Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites
Briefly

"'UNC5142 is characterized by its use of compromised WordPress websites and "EtherHiding," a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,' Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. As of June 2025, Google said it flagged about 14,000 web pages containing injected JavaScript that exhibit behavior associated with an UNC5142, indicating indiscriminate targeting of vulnerable WordPress sites."
"A crucial aspect that underpins the attack chains is a multi-stage JavaScript downloader dubbed CLEARSHORT that enables the distribution of the malware via the hacked sites. The first stage is a JavaScript malware that's inserted into the websites to retrieve the second-stage by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain. The first stage malware is added to plugin-related files, theme files, and, in some cases, even directly into the WordPress database."
UNC5142 is a financially motivated threat actor that abuses blockchain smart contracts and compromised WordPress sites to distribute information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar to Windows and macOS systems. The actor uses EtherHiding to obscure malicious code or data by placing it on public blockchains like the BNB Smart Chain. About 14,000 web pages with injected JavaScript exhibiting UNC5142 behavior had been flagged as of June 2025, reflecting indiscriminate targeting of vulnerable WordPress sites. A multi-stage JavaScript downloader named CLEARSHORT retrieves payloads via malicious smart contracts and uses a ClickFix landing page to trick users into executing commands in the Windows Run dialog or the macOS Terminal.
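A defender-side heuristic for the first stage described above, as an added example that is not from the GTIG report or The Hacker News: it flags theme and plugin files that contain a contract address together with JSON-RPC or Web3 client code. The marker patterns, the `bsc-dataseed` host string and the sample strings are assumptions constructed for this example, not indicators from the report.

```python
import re
from pathlib import Path

# Heuristic markers (assumptions of this example, not indicators from the GTIG report).
MARKERS = {
    "json_rpc_eth_call": re.compile(r"""["']eth_call["']"""),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "web3_client": re.compile(r"\bnew\s+Web3\s*\(|\bethers\.Contract\b|\.eth\.Contract\s*\("),
    "bsc_rpc_host": re.compile(r"bsc-dataseed", re.I),
}
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}


def scan_text(text):
    """Return the sorted names of the markers present in one blob of text."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))


def is_suspicious(hits):
    """Flag only when a contract address appears together with a way to call it."""
    return "contract_address" in hits and len(hits) >= 2


def scan_tree(root):
    """Walk a wp-content style tree and return {relative_path: hits} for flagged files."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if is_suspicious(hits):
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed samples: an inert script with a placeholder contract address, and a benign one.
SAMPLE_INJECTED = (
    'const req = {jsonrpc: "2.0", method: "eth_call", '
    'params: [{to: "0x' + "ab" * 20 + '", data: "0x00"}, "latest"]};'
)
SAMPLE_CLEAN = 'document.querySelector("#menu").classList.toggle("open");'

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "themes", "demo")
        theme.mkdir(parents=True)
        (theme / "footer.js").write_text(SAMPLE_INJECTED)
        (theme / "menu.js").write_text(SAMPLE_CLEAN)
        print(scan_tree(tmp))
```

Because the first stage can also sit in the WordPress database, `scan_text` can be run over exported post and option rows as well as files. Sites that legitimately embed Web3 code will match, so a hit is a lead for review against a known-good copy of the theme or plugin, not a verdict.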
Read at The Hacker News