DCG-862 expanded on this foundation by reinforcing reverse engineering as a viable and often overlooked path, supported by additional resources and practical perspectives, particularly from a beginner standpoint, showing how it can serve as a realistic entry point into vulnerability research. Across both sessions, the emphasis remained on a single idea: meaningful vulnerability research does not come from following predefined steps, but from going deep into a field that genuinely interests you. The CVE itself is not the objective, but a natural outcome of sustained curiosity, technical depth and real understanding of how systems behave, and fail.
DCG-518 DCG-862 Vulnerability Research Reverse Engineering Responsible Disclosure
Private Sessions · Materials available on GitHub →
OFF BY ONE SECURITY · EP. 2 · Nov 2025
Off By One Security - Emulating APTs: Building and Deploying Bootkits & Rootkits
Building on the initial session, this two-hour hands-on episode focused on the practical deployment of bootkits and rootkits within realistic environments, aligning the workflow with real-world adversary tradecraft. After a brief conceptual introduction, the session moved directly into execution, walking through the setup required to operate these implants in a controlled lab and showing how to configure an environment capable of running the bootkit with protections such as Secure Boot enabled, allowing the preparation of reproducible scenarios without relying on vulnerability exploitation. As the environment was established, the source code was examined in context, highlighting the adaptations required to maintain compatibility across different operating systems and configurations, which naturally led into the deployment phase within isolated virtual machines equipped with modern NGAV and EDR solutions, including CrowdStrike, where it became possible to observe how activity originating from early boot stages can remain outside the visibility of conventional security controls. This progression provided a practical, end-to-end view of how these techniques can be used to emulate advanced threat scenarios, from initial setup and deployment through to sustained kernel-level control.
APT Emulation Bootkit Deployment EDR Evasion Env Setup Live Demo
Off By One Security EP2 - Emulating APTs
▶ WATCH EPISODE
OFF BY ONE SECURITY · EP. 1 · Oct 2025
Off By One Security - UEFI Bootkits & Kernel-Mode Rootkits Development
Building on the material presented at DEF CON 33, this two-hour hands-on session focused on the practical implementation of UEFI bootkits and kernel-mode rootkits, walking through the resources and workflow step by step. Bootkits and rootkits represent some of the most complex and stealthy forms of malware, capable of achieving control both before and after the operating system is loaded. The session provided a practical introduction to how these implants are actually built, how their components interact, and how execution flows across boot stages and kernel space. The internals of a fully functional UEFI bootkit and kernel-mode rootkit were explored, including their modular design and the mechanisms used to hook critical parts of the Windows boot chain. The session also covered how these implants operate across pre-boot and post-boot phases, from early firmware-level capabilities to deep kernel control, including techniques for hiding files, processes and network activity, filtering traffic, capturing input and maintaining communication from kernel space. The full workflow was demonstrated step by step, from source code to execution, providing a concrete view of how these components behave in a real environment.
UEFI Bootkit Kernel Rootkit Boot Chain Hooking Hands-on Live Demo
Off By One Security EP1 - UEFI Bootkits and Kernel-Mode Rootkits
▶ WATCH EPISODE
ROOTEDCON MADRID · 2024 · 2025 · 2026
Bootkits Forever - Three Years of Offensive Research at RootedCON
A three-year research arc at RootedCON Madrid, each edition building directly on the last. 2024 - "At the Roots of Evil: A Deep Dive into UEFI Bootkit Development", explored the construction of a UEFI bootkit from the ground up, including boot process interception across the Boot Manager, OS loader and NT kernel, early-stage Driver Signature Enforcement bypass, and lesser-discussed techniques such as payload staging during the boot phase itself. 2025 - "From Deep Within the Kernel: How to Build an Invisible Rootkit on Windows", extended that foundation into kernel space, presenting a fully functional Windows rootkit with capabilities such as DKOM-based stealth, keyboard filtering, minifilter-driven file concealment, and network control via WFP and WSK, with all components demonstrated live in a controlled environment. 2026 - "Bootkits Forever: APT Emulation in Red Team Operations", brought the full chain together in a realistic adversary simulation: the bootkit was used live to deploy a kernel-mode ransomware payload that encrypted a machine end-to-end, evading CrowdStrike and modern EDR/NGAV solutions throughout, a complete APT emulation from firmware infection to full system compromise.
RootedCON UEFI Bootkit Kernel Rootkit Kernel Ransomware CrowdStrike Bypass APT Emulation EDR Evasion Live Demo
Vulnerability Research

