"Education is key to fighting cybercrime. We attend 800+ events globally each year where we lead training and thought leadership sessions on cybersecurity. Each year we host a conference with over 2,000 IT professionals. We also offer free monthly webinars with security tips and hacks. As we grow, we'll keep educating and demonstrating to ensure everyone has access to the most robust cyber protection solutions." - Danny Jenkins
From the ThreatLocker blog
Preparedness is the difference between disruption and disaster
What you need to know: A domain used by payment and e-commerce company Treasure Global Inc. was hijacked, causing its primary website and associated services to redirect to a threatening, full-screen message. The attacker gained control of the domain registrar account (Namecheap) by changing credentials and locking out legitimate access. Despite providing proof of ownership, Treasure Global was unable to regain control. It filed a lawsuit against Namecheap highlighting significant operational disruption and unresolved loss of domain control. Namecheap argued that, as a neutral domain registrar, it had no legal obligation to intervene or return access to a compromised account. Treasure Global has since voluntarily dismissed its lawsuit.
Why it matters: The attack hijacked an external administrative account, underscoring the importance of third-party account security. Domain control is critical to any business, and losing it can instantly disrupt operations and have a lasting impact on customer trust. This incident also highlights how legal remedies do not always align with operational needs. Treasure Global dismissing its case demonstrates the reality that registrars tend to treat restoration as a legal process rather than incident response.
Key takeaways: Domain governance must be treated as critical infrastructure, and registrar account takeovers need to be part of any incident response plan, including using secondary emergency controls, pre-established ownership documentation, and clear escalation paths that do not rely on registrar intervention.
What you need to know: In late 2024, Cierant, a Connecticut-based marketing and software services provider supporting healthcare clients, detected unauthorized activity that stemmed from a vulnerability in a third-party file-transfer tool (Cleo VLTrader). Investigators found that this flaw allowed an attacker to access sensitive files belonging to plan members processed by Cierant, affecting over 232,000 individuals. Multiple class-action lawsuits against Cierant were later consolidated, alleging negligence, delayed breach notification, and inadequate security practices, highlighting accountability even when the originating flaw resided in a supplier’s component.
Why it matters: Your vendors' vulnerabilities are your vulnerabilities. A breach like Cierant's, where the company's internal networks weren't directly compromised, can still expose client data, trigger litigation, and damage public trust. Vendor oversight is no longer just a procurement concern but also a risk management priority.
Key takeaways: Treat your third-party software and services as extensions of your own environment. Vendor oversight should be proactive and continuous rather than relying on one-time assessments or contractual assurances, and incident response plans should also account for third-party failures.
What you need to know: In early 2025, fraudsters used a cloned voice of the Italian Defense Minister in live calls to business leaders, successfully coercing at least one victim to transfer nearly €1 million before law enforcement froze the funds. In these vishing attacks, cloned voices and spoofed caller IDs are used to manipulate human trust and prompt actions such as financial transfers, credential resets, or remote support installations. AI tools have removed the realism and cost barriers previously associated with this attack vector, making scalable and highly targeted voice-based scams increasingly common.
Why it matters: Modern AI tools only require minimal voice input to generate convincing clones, making vishing a scalable social engineering vector. Successful vishing can result in financial loss, unauthorized access, and lasting reputational damage.
Key takeaways: Traditional reliance on voice recognition and basic caller ID is no longer sufficient. Employee training should explicitly cover AI-enhanced threats and emphasize verification over urgency, especially for requests involving financial transactions or access changes.
What you need to know: GB Tech, a Houston-based aerospace and IT services provider, narrowly avoided a catastrophic breach when attackers gained access to its RMM platform through a long-forgotten account that lacked multi-factor authentication. The activity did not resemble traditional malware and would have appeared legitimate to most tools. The ThreatLocker MDR team, however, identified abnormal behavior inside a trusted account, contacted GB Tech directly, and helped contain the threat before attackers could move laterally or impact customers.
Why it matters: As we've discussed in weeks past, modern attacks increasingly abuse trusted tools, credentials, and accounts rather than deploying obvious malware. In this case, a single overlooked account with elevated access highlights why visibility gaps, delayed response, or alert-only tools are no longer sufficient when attackers are operating inside legitimate systems.
Key takeaways: Assume your trusted tools like RMM platforms, admin accounts, and legacy configurations will be targeted. Alerts alone cannot stop breaches; rapid, human-driven response is necessary to identify intent, validate activity, and contain threats. Ultimately, the difference between a near miss and a business-ending incident often comes down to layered controls, real-time visibility, and the ability to act immediately when something looks wrong.
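The near miss above turned on a single dormant account that nobody remembered and that had no MFA. Below is an added example, not ThreatLocker's or GB Tech's code, of the kind of periodic audit that surfaces such accounts before an attacker does. The account records are constructed sample data, and the field names (username, role, mfa_enabled, last_login) are assumptions about what an RMM or identity-provider export would contain; the severity model is likewise an assumption for illustration.

```python
"""Audit an account export for dormant, MFA-less, or privileged accounts.

Added example (not ThreatLocker's or GB Tech's code). Records are constructed;
field names are assumptions about an RMM / IdP export format.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: one record per account. last_login is None for an
# account that has never signed in (common for setup or vendor accounts).
SAMPLE_ACCOUNTS = [
    {"username": "alice.admin", "role": "admin", "mfa_enabled": True,
     "last_login": "2025-01-10T08:15:00Z"},          # healthy
    {"username": "svc-backup", "role": "admin", "mfa_enabled": False,
     "last_login": "2023-06-02T22:40:00Z"},          # privileged, dormant, no MFA
    {"username": "bob.tech", "role": "technician", "mfa_enabled": False,
     "last_login": "2025-01-09T17:05:00Z"},          # active but MFA missing
    {"username": "old-contractor", "role": "technician", "mfa_enabled": True,
     "last_login": "2022-11-15T09:00:00Z"},          # dormant only
    {"username": "setup-temp", "role": "owner", "mfa_enabled": False,
     "last_login": None},                            # never used, still privileged
]

# Roles treated as privileged for this audit (assumption for the example).
PRIVILEGED_ROLES = {"admin", "owner"}

# Fixed "as of" time so the audit is reproducible offline.
AS_OF = datetime(2025, 1, 12, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_accounts(accounts, now, dormant_days=90):
    """Return a list of findings, highest severity first.

    Severity model (an assumption for this example):
      3 = privileged AND no MFA AND dormant  -> disable immediately
      2 = no MFA AND dormant, or privileged without MFA
      1 = a single condition (no MFA, or dormant)
    An account with no recorded login is treated as dormant.
    """
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        reasons = []
        privileged = acct["role"] in PRIVILEGED_ROLES
        if not acct["mfa_enabled"]:
            reasons.append("no_mfa")
        last = acct.get("last_login")
        if last is None or parse_ts(last) < cutoff:
            reasons.append("dormant")
        if not reasons:
            continue
        # One point per condition, plus one if a privileged account lacks MFA.
        severity = len(reasons) + (1 if privileged and "no_mfa" in reasons else 0)
        findings.append({"username": acct["username"], "privileged": privileged,
                         "reasons": reasons, "severity": severity})
    findings.sort(key=lambda f: (-f["severity"], f["username"]))
    return findings


def run_audit():
    """Run the audit over the constructed export as of AS_OF."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_audit():
        flag = "PRIV" if f["privileged"] else "    "
        print(f"[sev {f['severity']}] {flag} {f['username']:<16} {', '.join(f['reasons'])}")
```

Run against a real export, the ordering is the point: the accounts at the top (privileged, unused, no MFA) are exactly the ones that would have looked legitimate to tooling once an attacker logged in with them, so they are the first to disable or enroll rather than simply alert on.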
Threats you need to know
How attackers are moving around traditional defenses
Hackers exploit VMware ESXi zero-days to escape VMs and compromise hypervisors
What you need to know: A sophisticated China-linked threat actor leveraged a compromised SonicWall VPN appliance to deploy a multi-stage exploit toolkit against VMware ESXi hypervisors. The attack targets zero-day vulnerabilities in VMware ESXi to escape from a guest VM and gain control of the underlying hypervisor. Once successful, attackers bypassed traditional VM isolation and established persistence using a backdoor (VSOCKpuppet) that communicates through VMware's internal VSOCK channel, limiting visibility for traditional security tools.
Why it matters: Hypervisor compromise offers maximum impact because it can expose and manipulate all VMs hosted on the platform, collapsing isolation between workloads. The selective distribution suggests high-value targeting, reinforcing that virtualization infrastructure has become a prime objective for threat actors.
Key takeaways: Assume attackers will increasingly target shared infrastructure; as endpoint defenses mature, attackers will shift their focus. Hypervisors are a high-value trust layer, and compromise at this level can negate security controls across the environment. Patch velocity and visibility should be treated as risk management priorities, not simply maintenance.
Tomiris expands operations with new tools and tactics
What you need to know: Russian-speaking Tomiris has introduced new tools and techniques in an ongoing espionage campaign targeting government ministries, intergovernmental organizations, and diplomatic entities. The group is deploying multi-language reverse shells and modules built on frameworks such as Havoc and AdaptixC2. Researchers observed Tomiris using diverse programming languages (Go, Rust, Python, C/C++) and abusing public services like Discord and Telegram for command and control to evade detection and blend in with legitimate traffic.
Why it matters: By adopting open-source command-and-control frameworks and leveraging common communication platforms, Tomiris blends malicious traffic with legitimate application traffic, making detection harder. Furthermore, the use of multi-language implants makes traditional signatures or single-tool defenses less effective and signals a strategy built around adaptable tooling that can be easily repurposed. Tomiris is deliberately adopting widely available frameworks to lower development cost and blend in, reflecting a broader trend among APTs.
Key takeaways: Shift to a default-deny approach that blocks unknown tools, scripts, and behaviors. Protect sensitive workloads with Zero Trust segmentation to reduce the chance that a reverse shell reaches critical systems.
Dive deeper into why hypervisors and VMs are high-value targets and get a step-by-step guide to Zero Trust for virtualized environments from CEO Danny Jenkins and CPO Rob Allen.
What we'll cover:
How to harden the hypervisor and reduce attack surface.
How to lock down VMs with default-deny controls.
What a "hardened" environment really looks like and where to start.
A cybersecurity conference like no other
What's waiting for you at this year's event:
The leading voices in cybersecurity like Jakoby, MalwareTech, Phillip Wylie, and more.
The ThreatLocker After Party straight from the Space Age.