About Me

A brief introduction to who I am and what drives my work.

I'm a Senior Threat Researcher at Trend Micro, working with the Philippines Threat Hunting Team. My work sits at the intersection of three areas: deep-dive threat research, operational automation, and knowledge transfer.

On the research side, I track ransomware families and APT groups, analyze their evolving tradecraft, and publish findings that help defenders worldwide. I've documented everything from novel EDR evasion techniques to cross-platform ransomware targeting critical infrastructure.

Beyond research and tool building, I train defenders internationally — from government agencies in Japan and Oman to online sessions with INTERPOL. Sharing knowledge is how we collectively raise the bar against adversaries.

What I'm Doing

Threat Research

Deep-dive analysis of ransomware families, APT campaigns, and adversary tooling. Findings are published on the Trend Micro research blog.

Security Automation

Building AI-powered tools that multiply team capability — inquiry pipelines, threat intel platforms, report generators.

International Training

Training government agencies and law enforcement across Asia, the Middle East, and online for INTERPOL.

Tool Development

10+ production tools used daily — from MCP servers and AI pipelines to desktop applications and Confluence integrations.

Experience

Present

Senior Threat Researcher

Trend Micro

Leading ransomware research, publishing threat intelligence, building automation, training international defenders

Previous

Threat Analyst

Trend Micro

Threat hunting, inquiry processing, IOC enrichment, SPOT reporting

Published Research

Threat research published on Trend Micro's research blog and X/Twitter microstories. Much of my work is internal threat intelligence under TLP:AMBER.

Thread Feb 2026

Trend AI Research Thread (Feb 2026)

X/Twitter research thread from Trend AI's dedicated research account covering multiple active ransomware campaigns and threat intelligence.

Ransomware
Thread Feb 2026

Trend AI Research Thread (Feb 2026)

Solo-authored X/Twitter research thread analyzing ransomware threat intelligence and providing tactical insights for defenders.

Ransomware
Dec 2025

PureRAT via Foxit PDF DLL Side-loading

Uncovered PureRAT targeting job seekers using renamed Foxit PDF Reader for DLL side-loading and Python-based shellcode loaders.

RAT, Social Engineering, DLL Sideloading
Oct 2025

Agenda Ransomware Deploys Linux Variant on Windows Systems

Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.

Ransomware, Cross-Platform, Defense Evasion
Oct 2025

Self-Propagating Malware Spreading Via WhatsApp

Identified an active campaign spreading self-propagating malware via WhatsApp ZIP attachments, targeting Brazilian users with persistence and account hijacking.

RAT, Social Engineering
Sep 2025

Unmasking The Gentlemen Ransomware

Analysis of a new ransomware group with adaptive defense evasion — custom-patching anti-AV tools mid-attack based on target recon.

Ransomware, BYOVD, Defense Evasion
Sep 2025

New LockBit 5.0 Targets Windows, Linux, ESXi

Technical analysis of LockBit 5.0 — cross-platform ransomware with heavy obfuscation, anti-analysis, and geopolitical safeguards.

Ransomware, Cross-Platform, LockBit
Aug 2025

New Ransomware Charon Uses Earth Baxia APT Techniques

Discovered Charon ransomware using APT-grade techniques — DLL sideloading via Edge.exe, hybrid Curve25519/ChaCha20 encryption.

Ransomware, APT Crossover, DLL Sideloading
Aug 2025

Crypto24 Ransomware Blends Legitimate Tools for Stealth

Analyzed Crypto24 ransomware group's technique of blending legitimate tools with custom malware to bypass EDR and security technologies.

Ransomware, Defense Evasion
Thread Aug 2025

Threat Intelligence Research Thread (Aug 2025)

X/Twitter research thread covering active threat campaigns and ransomware intelligence from the Trend Micro Threat Hunting Team.

Ransomware
Aug 2025

Warlock: From SharePoint Exploit to Enterprise Ransomware

Traced the Warlock ransomware campaign from initial SharePoint vulnerability exploit through lateral movement to enterprise-wide encryption.

Ransomware, Defense Evasion
Thread Jul 2025

Nitrogen Ransomware: New Threat Landscape Entry

X/Twitter thread analyzing the Nitrogen ransomware group's emergence, infection vectors, and operational characteristics.

Ransomware
Thread Jul 2025

Threat Intelligence Research Thread (Jul 2025)

X/Twitter research thread covering ransomware threat intelligence findings and tactical analysis.

Ransomware
Thread Jul 2025

Threat Intelligence Research Thread (Jul 2025)

X/Twitter research thread sharing emerging threat intelligence and analysis with the cybersecurity community.

Ransomware
Jul 2025

Proactive Security Insights for SharePoint Attacks

Provided proactive security analysis of CVE-2025-53770 and CVE-2025-53771 — SharePoint vulnerabilities enabling unauthenticated remote code execution.

Defense Evasion, Red Team Tools
Jul 2025

Revisiting UNC3886 Tactics

Revisiting the tactics of UNC3886, a China-nexus threat actor targeting network edge devices and virtualization infrastructure.

APT, China-Nexus, Espionage
Thread Jun 2025

Threat Intelligence Research Thread (Jun 2025)

X/Twitter research thread sharing threat intelligence findings and analysis from the Trend Micro Threat Hunting Team.

Ransomware
May 2025

Agenda Ransomware Adds SmokeLoader and NETXLOADER

Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.

Ransomware, Defense Evasion, Cross-Platform
Apr 2025

CrazyHunter Targets Taiwanese Critical Sectors

Identified CrazyHunter targeting Taiwanese healthcare and education using 80% open-source tooling and BYOVD attacks.

Ransomware, Taiwan, BYOVD
Mar 2025

AI-Assisted Fake GitHub Repos Distribute LummaStealer

Uncovered AI-generated fake GitHub repositories distributing SmartLoader and LummaStealer through convincing but malicious code projects.

