"Everything we do is with a matter of urgency. So if you don't have this teamwork where people are willing to get on a call at 2 a.m. and help each other and collaborate, then it doesn't work." - Danny Jenkins, ThreatLocker CEO & co-founder
What happened: A former Hixon Holdings, Inc. employee alleges sensitive information (including dependents' data) was accessed during a Nov. 2024 breach. Breach notices were not sent until almost a year later, and employees were allegedly told that their info was not affected.
Why it matters: Courts evaluate not just technical protections but also incident response: speed, transparency, accuracy, and whether notices were sent "without unreasonable delay."
Key takeaways: Breach detection and investigation cannot be separated from communication, premature assurances are risky, corrections matter, and delays can impact liability.
What you need to know: One control point attackers increasingly use is running virtual machines locally on a compromised host, which gives them an isolated environment that many defenses cannot see into. Nearly all of the malicious activity happens inside the virtualized guest operating system, so most EDR products see nothing unusual on the host.
Why it matters: Most threat detection engines in EDR and XDR only have visibility into host operating systems, so a more proactive approach is needed.
What you can do: Block Hyper-V by default and block all other virtualization tools unless explicitly approved.
What you need to know: NetSupport RAT is unusual among RATs: it began life as NetSupport Manager, a legitimate tool that malicious actors repurposed, and it still carries a valid certificate, which lets it pass certificate checks.
Why it matters: ClickFix-style attacks are becoming more prominent, but they can only succeed when the victim cooperates. Proper user training and security controls prevent these attacks from the start.
What you can do: Implement policies to capture specific commands—such as the deletion of "RunMRU"—to protect your environment from multi-stage attacks.
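As an added example (not ThreatLocker's code), the two "What you can do" items above rendered as detection logic in Python: it flags virtualization-tool launches on hosts that are not on an approval list and captures command lines that delete the RunMRU key, run over constructed process-creation records. The process names, hostnames and record format are assumptions.

```python
import re
# Process names of common virtualization tooling. Assumption: extend to your fleet.
VIRT_PROCESSES = {
    "vmwp.exe", "vmconnect.exe",                  # Hyper-V worker / console
    "vboxheadless.exe", "virtualboxvm.exe",       # VirtualBox
    "vmware-vmx.exe", "qemu-system-x86_64.exe",   # VMware / QEMU
}
# Hosts explicitly approved to run VMs (assumption: a constructed allowlist).
APPROVED_VM_HOSTS = {"BUILD-VM-01"}

# RunMRU holds the Run-dialog history under HKCU; match reg.exe and PowerShell deletes.
RUNMRU_DELETE = re.compile(
    r"(?:reg(?:\.exe)?\s+delete\s+\S*\\Explorer\\RunMRU"
    r"|Remove-Item(?:Property)?\b.*\\Explorer\\RunMRU)",
    re.IGNORECASE,
)

def parse_line(line):
    """Parse a constructed key="value" process-creation record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def classify(line):
    """Return the alert tags raised by one process-creation log line."""
    ev = parse_line(line)
    tags = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if image in VIRT_PROCESSES and ev.get("host", "").upper() not in APPROVED_VM_HOSTS:
        tags.append("unapproved-virtualization")
    if RUNMRU_DELETE.search(ev.get("cmd", "")):
        tags.append("runmru-deletion")
    return tags

def scan(lines):
    """Return (host, tags) for every line that raised at least one alert."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((parse_line(line).get("host", "?"), tags))
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'host="WS-42" user="jdoe" image="C:\Windows\System32\vmwp.exe" cmd="vmwp.exe 3F1A"',
    r'host="BUILD-VM-01" user="svc_build" image="C:\Windows\System32\vmwp.exe" cmd="vmwp.exe 9C02"',
    r'host="WS-17" user="asmith" image="C:\Windows\System32\reg.exe" cmd="reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"',
    r'host="WS-17" user="asmith" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -w hidden Remove-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU -Name *"',
    r'host="WS-03" user="bkim" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="WINWORD.EXE /n"',
]
```

Feed `scan()` your own exported process-creation records in the same key="value" shape; the approved-host set is where explicitly permitted virtualization lives.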
What you need to know: Heathrow relies on complex IT and OT systems to support a vast workforce and meet strict regulations. Zero Trust fits the need for a comprehensive security philosophy that prioritizes safety above all else.
Why it matters: Heathrow is a major target for cyberattacks because it is high-value, but the threats it faces are similar to those encountered by companies across many other industries.
Key takeaways: Ransomware, along with denial of service, is the biggest issue Heathrow faces. To combat this, Heathrow's Zero Trust journey involved striking the right balance between securing the service and not disrupting it. Running ThreatLocker in monitor mode to understand the impact on the business before enforcing policies was a critical step.
Monitoring the latest ransomware attacks and tactics
Phishing scams impersonating the Internet Crime Complaint Center (IC3)
What you need to know: The FBI has documented more than 100 reports of fraudsters posing as IC3 staff and mimicking the official website almost perfectly. One such imposter site is ichelpindex[.]com.
Why it matters: These kinds of attacks exploit public trust and prey on human weaknesses to trick victims into turning over their sensitive information. The elaborate schemes include copying the layouts and imagery used on official, recognized websites. Victims are often promised account recovery and in turn hand over their personal information directly to malicious actors.
What you can do: Be on the lookout for suspicious domain names and rely on direct navigation rather than search results.
New Android-based banking trojan—FvncBot
What you need to know: A new Android-based banking trojan called FvncBot is spreading by disguising itself as a legitimate security app. Once installed, it abuses accessibility permissions to log keystrokes, watch user activity, stream the screen, and overlay fake banking login pages to steal credentials.
Why it matters: FvncBot bypasses traditional Android security with custom code, UI impersonation, and obfuscation and gives the attacker full control of the device and banking session.
What you can do: Install apps only from official sources and watch for unexpected login prompts or overlays.
Approving the applications you need and trust is step one. Next, it's important to control exactly what those applications can do and access. Learn about Zero Trust Application Control in this upcoming webinar.
What we'll cover:
ThreatLocker Ringfencing™, a critical application containment technology that stops the exploitation of trusted software by limiting how your software is allowed to behave.
How you can customize your security so trusted applications, like PowerShell, can run but not access external network destinations.
Where application containment fits within the broader Application Control and Zero Trust strategies.
Learn how to deploy Allowlisting in hours or days instead of weeks and months. Danny Jenkins and ThreatLocker CPO Rob Allen break down how you can heighten your security and manage real-world exceptions without disrupting productivity.
A brief sampling of what was covered:
Step-by-step guidance on rolling out Allowlisting without disruption.
How to balance strong controls with daily usability.
Strategies to address special cases without weakening defense.
We demoed a live cyberattack on two computers, one with Zero Trust protection enabled and one without. See for yourself how each device responded to the threat.
What you'll see:
The multiple ways ThreatLocker stops ransomware from executing, spreading, and encrypting data.
Real-time visibility into attempted breaches and blocked actions.
Audit trails showing how threats were contained.
Calling all cybersecurity defenders worldwide
Zero Trust World returns March 4-6, 2026, and it's shaping up to be our most immersive, hands-on event yet. More labs, more attack simulations, and more practical takeaways. This event is built for you. Plus, pass the Cyber Hero Certification Exam at ZTW, and we'll refund your registration fee!
"I really love the networking. I get to meet some really interesting people from all over the world and we compare notes. I find that I learn so much in the sessions. There's also hands-on labs but also just meeting a random group of people at the lunch table. I wind up learning a lot." -Ann Westerheim, PhD, Founder & President, Ekaru
Made for cyber defenders, by cyber defenders
Each issue of Cyber Hero Frontline is packed with real-world insights, best practices, and stories from everyday defenders to help you harden your environment. In the current issue you'll find:
How to lock down PowerShell vulnerabilities.
Practical steps to harden your environment now.
NIST CSF 2.0: Ten years since the first edition, NIST has updated to match the modern threat landscape.
Read it online or subscribe to have a print copy mailed to you at no charge.