Plus: Red Hat compromise, AI support bot abuse ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­    ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­  
Zero Trust Weekly

This week in Zero Trust

AI is as useful as it is dangerous

Estimated reading time: 5-6 minutes

 

In this issue:

  • LLMShare campaign abuses Google Ads and ChatGPT
  • The growing threat of business email compromise
  • Your complete guide to ISO 27001
  • Threats you need to know: Attackers trick AI support bot and Miasma variant of Mini Shai-Hulud
  • Where to meet the ThreatLocker team 
  • Latest issue of Cyber Hero Frontline is out now
View in browser

Manage preferences

From the CEO

CEOs now agree: Cyber risk is a business problem

 

"New data from The Conference Board and The Business Council shows 65% of blue-chip CEOs now rank cyberattacks as a top business risk, outpacing every other threat category. That's up from 56% just one quarter ago. Cybersecurity now ranks ahead of inflation, geopolitical instability, trade disruptions, and broader economic uncertainty risks. For years, cybersecurity professionals have argued that cyber risk is a business problem, not just an IT problem. Based on this data, CEOs now strongly agree."  - Danny Jenkins

From the ThreatLocker blog

LLMShare, business email compromise, and ISO 27001 guide

 

LLMShare campaign abuses trust in ChatGPT

Attackers exploit ChatGPT's conversation sharing feature

  • What's happening: The LLMShare campaign is a malvertising campaign that abuses Google Ads to send users searching for ChatGPT to a malicious page hosted on chatgpt.com. Clicking on the ad took users to a legitimate chatgpt.com/s/ URL, a shared content link from OpenAI which displayed a fake outage notice, and encouraged users to download the desktop app instead. Push Security noted the fake outage notice was generated from custom HTML and CSS rendered by a ChatGPT prompt, making it a web page inside a web page.
  • Why it matters: The domain belongs to OpenAI, so reputation-based controls and domain-focused rules are less likely to flag the content as suspicious. The infrastructure was also designed to evade vulnerability scanners. When tools like URLScan visited the site, they were directed to a harmless website. Real users on the other hand were directed to the malicious content. 
  • The big picture: Trust is a liability, and attackers will exploit it wherever possible. That is why Zero Trust focuses on what can execute, not only where it originates. 
    See how Zero Trust could stop the LLMShare campaign.

How to protect your organization from business email compromise (BEC)

What makes BEC unique and devastating

  • What's happening: BEC is one of the most financially devastating cyberattacks, and the fact that attacks often originate from legitimate accounts makes it especially dangerous. BEC attacks often involved executive impersonation and fraudulent invoices. They are more targeted than phishing campaigns and rely on deception and urgency rather than malware deployment. Common indicators include urgent payment or wire transfer requests, contact outside business hours, and instructions to bypass standard approvals.
  • Why it matters: Remote work and the reliance on cloud email platforms have made BEC more successful and more profitable for attackers compared to technical exploits. Attackers are exploiting people more than software. 
  • The big picture: Containing BEC requires Zero Trust. Training employees to recognize common threats is not enough in the face of AI-generated, highly personalized phishing emails or voice phishing attacks. 
    How Zero Trust can help contain BEC.

ISO 27001 compliance and certification requirements explained

Who needs it and how to get certified

  • What's happening: ISO 27001 is a globally recognized framework for information security. It is a risk-based standard that instructs companies to assess their specific risks and apply the controls that apply most directly. Companies maintain compliance internally by following the standard's rules, and to achieve certification, an accredited third-party auditor must review your Information Security Management System (ISMS). Finance and healthcare organizations often use ISO 27001 as the foundation of their legal requirements, and SaaS companies often need certification to work with enterprise organizations.
  • Why it matters: Being ISO 27001 certified, rather than just compliant, offers a competitive advantage. It signals to prospects and customers that you take security seriously, and it can reduce friction in sales cycles. ISO 27001 also maps cleanly to GDPR, CCPA, HIPPA, and NIST CSF, reducing compliance effort. 
  • The big picture: While customers and partners want to see certifications like ISO 27001, attackers don't care. Obtaining ISO 27001 certification is a long, complicated process, but defense doesn't stop once it's achieved. 
    Your complete guide to ISO 27001 compliance and certification.

