TL;DR
Mandiant Threat Defense and Google Threat Intelligence Group have tracked UNC5142 since late 2023; the financially motivated group compromises WordPress sites and uses smart contracts on the BNB Smart Chain to hide and deliver infostealers. GTIG found roughly 14,000 pages with injected JavaScript by June 2025, and investigators have not observed UNC5142 activity since late July 2025.
What happened
Security teams from Mandiant Threat Defense and Google Threat Intelligence Group (GTIG) say they have been monitoring UNC5142, a financially motivated actor that combines web compromises with blockchain-hosted infrastructure to distribute information-stealing malware. The intrusion typically starts with vulnerable WordPress installs, where the attackers inject a first-stage JavaScript loader into plugins, theme files, or the database. That loader, called CLEARSHORT, uses Web3 libraries to query smart contracts on the BNB Smart Chain, retrieves a secondary payload or a landing-page URL, and then renders a social-engineering prompt that tries to coax the user into running a command via the Windows Run dialog. UNC5142 shifted from an earlier CLEARFAKE approach to this multistage CLEARSHORT chain and places key artifacts inside on-chain smart contracts, a method the researchers call EtherHiding. GTIG reported about 14,000 infected pages as of June 2025 and noted that the actor distributed several infostealer families, while cautioning that the final payloads may have been supplied by other groups. Notably, researchers have not seen UNC5142 operations after late July 2025.
Why it matters
- Storing malicious components in blockchain smart contracts complicates traditional web-based detection and takedown efforts.
- The use of a first-level contract that points to secondary contracts gives the actor a way to change payloads without modifying compromised sites.
- Broad compromise of WordPress sites creates opportunistic reach across industries and geographies, increasing exposure for many site operators.
- Malicious traffic leveraging legitimate blockchain platforms can blend with normal Web3 activity, making network-level protections harder to apply.
Key facts
- UNC5142 has been tracked by Mandiant Threat Defense and Google Threat Intelligence Group since late 2023.
- The actor targets vulnerable WordPress installations and injects JavaScript into plugin directories, theme files, or the WordPress database.
- CLEARSHORT is the multistage JavaScript downloader used in recent campaigns; it replaced an earlier CLEARFAKE framework.
- CLEARSHORT stage 1 uses Web3.js libraries to query BNB Smart Chain smart contracts and retrieve further payloads or landing-page URLs.
- Researchers identified about 14,000 web pages with injected JavaScript consistent with UNC5142 activity as of June 2025.
- UNC5142 has been observed distributing infostealer families including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF; GTIG did not attribute the final payloads solely to UNC5142.
- The actor leverages a two-level smart contract design: a stable first-level contract on compromised sites that points to changeable second-level contracts.
- No observed UNC5142 activity has been reported since late July 2025, suggesting a pause or change in operations.
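As an added analyst example, not code from the report or from either vendor: the loader described above asks a BNB Smart Chain contract for a string and receives it ABI-encoded, so a defender who captures that JSON-RPC `eth_call` exchange from a proxy or packet capture can decode it offline and see whether the stable first-level contract is pointing at a changeable second-level contract or straight at a landing page. The JSON-RPC shape, the placeholder address and the classification labels are assumptions; no real indicators from the report are used.

```python
import json
import re

WORD = 32  # ABI head words (offset, length) are 32-byte big-endian integers
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def abi_encode_string(value: str) -> str:
    """ABI-encode one `string` return value (used here only to build samples)."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % WORD)
    head = WORD.to_bytes(WORD, "big") + len(data).to_bytes(WORD, "big")
    return "0x" + (head + padded).hex()

def abi_decode_string(hex_data: str) -> str:
    """Decode eth_call `result` data for a function returning a Solidity string:
    offset word, length word, then UTF-8 bytes right-padded to a word boundary."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 2 * WORD:
        raise ValueError("return data too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:WORD], "big")
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(raw):
        raise ValueError("declared string length exceeds return data")
    return raw[start:start + length].decode("utf-8", errors="replace")

def classify(value: str) -> str:
    """Map a decoded value onto the two-level contract design from the report."""
    if ADDRESS_RE.match(value):
        return "second-level-contract"  # stable contract pointing at a changeable one
    if URL_RE.match(value):
        return "landing-page-url"  # where the fake prompt page is fetched from
    return "other"

def triage_eth_call(response_json: str) -> dict:
    """Turn a captured JSON-RPC eth_call response into an analyst summary."""
    value = abi_decode_string(json.loads(response_json)["result"])
    return {"value": value, "kind": classify(value)}

# Constructed sample: a first-level contract answering with a placeholder
# second-level address (assumed value, not an indicator from the report).
PLACEHOLDER_ADDRESS = "0x" + "ab" * 20
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(PLACEHOLDER_ADDRESS)})

if __name__ == "__main__":
    print(triage_eth_call(SAMPLE_RESPONSE))
```

Feeding the decoded second-level address back through the same decoder on the next captured `eth_call` walks the chain one hop at a time, which is how the changeable payload pointer can be tracked without touching the compromised site.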
What to watch next
- Re-emergence or a change in UNC5142 operational patterns following the gap since late July 2025.
- New or expanded use of smart contracts on BNB Smart Chain or other blockchains as distribution/configuration backends.
- Wider adoption of EtherHiding-like techniques by other threat actors (not confirmed in the source whether this is already widespread).
Quick glossary
- EtherHiding: The practice of placing malicious code or configuration data inside public blockchain smart contracts to obscure and deliver attack components.
- Smart contract: A program stored on a blockchain that runs automatically when triggered by defined inputs or function calls.
- Infostealer: Malware designed to harvest sensitive information from an infected system, such as credentials, cookies, or payment details.
- Web3.js: A collection of JavaScript libraries used to interact with Ethereum-compatible blockchains and remote node APIs.
- WordPress compromise: Unauthorized modification of a WordPress site, often via vulnerable plugins, themes, or direct database injection.
Reader FAQ
Who is UNC5142?
A financially motivated threat actor tracked by Mandiant Threat Defense and Google's Threat Intelligence Group since late 2023.
What is CLEARSHORT?
A multistage JavaScript downloader used by UNC5142 that retrieves additional payloads from smart contracts on the BNB Smart Chain.
Which malware families were distributed?
Researchers observed distribution of ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF, though GTIG cautioned the final payloads may have been delivered on behalf of other actors.
Is UNC5142 currently active?
Researchers reported no observed activity from UNC5142 after late July 2025.

Written by: Mark Magee, Jose Hernandez, Bavi Sadayappan, Jessa Valdez
Since late 2023, Mandiant Threat Defense and Google Threat Intelligence Group (GTIG) have tracked UNC5142, a financially motivated threat actor…
Sources
- New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
- UNC5142's "EtherHiding": Threat Actors Weaponize Smart …
- North Korean threat actors turn blockchains into malware …
- 'Etherhiding' Blockchain Technique Masks Malicious Code …