CVEs &
EXPLOIT DEV

▸ Disclosed Vulnerabilities
CVE ID Vulnerability Target Type Reference
CVE-2025-41090
Broken Access Control in microCLAUDIA
Improper access control in the CCN-CERT anti-ransomware platform, allowing unauthorized access to restricted functionality and actions.
microCLAUDIA · CCN-CERT ACCESS CTRL GitHub →
CVE-2021-27289
Zigbee Replay Protection Bypass
Replay protection bypass affecting Ksix Zigbee smart devices, allowing forged or replayed messages to alter the perceived device state.
Zigbee Protocol · IoT Devices REPLAY ATTACK GitHub →
CVE-2025-70330
File Parsing Vulnerability in Easy Grade Pro
Improper file parsing leading to memory corruption conditions during file processing, potentially affecting application stability.
Easy Grade Pro · Legacy Software FILE PARSING GitHub →
▸ Exploits Developed for Known CVEs
Note: In professional contexts such as red team engagements, exploit development is often performed under restricted conditions and cannot be publicly disclosed. The vulnerabilities shown here represent personal research, where I have independently developed exploitation approaches outside of those limitations.

CVE ID Vulnerability Target Type Reference
CVE-2026-5281
Chrome - Use-After-Free
Use-after-free in Dawn (Google Chrome) allowing a compromised renderer process to achieve arbitrary code execution via a crafted HTML page
Google Chrome · Browser UAF RCE GitHub →
CVE-2025-4275
Hydroph0bia - Secure Boot Bypass
Improper validation of NVRAM variable attributes enables signature verification bypass and execution of unsigned UEFI code under Secure Boot
UEFI Secure Boot SECURE BOOT GitHub →
CVE-2025-3052
IhisiParamBuffer - Arbitrary Write
Arbitrary write vulnerability in Microsoft-signed UEFI firmware enabling controlled memory modification and execution of untrusted code
UEFI Firmware FW WRITE GitHub →
CVE-2025-0288
Paragon Driver - Arbitrary Kernel Write
Improper input validation in biontdrv.sys allows arbitrary kernel memory writes via memmove, leading to privilege escalation
Paragon Software · Kernel Driver KERNEL WRITE GitHub →
CVE-2024-30051
Windows DWM - Heap Overflow (LPE)
Heap-based memory corruption in the Desktop Window Manager Core Library leading to local privilege escalation
Windows · DWM HEAP LPE GitHub →
Training

INSTRUCTOR &
ADVANCED TRAINING

Alejandro also serves as an instructor in postgraduate cybersecurity master's programs, teaching the kind of content most courses don't dare to cover: vulnerability analysis from binary to exploit, reverse engineering applied to real targets, and advanced malware development at kernel level.

The philosophy is simple, security professionals need to understand how attacks work from first principles, not just how to run tools. Students go from binary disassembly to building working exploits, reasoning about vulnerability classes at the architectural level.

Everything taught comes directly from active research. The same UEFI bypass chains being built in the lab appear in the classroom as part of subsequent sessions and program editions, because there is no gap between the research and the teaching.

Curriculum

CORE
MODULES

01
Vulnerability Analysis & Research
Systematic approaches to finding vulnerabilities in binaries, firmware and protocols, from static analysis to dynamic fuzzing and root-cause identification.
02
Exploit Development
Building working exploits from identified vulnerabilities, memory corruption, control flow hijacking and privilege escalation chains on modern targets.
03
Reverse Engineering
Binary analysis across firmware, kernel and userland components, focusing on reconstructing program logic and understanding execution flow in complex real-world systems..
04
Advanced Malware Development
Malware engineering for red teams: persistence mechanisms, rootkit techniques, evasion and building tools that emulate real threat actor TTPs at kernel level.
Contact

GET IN
TOUCH

Focused on building and analyzing full attack chains, from firmware to kernel, across Windows and Linux systems, combining vulnerability research, malware analysis and exploit development to understand how modern systems can actually be compromised. If this profile aligns with your team, research goals or technical challenges, feel free to get in touch.

Message

SEND A
MESSAGE