Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

UNC5142 EtherHiding WordPress stealer campaign

Campaign
First reported
Last updated
Happening score
H score 40
1 unique sources, 1 articles

Summary

Hide ▲

The UNC5142 campaign is abusing compromised WordPress sites and BNB Smart Chain smart contracts to deliver information stealers to Windows and macOS users, making the delivery chain harder to disrupt. By routing payload retrieval through EtherHiding and multi-stage loaders, the operation can change infrastructure without rewriting code on the infected sites. Google flagged about 14,000 web pages tied to the activity by June 2025, showing broad abuse of vulnerable sites. The campaign had not been seen since July 23, 2025, suggesting either a pause or an operational pivot.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

Open Happening

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Open Happening

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

Open Happening

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Open Happening

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Open Happening

Timeline

  1. 16.10.2025 17:52 2 articles · 7mo ago

    Initial report: UNC5142 EtherHiding WordPress stealer campaign

    Initial Disclosure

    In the first observed phase, **UNC5142** used a **single smart-contract setup** to pull malicious content from **compromised WordPress pages** and route victims into a hidden delivery chain. Early activity established the **CLEARSHORT** loader pattern that later expanded into a more resilient **EtherHiding** workflow.

    Show sources
    Open in new tab