Blockchain-Powered Malware Attacks on WordPress: A New Cyber Threat

UNC5142 is a financially motivated threat group that has been covertly distributing malware, including information stealers such as Atomic and Vidar, to Windows and macOS users through compromised WordPress websites and public blockchain smart contracts, particularly on the BNB Smart Chain. The attack chain, called EtherHiding, injects JavaScript into WordPress websites that queries malicious smart contracts for encrypted payloads, which makes identification and takedown operations much more difficult. By taking advantage of the decentralized and robust nature of blockchain infrastructure, UNC5142 has built a scalable, covert, and highly flexible malware delivery mechanism that poses a growing cybersecurity risk to both web platforms and enterprises.

Technical Description

UNC5142 injects a multi-stage JavaScript downloader (CLEARSHORT) into WordPress plugin/theme files and the database to call malicious smart contracts on the BNB Smart Chain. These contracts (migrating to a three-contract Router-Logic-Storage proxy pattern) provide encrypted Cloudflare .dev landing pages that use ClickFix decoys to trick users into running HTA/PowerShell on Windows or bash/curl on macOS. The landing pages lead to encrypted stealer payloads (Atomic/AMOS, Lumma, Rhadamanthys/RADTHIEF, Vidar) fetched from MediaFire, GitHub, or attacker hosts and executed in memory to avoid disk artifacts. Mutable contract storage (updated for cents in fees) and parallel Main/Secondary infrastructures provide rapid, resilient control and high-volume reach (approximately 14,000 injected pages flagged by June 2025). The details of the attack campaign are discussed below:

Delivery and Infection Chain:

Infected WordPress sites contain CLEARSHORT JavaScript that queries malicious smart contracts on the BNB Smart Chain to retrieve encrypted Cloudflare-hosted landing pages. These landing pages use ClickFix social engineering lures to get victims to run HTA/PowerShell (Windows) or bash/curl (macOS), which then pull and decrypt stealer payloads from MediaFire, GitHub, or attacker servers and often execute them in memory to avoid disk artifacts and maximize stealth. The infection chain was identified as follows:

  • Vulnerable WordPress plugin/theme files or the DB are modified to include the first-stage CLEARSHORT JavaScript.
  • A visitor loads the compromised page, executing the injected JS in the browser.
  • The JS interacts with a malicious smart contract on BNB Smart Chain (Router-Logic-Storage proxy pattern) to obtain pointers/keys for the next stage.
  • The contract returns an encrypted URL/landing page which the JS fetches (typically hosted on Cloudflare .dev) and decrypts client-side.
  • The landing page displays a decoy (fake browser/update/security prompt) that instructs the user to run a provided command (HTA/PowerShell or bash/curl).
  • The command downloads an HTA or shell script (often from MediaFire/GitHub/attacker infra); the HTA launches PowerShell on Windows or the shell executes on macOS.
  • The stager retrieves the encrypted final stealer payload, decrypts it, and executes it in memory (avoiding disk writes) to deploy information-stealer malware.
  • The stealer exfiltrates credentials/data; the attacker can update smart-contract storage (for cents in fees) to pivot landing pages or payloads without changing the site JS.

Technical Capabilities:

UNC5142 uses a multi-stage JavaScript framework (CLEARSHORT, linked to the ClearFake lineage) injected into WordPress plugin/theme files and occasionally the database to perform an on-chain lookup against malicious smart contracts deployed on the BNB Smart Chain. The contracts use a Router-Logic-Storage proxy pattern to store mutable pointers and decryption keys and return encrypted Cloudflare-hosted landing pages to the victim browser.

The landing page is retrieved and decrypted by the client-side JavaScript. ClickFix social engineering decoys are used to trick the user into executing an HTA/PowerShell command on Windows or a bash/curl command on macOS. The stagers then download and decrypt encrypted stealer payloads from MediaFire, GitHub, or attacker infrastructure and execute them (usually in memory to avoid disk-based detection). Meanwhile, the actor updates smart-contract storage for cents in gas to quickly pivot landing URLs or keys across parallel Main and Secondary infrastructures for resilience and takedown resistance.

Attribution and Evolution:

Google evaluates UNC5142 as operationally mature and financially motivated, based on its transition from a single-contract setup to a three-contract Router-Logic-Storage proxy pattern (Nov. 24, 2024) and subsequent improvements, as well as its parallel Main and Secondary smart-contract infrastructures (Main created Nov. 24, 2024; Secondary funded Feb. 18, 2025). These modifications indicate intentional design decisions for operational robustness, agility, and upgradeability as opposed to haphazard experimentation.

Active Campaign and Geographic Spread:

About 14,000 web pages with injected JavaScript linked to UNC5142 were flagged by Google as of June 2025, indicating indiscriminate, high-volume targeting of vulnerable WordPress sites worldwide. Although the report doesn't fully list all the victim geographies, the cross-platform payloads and public hosting options (Cloudflare, GitHub, MediaFire) suggest a broadly scoped, global campaign footprint until observed inactivity after July 23, 2025.

Conclusion:

UNC5142 has created a robust, inexpensive, and agile malware distribution pipeline that is hard to remove and detect by fusing common WordPress compromises with smart-contract-backed payload delivery (EtherHiding) and a modular CLEARSHORT downloader. This shows how Web3 primitives can be repurposed for scalable cybercrime and emphasizes the necessity of integrated web, host, and blockchain-aware defenses.

Impact

UNC5142's campaigns have enabled large-scale credential and data theft by covertly distributing information stealers (Atomic/AMOS, Lumma, Rhadamanthys/RADTHIEF, Vidar) to both Windows and macOS endpoints, increasing the risk of account takeover, financial fraud, and lateral compromise across organizations. The use of blockchain-backed delivery and in-memory execution reduces forensic visibility and extends the operational life of malicious infrastructure, amplifying potential business and privacy damages.

IOC and Context Details

Tactic Name: Initial Access, Execution, Persistence, Command & Control
Technique Name: Drive-by compromise via injected JavaScript; Smart-contract-backed payload delivery
Sub-Technique Name: JavaScript injection into WordPress plugins; Router/Logic/Storage proxy smart contracts on BNB Smart Chain
Attack Type: Malware
Targeted Applications: WordPress CMS
Region Impacted: Global
Industry Impacted: Web hosting providers; Websites (SMBs to Enterprise); E-commerce platforms; Any organization using WordPress
IOCs:
  IP: 185.93.89.62
  SHA-256:
    f0d04f39cc5ebfec06508460fb77e85c9221e2b0c46f2ca913ffc7f96604e9d8
    2d2d7f6f30e53c1f1e1a498cffbeb9a8a71223f5dfc4a61b738b02495e58d433
  Domains:
    ander-extranet.com
    cert.doggos.win
    airffordable.com.au
    theespressobar.com.au
    nalagi-hotel.com
CVE: NA

Recommended Actions

  • Regularly update and patch WordPress core, plugins, and themes to minimize vulnerabilities attackers exploit for JavaScript injection.
  • Conduct continuous monitoring and scanning of WordPress files and databases for unauthorized code changes, especially suspicious JavaScript in plugin files, theme files, and DB entries.
  • Implement Content Security Policy (CSP) headers to restrict execution of untrusted JavaScript and block connections to unauthorized external domains, including the public RPC endpoints the injected script uses to reach blockchain smart contracts.
  • Deploy web application firewalls (WAF) with custom rules to detect and block malicious JavaScript injections and abnormal outbound requests to blockchain nodes or suspicious hosting platforms like MediaFire or Cloudflare .dev.
  • Educate users about social engineering tactics like ClickFix and warn against executing unexpected commands prompted by browser pop-ups or update notifications.
  • Leverage endpoint detection and response (EDR) solutions capable of detecting in-memory execution of suspicious scripts (HTA, PowerShell, bash) and anomalous network connections to attacker infrastructure.
  • Monitor public blockchain smart contract activity related to your organization's domains or suspicious contracts to identify potential malicious payload hosting or control infrastructure.
  • Maintain incident response and digital forensics readiness to rapidly investigate and remediate infections, including identifying affected WordPress sites, extracting malicious JavaScript, and tracing blockchain-based command infrastructure.
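The file and database scanning recommended above can be approached with a small heuristic scanner tuned to the first stage of the infection chain (page JavaScript that calls a BNB Smart Chain RPC endpoint, reads a contract with eth_call, and decrypts the result client-side). This is an added example, not code from the report or from Google; the indicator regexes, threshold, file paths and samples are assumptions constructed for illustration, not IoCs from the page.

```python
import re

# Heuristic indicators of an EtherHiding-style first stage. Each pattern alone is weak
# (a hex string or atob() call is common in benign code), so a fragment is flagged only
# when several independent categories match. These are assumptions, not report IoCs.
INDICATORS = {
    "bsc_rpc_endpoint": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "bsc_chain_id": re.compile(r"chainId['\"]?\s*[:=]\s*['\"]?(56|0x38)\b", re.I),
    "eth_call_rpc": re.compile(r"['\"]eth_call['\"]", re.I),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "cloudflare_pages": re.compile(r"[a-z0-9-]+\.pages\.dev", re.I),
    "client_side_decrypt": re.compile(r"atob\s*\(|crypto\.subtle\.decrypt|CryptoJS\.AES\.decrypt", re.I),
}
THRESHOLD = 3  # distinct categories required before a fragment is flagged

def scan_text(text):
    """Return the sorted names of indicator categories that match in a JS/PHP/DB fragment."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def is_suspicious(text):
    """True when at least THRESHOLD distinct categories match in one fragment."""
    return len(scan_text(text)) >= THRESHOLD

def scan_sources(sources):
    """sources maps a label (plugin/theme path or wp_options row) to its content;
    returns only the flagged labels with the categories that matched."""
    return {label: scan_text(body) for label, body in sources.items() if is_suspicious(body)}

# Constructed samples: a benign theme script, an inert fragment shaped like the on-chain
# lookup described above (all-zero placeholder address, no decryptor), and a DB row.
SAMPLES = {
    "wp-content/themes/example/js/menu.js":
        "jQuery(function($){ $('.menu').on('click', function(){ $(this).toggleClass('open'); }); });",
    "wp-content/plugins/example-plugin/assets/init.js": (
        "const rpc='https://bsc-dataseed1.binance.org/';"
        "const body={jsonrpc:'2.0',method:'eth_call',params:[{to:'0x" + "00" * 20 + "',data:'0x'},'latest'],id:1};"
        "fetch(rpc,{method:'POST',body:JSON.stringify(body)}).then(r=>r.json())"
        ".then(j=>{const page=atob(j.result); /* placeholder */});"
    ),
    "wp_options#widget_text": "<p>Opening hours: 9-5 Mon-Fri</p>",
}

if __name__ == "__main__":
    for label, hits in scan_sources(SAMPLES).items():
        print(f"FLAG {label}: {', '.join(hits)}")
```

In practice the sources dict would be filled from a walk of wp-content and a dump of wp_options/wp_posts, and any flagged file should be diffed against the vendor's release before cleanup.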

References

https://cubexgroup.com/rss_feeds/hackers-abuse-blockchain-smart-contracts-to-spread-malware-via-infected-wordpress-sites/