CLEARSHORT smart-contract stealer delivery chain
Malware Activity
Summary
The CLEARSHORT downloader is actively delivering Atomic (AMOS), Lumma, Rhadamanthys, and Vidar through hacked sites, putting Windows and Apple macOS users at risk. The chain matters because it hides payload delivery behind BNB Smart Chain smart contracts and compromised WordPress pages, making disruption and takedown harder. The delivery flow also uses ClickFix lures to push victims into running malicious commands.
Related Happenings
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
Vulnerability
H score: 39
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources: 1
About this happening:
Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
WordPress malware campaign using Steam profile C2 concealment
Campaign
H score: 37
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources: 1
About this happening:
A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
H score: 39
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources: 1
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
H score: 34
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources: 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
RoshniNaveenaS's account hit by network compromise
Incident
H score: 18
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources: 1
About this happening:
The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...
Timeline
- 16.10.2025 17:52 · 1 article · 8mo ago
UNC5142 main smart-contract infrastructure created
Campaign Scope Update: UNC5142 established its main smart-contract infrastructure for the CLEARSHORT delivery chain on November 24, 2024, creating the core campaign setup used to route stealer payload delivery through the BNB Smart Chain.
Sources:
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
- 16.10.2025 17:52 · 1 article · 8mo ago
UNC5142 secondary smart-contract infrastructure funded
Campaign Scope Update: UNC5142 funded a parallel Secondary smart-contract infrastructure for the CLEARSHORT delivery chain on February 18, 2025, adding a tactical deployment that could support campaign surges, new lures, or operational resilience.
Sources:
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
- 16.10.2025 17:52 · 1 article · 8mo ago
UNC5142 activity last observed on July 23, 2025
Detection IoC Update: UNC5142 activity was last observed on July 23, 2025, after which no further activity had been spotted, suggesting a pause or an operational pivot in the smart-contract-based delivery chain.
Sources:
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
- 16.10.2025 17:52 · 2 articles · 8mo ago
CLEARSHORT smart-contract stealer delivery chain disclosed
Initial Disclosure: UNC5142 is publicly disclosed as a financially motivated campaign that abuses compromised WordPress sites and BNB Smart Chain smart contracts via EtherHiding to distribute Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar to Windows and Apple macOS systems through the CLEARSHORT downloader and ClickFix social engineering.
Sources:
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52