Think consolidation when building your security approach
"When you simplify your stack and take control of what’s allowed to run, what can interact, and what has access, you are executing on a sustainable and proactive approach. Attacking speed and scale might continue to grow, but as long as you’re emphasizing control, you will significantly reduce the impact of emerging risks." - Danny Jenkins
From the ThreatLocker blog
Best practices, threat hype, and the business of cybercrime
What's happening: Cyber threats are increasing in number and becoming more varied, leading more professionals to adopt a proactive mindset. Some of the best strategies you can implement are to adopt a default-deny approach to all applications and processes, enforce least privilege access, segment your network, and deploy regular patching and updates.
Why it matters: As threats continue to evolve, relying on detection to catch known malware or suspicious behavior does not offer enough protection. Taking a proactive approach improves resilience against malware and limits the effectiveness of zero-days.
The big picture: Zero Trust is the most straightforward path to gaining control and security over your environment, and setting proactive controls is effective without being disruptive. Get the full list of proven cybersecurity best practices.
What's happening: Kim Dvash, Offensive Security Team Leader for Israel Aerospace Industries, released a proof-of-concept tool called GhostLock. He claims the GhostLock technique can "lock every file on an enterprise file server" without malware deployment, encryption, or admin writes. However, research found that classifying GhostLock as "ransomware-equivalent" does not hold up, because the damage caused by GhostLock disappears once the offending session is terminated. The paper also claims GhostLock is undetectable; in reality, it is visible but did not produce alerts during tests.
Why it matters: The GhostLock paper revealed actionable findings, but they are not novel, and the dangers posed by the tool are relatively easily debunked. The strongest points GhostLock demonstrates are that a well-understood OS behavior can be automated at scale and that storage telemetry is under-instrumented.
The big picture: Threat intelligence should be grounded in evidence, not headlines. While every claim should be investigated, defenders need to separate real operational risk from hype-driven tactics. See what GhostLock actually does.
Forums, marketing channels, phishing-as-a-service, and more
What's happening: Cybercrime has increased largely because it has been built to operate like a business itself. It relies on underground forums where criminals sell and trade tools and stolen data, malware-as-a-service that allows less-skilled attackers to deploy advanced attacks, and Initial Access Brokers who do the work of gaining access and later sell it to other criminals. As cybercrime evolves, the cybercrime economy becomes more organized, targeted, and financially successful.
Why it matters: The distribution, accessibility, and scale of cybercrime have made it easier for threat actors to cause disruption and increased the speed and volume of attacks, while countermeasures are often slower to develop.
The big picture: The evolution of the cybercrime economy shows attackers remain adaptable, capable, and unpredictable. Zero Trust is the strongest countermeasure even when cyberattacks are deployed successfully and at great speed and scale. Explore the business model behind modern attacks.
Watch now: See how granular admin controls stop privilege escalation
Watch a demo of the MiniPlasma zero-day and learn the cyber risks involved with excessive privileges and how you can control them without disrupting daily operations.
Coming up: MFA is not enough: How to stop phishing and session hijacking attacks
To stop phishing and session hijacking attacks, you need more than MFA. Join us Tuesday, June 16 to learn how to overcome MFA vulnerabilities and render stolen credentials ineffective.
The vulnerability was initially identified in 2020
What's happening: MiniPlasma is the latest Windows zero-day exploit released by a researcher known as Chaotic Eclipse. It can escalate privileges to SYSTEM on fully patched Windows 11 systems running the latest May 2026 updates. There is currently no official patch. The exploit targets CVE-2020-17103, a flaw originally reported and supposedly patched in 2020. Chaotic Eclipse stated the original proof-of-concept code worked without modifications. ThreatLocker research showed the exploit payload is blocked with Allowlisting enabled.
Why it matters: This is the sixth exploit recently released by Chaotic Eclipse, and the first three (BlueHammer, RedSun, UnDefend) have been confirmed to have been exploited in real attacks after disclosure. The window between disclosure and weaponization is very short.
The big picture: With no patch available, the most effective mitigation is to simply block any unauthorized executables from running with a default-deny allowlisting policy. You can also configure your EDR to monitor for modifications to specific registry paths. Get the registry keys and ThreatLocker Community policy.
What's happening: The Mini Shai-Hulud worm has been deployed again in a widespread supply chain attack, this time originating from the @antv npm ecosystem. Hundreds of packages have been compromised to spread malicious files and steal and exfiltrate secrets. The worm avoids detection because the malicious code executes before the legitimate package installs, allowing users to receive the expected tools while the malware runs silently in the background.
Why it matters: The popularity of the compromised packages likely means thousands of downstream users will be quietly compromised as well. Supply chain attacks have been highly impactful in recent months. This event uses the same tactic to breach large subsets of users in a short amount of time, and its effectiveness has been proven beyond any doubt.
The big picture: With attackers shifting their focus to pushing malware through trusted sources, developers and users cannot simply update packages blindly. Patches should be tested in a controlled environment before being deployed. Read the full analysis from ThreatLocker Threat Intelligence.
ThreatLocker events
Meet the Cyber Hero Team in person at these upcoming events
Dublin Tech Summit | May 27-28 | Dublin
Gartner Security & Risk Management | June 1-3 | Washington D.C.