Social Engineering, RAT, Defense Evasion
Thread Mar 2025

Agenda Ransomware Adopts TrueSightKiller for EDR Evasion

X/Twitter thread detailing how Agenda ransomware operators adopted TrueSightKiller, a BYOVD tool, to disable endpoint security products.

Ransomware, BYOVD, EDR Evasion
Thread Mar 2025

SmokeLoader Deploys W3CryptoLocker Through Steganography

X/Twitter thread analyzing SmokeLoader's use of steganography techniques to deliver W3CryptoLocker ransomware payloads while evading detection.

Ransomware, Defense Evasion
Thread Jan 2025

Morpheus Ransomware's Red Pill Strategy vs EDR

X/Twitter thread on Morpheus ransomware's advanced EDR evasion techniques and its 'Red Pill' strategy for bypassing endpoint detection.

Ransomware, EDR Evasion
Thread Nov 2024

Evolving Agenda Ransomware: .NET Arsenal Expansion

X/Twitter thread analyzing Agenda (Qilin) ransomware's evolving .NET-based toolkit and expanding cross-platform capabilities.

Ransomware, Cross-Platform
Oct 2024

EDRSilencer Disrupting Endpoint Security

First to document EDRSilencer weaponized in the wild — a red team tool using Windows Filtering Platform to blind EDR solutions.

Red Team Tools, EDR Evasion, WFP
Thread Oct 2024

MedusaLocker Ransomware's Three-Pronged Attack Strategy

X/Twitter thread detailing MedusaLocker ransomware's multi-vector attack strategy combining encryption, data theft, and extortion.

Ransomware, Defense Evasion
Thread Jul 2024

Play Ransomware's Linux Variant Targets ESXi

X/Twitter thread on the discovery of Play ransomware's first Linux variant targeting ESXi virtualization environments.

Ransomware, Cross-Platform
Jul 2024

Play Ransomware Linux Variant Targets ESXi

First discovery of Play ransomware's Linux variant targeting ESXi, with infrastructure ties to Prolific Puma link-shortening service.

Ransomware, Cross-Platform, Defense Evasion
Mar 2024

Multistage RA World Ransomware

Analyzed RA World using GPO-distributed payloads, Safe Mode abuse for defense evasion, and Babuk-derived encryption.

Ransomware, GPO Abuse, Safe Mode
Thread Jan 2024

Werewolves Ransomware: A New Breed of Threat

X/Twitter thread analyzing the Werewolves ransomware group's emergence, tactics, and impact on targeted organizations.

Ransomware
Nov 2023

Cerber Ransomware Exploits Atlassian Confluence CVE-2023-22518

Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.

Ransomware, Defense Evasion

Tools & Automation

Production systems used daily by our threat hunting team — not side projects, operational infrastructure.

TITAs

Threat Inquiries Triage & Automation

Production

AI-powered 9-phase pipeline automating the entire threat inquiry lifecycle: intake, OSINT, IOC enrichment, response generation, visual creation, and documentation publishing.

Reduced inquiry response time from hours to minutes
Python, Claude AI, VirusTotal API, Confluence API

Skadi

Threat Intelligence Platform

Production

Full-featured Streamlit platform for threat analysis, URL reputation lookups, AI-powered intelligence assessment, and automated Confluence documentation.

Unified TI workflow for the entire team
Python, Streamlit, Azure OpenAI, Confluence API

SPOT Report Engine

Automated Report Generation

Production

AI agent system that transforms raw threat intelligence into structured SPOT reports and publication-ready blog articles with auto-redaction.

Standardized reporting across the threat hunting team
Claude AI, Markdown, Obsidian, MCP

Confluence Tools Suite

13+ Automation Tools

Production

Collection of 13+ tools for RAG-powered report generation, malware-as-a-service analysis, PowerPoint analysis, AI chatbot, BEC investigation, and log analysis.

Eliminated repetitive documentation tasks
Python, Azure OpenAI, Confluence API, RAG

OpenCTI MCP Server

Threat Intelligence Integration

Production

Model Context Protocol server connecting AI assistants directly to OpenCTI threat intelligence platform for natural language queries against indicators and campaigns.

Bridged AI tooling with production threat intel
Python, FastMCP, pycti, OpenCTI

Claude Code Desktop

AI Development Environment

Active Dev

Desktop GUI wrapping Claude CLI with autonomous pipeline orchestration, multi-model routing across 70+ models from 5 providers, and SQLite-backed sessions.

Personal dev environment for AI-assisted security research
Node.js, Express, WebSocket, xterm.js, SQLite

Built for the team, used every day

Every tool here was born from a real workflow pain point. Together they save our team hundreds of hours per month on inquiry processing, report generation, and threat enrichment.

Speaking & Training

International cybersecurity trainer for government agencies and law enforcement. I don't just find threats — I teach others how to defend against them.

Advanced Threat Defense & Malware Analysis

Training

Government Agency — Japan

Multi-day hands-on training covering advanced persistent threats, malware analysis techniques, and enterprise defense strategies.

Cybersecurity Training for Government

Training

Government Agency — Oman

Cybersecurity training program covering threat detection, incident response, and security operations for government personnel.


Cybersecurity Training Program

Training

INTERPOL — Online

Online training sessions with INTERPOL on cybersecurity techniques, threat intelligence sharing, and cross-border cyber investigation.

Cybersecurity Conference Presentations

Speaker

Various Conferences — Multiple

Speaking engagements at cybersecurity conferences covering ransomware trends, threat hunting methodologies, and adversary tradecraft.

Global Reach

Training delivered across Asia, the Middle East, and online for international law enforcement.

5+ countries, government agencies, INTERPOL partner