UNC5142 EtherHiding WordPress stealer campaign
Campaign
Summary
Hide ▲
Show ▼
The UNC5142 campaign is abusing compromised WordPress sites and BNB Smart Chain smart contracts to deliver information stealers to Windows and macOS users, making the delivery chain harder to disrupt. By routing payload retrieval through EtherHiding and multi-stage loaders, the operation can change infrastructure without rewriting code on the infected sites. Google flagged about 14,000 web pages tied to the activity by June 2025, showing broad abuse of vulnerable sites. The campaign had not been seen since July 23, 2025, suggesting either a pause or an operational pivot.
Related Happenings
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
H score38
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm multi-country targeting campaign against government and enterprise victims
CampaignAbout this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
Timeline
-
16.10.2025 17:52 2 articles · 8mo ago
Initial report: UNC5142 EtherHiding WordPress stealer campaign
Initial DisclosureIn the first observed phase, **UNC5142** used a **single smart-contract setup** to pull malicious content from **compromised WordPress pages** and route victims into a hidden delivery chain. Early activity established the **CLEARSHORT** loader pattern that later expanded into a more resilient **EtherHiding** workflow.
Show sources
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites — thehackernews.com — 16.10.2025 17:52