UNC5142 Abuses Blockchain Smart Contracts to Spread Malware via Compromised WordPress Sites
Summary
A financially motivated threat actor, UNC5142, has been exploiting blockchain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar on Windows and macOS systems. The attacks leverage compromised WordPress websites and a technique called 'EtherHiding' to hide malicious code on public blockchains. The campaign uses a multi-stage JavaScript downloader named CLEARSHORT to deliver malware, with the first stage interacting with a malicious smart contract on the BNB Smart Chain. The smart contract retrieves a landing page from an external server, which then employs social engineering tactics to infect the system. Google Threat Intelligence Group (GTIG) flagged about 14,000 web pages containing injected JavaScript associated with UNC5142, indicating a broad targeting of vulnerable WordPress sites. However, no activity has been observed since July 23, 2025.
Timeline
- 16.10.2025 17:52 (1 article): UNC5142 Campaign Evolves with Blockchain Smart Contracts
UNC5142 has been observed using compromised WordPress sites and blockchain smart contracts to distribute information stealers. The campaign employs a multi-stage JavaScript downloader named CLEARSHORT, which interacts with malicious smart contracts on the BNB Smart Chain. The attacks target both Windows and macOS systems, using social engineering tactics to infect victims. The campaign has evolved from a single-contract system to a more sophisticated three-smart contract system, allowing for rapid updates and increased resilience. The threat actor uses two distinct sets of smart contract infrastructures, with the Main infrastructure serving as the core campaign infrastructure and the Secondary infrastructure supporting specific surges in activity or testing new lures.
Sources:
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
Information Snippets
- UNC5142 uses compromised WordPress sites and 'EtherHiding' to obscure malicious code on public blockchains, specifically the BNB Smart Chain. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The campaign targets both Windows and macOS systems with information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- CLEARSHORT, a multi-stage JavaScript downloader, is used to distribute malware via compromised websites. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The first stage of CLEARSHORT interacts with a malicious smart contract on the BNB Smart Chain to retrieve a landing page from an external server. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The landing pages are typically hosted on Cloudflare .dev pages and retrieved in an encrypted format. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- On Windows, the attack involves executing an HTML Application (HTA) file that drops a PowerShell script to fetch and run the stealer malware in memory. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- On macOS, the attack uses a bash command to retrieve a shell script that fetches the Atomic Stealer payload. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- CLEARSHORT is a variant of ClearFake, a rogue JavaScript framework known for delivering malware through drive-by downloads. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The abuse of blockchain provides resiliency to UNC5142's operations, blending with legitimate Web3 activity and increasing resistance to detection and takedown efforts. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- UNC5142's campaigns have evolved from a single-contract system to a more sophisticated three-smart-contract system for better operational agility. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The new architecture uses a Router-Logic-Storage design, allowing for rapid updates to critical parts of the attack without modifying the JavaScript on compromised websites. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- UNC5142 uses two distinct sets of smart contract infrastructures to deliver stealer malware, with the Main infrastructure created on November 24, 2024, and the Secondary infrastructure funded on February 18, 2025. (First reported: 16.10.2025 17:52; 1 source, 1 article)
- The Main infrastructure is the core campaign infrastructure, while the Secondary infrastructure appears to be a parallel, more tactical deployment. (First reported: 16.10.2025 17:52; 1 source, 1 article)