"LLMs can work through information in seconds, but speed doesn't always equal accuracy. At ThreatLocker, human analysts review and categorize websites into groups such as business, adult, gambling, and social media. Humans get it right more than 99% of the time. If the same job is left entirely to AI, accuracy can fall to about 70%.
In security, where even small errors can have big consequences, quality should outweigh cost savings. AI should be used to improve efficiency and speed, not to cut corners." - Danny Jenkins, ThreatLocker CEO & co-founder
From the ThreatLocker blog
Inside today's attack chains: tools, tactics, and defenses.
What happened: ThreatLocker Threat Intelligence captured samples of the Armillaria loader and the EDR killer tool used by Akira. In this Armillaria variant, the payload is embedded within the loader file, then decrypted and executed within the context of a "rundll32.exe" process. The second stage did not match any publicly available samples at the time of initial discovery and has since been shared with the security intelligence community under the filename "owned2.dll". The primary purpose of this stage is to terminate endpoint security programs.
Why it matters: As the threat landscape evolves, new tactics will emerge, and old ones may resurface. Instead of just encrypting or exfiltrating data, this threat aims to actively kill security software. This activity also highlights the growing trend of LOTL abuse.
What you can do: Use Allowlisting to prevent any unapproved executables from running and add explicit deny policies to prevent the usage of high-risk applications or software.
The highlights: Cobalt Strike is a long-running favorite for lateral movement, C2, and malicious payload delivery. It is frequently pirated and accessed through cracked license keys. Another popular tool: Metasploit + Meterpreter. Metasploit provides a modular, sequential approach and complementary tools to deploy bespoke attacks, while Meterpreter is Metasploit's remote shell for C2 operations. One more: Sliver is a modern, actively abused open source C2 framework that has become a common alternative for attackers when Cobalt Strike is detected or blocked.
The deep dive: Get the full list of 10 and learn how and when attackers use these tools.
What you need to know: Ransomware group Lynx allegedly carried out an attack on the Margaritaville at Sea cruise line in Sept. 2025, exposing passenger data and resulting in a class-action lawsuit one month later. Security researchers linked the incident to reused tools from the INC ransomware group.
Why it matters: This attack demonstrates the growing speed with which cybersecurity incidents lead to legal action. The case highlights how unprotected remote access and slow detection remain major risks in the hospitality industry.
Key takeaways: Attackers exploit convenience like RMM tools and helpdesk utilities. Detection speed matters, and legal preparedness must be built into every incident response plan.
What you need to know: PowerShell can represent a significant security risk if left unchecked, but ThreatLocker Ringfencing™ helps mitigate that risk. It prevents access to the internet and restricts lateral movement by limiting access to sensitive files and executables and blocking unauthorized changes to the Windows Registry.
Key takeaways: To build a least privilege Ringfencing policy for PowerShell, first audit what PowerShell is doing in your environment and identify legitimate paths, network calls, and scripts. Determine whether PowerShell is required on all endpoints, who should be able to use it, and what it should be able to access.
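The audit step above, as an added example that is not ThreatLocker's own code: a PowerShell script that summarizes recent PowerShell use on one Windows endpoint from the event logs, so the policy is written from what actually runs. It assumes Script Block Logging (Event ID 4104) and process command-line auditing (Security Event ID 4688) are enabled and that it runs from an elevated session; the list of network-related cmdlets and .NET types it flags is a heuristic chosen for this example.

```powershell
# Added example, not ThreatLocker's code: inventory recent PowerShell use on a
# Windows endpoint so a least-privilege policy can be written from observed
# behaviour. Assumes Script Block Logging (Event ID 4104) and process
# command-line auditing (Security Event ID 4688) are enabled, and an elevated
# session on the host being audited. The network pattern list is a heuristic
# chosen for this example; extend it for your environment.

function Get-EventField {
    # Pull a named <Data Name="..."> value out of a Windows event's XML.
    param($Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PowerShellUsageSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $networkPattern = 'Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|Net\.Sockets|' +
                      'Net\.HttpWebRequest|Http\.HttpClient|Start-BitsTransfer'

    # Script blocks that executed: which script files ran, and which touched the network.
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue

    $scriptRuns  = @{}
    $networkHits = @()
    foreach ($evt in $blocks) {
        $text = Get-EventField $evt 'ScriptBlockText'
        $path = Get-EventField $evt 'Path'
        if ([string]::IsNullOrWhiteSpace($path)) { $path = '<interactive or in-memory>' }
        $scriptRuns[$path] = 1 + [int]$scriptRuns[$path]
        if ($text -and $text -match $networkPattern) {
            $flat = $text -replace '\s+', ' '
            $networkHits += [pscustomobject]@{
                Time    = $evt.TimeCreated
                Path    = $path
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }

    # Process creations: which users and parent processes launch PowerShell.
    $procs = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue

    $launches = foreach ($evt in $procs) {
        $exe = Get-EventField $evt 'NewProcessName'
        if ($exe -notmatch '\\(powershell|pwsh)\.exe$') { continue }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = Get-EventField $evt 'SubjectUserName'
            Parent  = Get-EventField $evt 'ParentProcessName'
            Command = Get-EventField $evt 'CommandLine'
        }
    }

    [pscustomobject]@{
        ScriptRuns = $scriptRuns.GetEnumerator() | Sort-Object Value -Descending |
                     Select-Object @{ n = 'Script'; e = { $_.Key } }, @{ n = 'Runs'; e = { $_.Value } }
        NetworkUse = $networkHits
        Launchers  = $launches | Group-Object User, Parent |
                     Select-Object Count, @{ n = 'User, Parent'; e = { $_.Name } }
    }
}

$summary = Get-PowerShellUsageSummary -Days 7
'== Scripts observed =='
$summary.ScriptRuns | Format-Table -AutoSize
'== Who launches PowerShell, and from what parent =='
$summary.Launchers | Format-Table -AutoSize
'== Script blocks with network-related calls =='
$summary.NetworkUse | Format-Table -AutoSize
```

The three tables map directly onto the questions in the takeaway: the script list shows the legitimate paths to allow, the launcher table shows who needs PowerShell and which parent processes (for example, a management agent versus an Office application) should be permitted to start it, and the network table shows whether any approved script actually needs internet access before that access is blocked.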
These attacks bypass traditional detection and abuse your trust in common tools.
New campaign targets VS Code developers
What you need to know: This campaign uses meticulously crafted VS Code extensions posing as legitimate packages that deploy hidden malware. The attacks abuse common dependencies such as "path-is-absolute" to create a trusted gateway for malware delivery and execution. When VS Code launches, the embedded malicious code triggers: the modified index.js file contains a hidden class that decodes a seemingly harmless PNG file to initiate execution.
Why it matters: Attackers have developed new strategies to hide malicious payloads, showcasing a new level of sophistication. The attack is designed to stay invisible, and instead of exploiting vulnerabilities directly, attackers exploit the extensions and dependencies developers use daily.
What you can do: Audit your extensions regularly, verify sources, and use security scanning tools before installation. Investigate any sudden changes in extension behavior. ThreatLocker customers can further reduce risk by applying Ringfencing policies to limit what approved applications are allowed to access or execute.
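One way to carry out the regular audit and change detection recommended above, as an added example (not ThreatLocker's or Microsoft's code): a PowerShell script that records a baseline of the current user's VS Code extensions and, on later runs, reports extensions that are new, removed, or whose JavaScript changed without a version change. It hashes every .js file under each extension folder, bundled dependencies included, so a rewritten helper package like the index.js case described above alters the digest. The default per-user extensions directory and the baseline file path are assumptions made for this example.

```powershell
# Added example, not ThreatLocker's or Microsoft's code: baseline the VS Code
# extensions installed for the current user and report any that are new,
# removed, or whose JavaScript changed without a version bump. Assumes the
# default extensions directory and a baseline path chosen for this example.

function Get-ExtensionCodeDigest {
    param([string]$Dir)
    # One SHA-256 over "relative path=file hash" for every .js file in the
    # extension (node_modules included), sorted so the digest is stable.
    $entries = Get-ChildItem -Path $Dir -Recurse -File |
        Where-Object { $_.Extension -eq '.js' } |
        Sort-Object FullName |
        ForEach-Object {
            $rel = $_.FullName.Substring($Dir.Length).TrimStart('\')
            "$rel=$((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)"
        }
    $bytes = [Text.Encoding]::UTF8.GetBytes(($entries -join "`n"))
    $sha   = [Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
}

function Get-VsCodeExtensionInventory {
    param([string]$ExtensionsDir = (Join-Path $env:USERPROFILE '.vscode\extensions'))
    Get-ChildItem -Path $ExtensionsDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $manifest = Join-Path $_.FullName 'package.json'
        if (-not (Test-Path $manifest)) { return }
        $pkg = Get-Content -Path $manifest -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Id      = "$($pkg.publisher).$($pkg.name)"
            Version = [string]$pkg.version
            Entry   = [string]$pkg.main          # file VS Code loads on activation
            Digest  = Get-ExtensionCodeDigest -Dir $_.FullName
        }
    }
}

function Compare-VsCodeExtensionBaseline {
    param([string]$BaselinePath = (Join-Path $env:USERPROFILE 'vscode-ext-baseline.json'))
    $current = @(Get-VsCodeExtensionInventory)
    if (-not (Test-Path $BaselinePath)) {
        ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
        Write-Host "Baseline written: $BaselinePath ($($current.Count) extensions)"
        return
    }
    $baseline = @{}
    foreach ($b in @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$b.Id] = $b }

    foreach ($ext in $current) {
        $old = $baseline[$ext.Id]
        if (-not $old) {
            [pscustomobject]@{ Id = $ext.Id; Change = 'NEW'; Detail = $ext.Version }
        } elseif ($old.Digest -ne $ext.Digest) {
            # Same version but different code is the case that deserves a closer look.
            $kind = if ($old.Version -eq $ext.Version) { 'CODE CHANGED, SAME VERSION' } else { 'UPDATED' }
            [pscustomobject]@{ Id = $ext.Id; Change = $kind; Detail = "$($old.Version) -> $($ext.Version)" }
        }
    }
    foreach ($id in $baseline.Keys) {
        if (-not ($current | Where-Object { $_.Id -eq $id })) {
            [pscustomobject]@{ Id = $id; Change = 'REMOVED'; Detail = $baseline[$id].Version }
        }
    }
}

Compare-VsCodeExtensionBaseline | Format-Table -AutoSize
```

Run it once to write the baseline, then on a schedule; an "UPDATED" row is expected after a marketplace update, while "CODE CHANGED, SAME VERSION" or an unexpected "NEW" entry is the signal to pull the extension folder for review before VS Code is launched again.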
Attack chain abuses familiar platforms Microsoft Teams and Quick Assist
What you need to know: This emerging trend is a multi-stage social engineering chain that tricks victims into revealing sensitive information by taking advantage of commonly used platforms, which makes the attackers appear more credible. Attackers spoof internal staff IDs on Teams calls, then leverage Quick Assist to gain remote access to the system. Victims may be redirected to a phishing site that deploys fileless .NET malware. The malicious code is loaded directly into memory, minimizing residual evidence.
Why it matters: Traditional detection solutions are rendered largely ineffective by fileless malware with no detectable traces, making response more difficult. Furthermore, this is yet another campaign that highlights the growing shift toward LOTL attacks.
What you can do: Training employees on social engineering tactics and how to spot them is critical. Furthermore, security tools must incorporate behavior analysis and machine learning to identify attacks that deviate from the norm.
Ensure you and your team have the restful holiday you deserve. Follow along with CEO Danny Jenkins and CPO Rob Allen and learn the essential defenses you need to block threats during high-risk periods.
What you'll get:
Practical tips to shut out ransomware while you're out of the office.
A checklist for shutting down unnecessary services before you leave.
A ready-to-roll incident response playbook in case trouble strikes.
Mark your calendar: March 4-6, 2026
This ZTW is shaping up to be our biggest yet! Hands-on hacking labs, practical Zero Trust strategies, live attack demos, and real-world takeaways you can implement immediately. Don't forget: If you pass the Cyber Hero Certification Exam at ZTW, your registration fee is refunded!
"[Zero Trust World 2025] was amazing. It was very interactive, hands-on, but also at the same time the keynote speakers were very effective with the messages they were delivering. The breakout sessions were also effective. It was really nothing short of amazing."
- Rhamia Musakayi, Phoenix Defense
Made for cyber defenders, by cyber defenders
In cybersecurity, there's no room for almost. Cybercriminals only need a small gap to wreak havoc in our environments, so we must strive for 100% resiliency. In the latest edition of the ThreatLocker magazine, you'll find:
"ThreatLocker saved our business": Inside the breach that didn't happen with GB Tech.
The industrialization of cybercrime: How groups like DragonForce have changed the game.
Silent heists: The problem of data theft without disruption.
Read it online or subscribe to have a print copy mailed to you at no charge.