Zero Trust World 2027

Zero Trust World isn't your average cybersecurity conference. At ZTW27, you'll get:

  • More hands-on labs, learning experiences, and CPE credit opportunities 

  • The industry's leading speakers, podcast hosts, and hackers 
  • Networking with 2,000+ security and IT professionals

Join us February 17-19 at Loews Universal Orlando:

Secure your spot for ZTW27

Hotel booking info to be announced in the coming weeks.

 

 

Threats you need to know

Attackers manipulate AI and Mini Shai-Hulud is back again

 

Attackers manipulate Meta's AI support to compromise accounts

AI support bot is easily fooled

  • What's happening: Instructions on how to trick Meta's AI support assistant recently circulated on Telegram, and shortly after, the official Instagram accounts for the Obama White House and Chief Master Sergeant of the U.S. Space Force were compromised. The exploit is remarkably simple. The attack involved a VPN connection and IP address in or near the target's location, requesting a password reset, and telling the support bot to send the reset code to a new email. Meta announced that the issue was resolved and no back-end database was breached. 

  • Why it matters: AI support bots are heavily used in the context of account recovery, both on social media and elsewhere, and this incident highlights how they can be socially engineered just as easily as people. 
  • The big picture: Maintaining control and visibility into AI tools remains a weak point for many organizations, and its importance grows daily. 

Miasma campaign compromises Red Hat packages

@redhat-cloud-services packages backdoored with credential-stealing worm

  • What's happening: On June 1, multiple packages under the Red Hat npm namespace were backdoored to target npm tokens, GitHub tokens, cloud credentials, and secrets. The campaign, codenamed Miasma, closely resembles the Mini Shai-Hulud project from TeamPCP. Red Hat confirmed the compromise affected hundreds of Node.js components but stated that no compromised versions are used by any Red Hat software. 

  • Why it matters: It is not yet known who is behind the attack. TeamPCP open-sourced attack tools linked to the Shai-Hulud worm making it easier for threat actors to replicate similar attacks and harder for defenders to identify them. Evolving from previous versions, this malware has been found to generate a uniquely encrypted payload for each infection, making detection and tracking more challenging.

  • The big picture: This is a notable evolution in the cybercrime ecosystem where threat actors learn from previous campaigns and modify them to evade defenses. It also highlights a growing trend of attacking CI/CD pipelines, workflows, and more processes that support enterprise and Dev/Ops environments.
    Read the full Miasma threat analysis from ThreatLocker Threat Intelligence.

ThreatLocker events

Meet the Cyber Hero Team in person at these upcoming events

  • Identiverse | June 15-18
    Las Vegas, Nevada
  • Kaseya DattoCon Europe | June 16–18
    Prague, CZ
  • RMISC | June 23-25
    Denver, Colorado
  • SANSFIRE | July 14–15
    Washington D.C.
  • Black Hat USA | August 1–6
    Las Vegas, Nevada
  • Technology in Government | August 4–5
    Canberra, AU
See more upcoming events
Cyber Hero Frontline, a magazine by ThreatLocker

Cyber Hero Frontline has a simple goal: Cut through the noise and focus on what Zero Trust looks like in practice.

 

The latest print edition of Cyber Hero Frontline is currently being shipped, and you can request your copy or read the digital version now:

Get the next issue of Cyber Hero Frontline
ThreatLocker: Zero Trust Platform | Zero Trust Weekly

ThreatLocker, 1901 Summit Tower Blvd, Orlando, Florida 32810, United States

Manage preferences

Connect with us

                             

©2026 ThreatLocker Inc., All Rights Reserved