A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems.
“UNC5142 is characterized by its use of compromised WordPress websites and ‘EtherHiding,’ a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
As of June 2025, Google said it flagged about 14,000 web pages containing injected JavaScript that exhibit behavior associated with an UNC5142, indicating indiscriminate targeting of vulnerable WordPress sites. However, the tech giant noted that it has not spotted any UNC5142 activity since July 23, 2025, either signaling a pause or an operational pivot.
EtherHiding was first documented by Guardio Labs in October 2023, when it detailed attacks that involved serving malicious code by utilizing Binance’s Smart Chain (BSC) contracts via infected sites serving fake browser update warnings.
A crucial aspect that underpins the attack chains is a multi-stage JavaScript downloader dubbed CLEARSHORT that enables the distribution of the malware via the hacked sites. The first stage is a JavaScript malware that’s inserted into the websites to retrieve the second-stage by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain. The first stage malware is added to plugin-related files, theme files, and, in some cases, even directly into the WordPress database.
The smart contract, for its part, is responsible for fetching a CLEARSHORT landing page from an external server that, in turn, employs the ClickFix social engineering tactic to deceive victims into running malicious commands on the Windows Run dialog (or the Terminal app on Macs), ultimately infecting the system with stealer malware. The landing pages, typically hosted on a Cloudflare .dev page, are retrieved in an encrypted format as of December 2024.
| CLEARSHORT infection chain |
On Windows systems, the malicious command entails the execution of an HTML Application (HTA) file downloaded from a MediaFire URL, which then drops a PowerShell script to sidestep defenses, fetch the encrypted final payload from either GitHub or MediaFire, or their own infrastructure in some cases, and run the stealer directly in memory without writing the artifact to disk.
In attacks targeting macOS in February and April 2025, the attackers have been found to utilize ClickFix decoys to prompt the user to run a bash command on Terminal that retrieved a shell script. The script subsequently uses the curl command to obtain the Atomic Stealer payload from the remote server.
| UNC5142 final payload distribution over time |
CLEARSHORT is assessed to be a variant of ClearFake, which was the subject of an extensive analysis by French cybersecurity company Sekoia in March 2025. ClearFake is a rogue JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. It’s known to be active since July 2023, with the attacks adopting ClickFix around May 2024.
The abuse of blockchain offers several advantages, as the clever technique not only blends in with legitimate Web3 activity, but also increases the resiliency of UNC5142’s operations against detection and takedown efforts.
Google said the threat actor’s campaigns have witnessed considerable evolution over the past year, shifting from a single-contract system to a more sophisticated three-smart contract system beginning in November 2024 for better operational agility, with further refinements observed earlier this January.
“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” it explained.
“The setup functions as a highly efficient Router-Logic-Storage architecture where each contract has a specific job. This design allows for rapid updates to critical parts of the attack, such as the landing page URL or decryption key, without any need to modify the JavaScript on compromised websites. As a result, the campaigns are much more agile and resistant to takedowns.”
UNC5142’s accomplishes this by taking advantage of the mutable nature of a smart contract’s data (it’s worth noting that the program code is immutable once it’s deployed) to alter the payload URL, costing them anywhere between $0.25 and $1.50 in network fees to perform these updates.
Further analysis has determined the threat actor’s use of two distinct sets of smart contract infrastructures to deliver stealer malware via the CLEARSHORT downloader. The Main infrastructure is said to have been created on November 24, 2024, whereas the parallel Secondary infrastructure was funded on February 18, 2025.
“The Main infrastructure stands out as the core campaign infrastructure, marked by its early creation and steady stream of updates,” GTIG said. “The Secondary infrastructure appears as a parallel, more tactical deployment, likely established to support a specific surge in campaign activity, test new lures, or simply build operational resilience.”
“Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations.”
