Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC5142 EtherHiding WordPress stealer campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The UNC5142 campaign is abusing compromised WordPress sites and BNB Smart Chain smart contracts to deliver information stealers to Windows and macOS users, making the delivery chain harder to disrupt. By routing payload retrieval through EtherHiding and multi-stage loaders, the operation can change infrastructure without rewriting code on the infected sites. Google flagged about 14,000 web pages tied to the activity by June 2025, showing broad abuse of vulnerable sites. The campaign had not been seen since July 23, 2025, suggesting either a pause or an operational pivot.

Related Happenings

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score73 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
H score33 First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
H score38 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

Timeline

  1. 16.10.2025 17:52 2 articles · 8mo ago

    Initial report: UNC5142 EtherHiding WordPress stealer campaign

    Initial Disclosure

    In the first observed phase, **UNC5142** used a **single smart-contract setup** to pull malicious content from **compromised WordPress pages** and route victims into a hidden delivery chain. Early activity established the **CLEARSHORT** loader pattern that later expanded into a more resilient **EtherHiding** workflow.

    Show sources