Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites
Summary
Google’s Threat Intelligence Group (GTIG) has documented a financially motivated actor, tracked as UNC5142, that combines compromised WordPress sites with a technique called “EtherHiding” to distribute information-stealer malware (Atomic/AMOS, Lumma, Rhadamanthys/RADTHIEF, Vidar) to Windows and macOS victims. The campaign inserts first-stage JavaScript (the opening stage of a multi-stage downloader named CLEARSHORT) into plugin files, theme files and sometimes the WordPress database. That JavaScript queries malicious smart contracts on the BNB Smart Chain (BSC), which return the encrypted landing page. The landing page uses a ClickFix social-engineering lure to trick users into running commands (via the Run dialog on Windows or Terminal on macOS) that fetch and execute the stealer payload, often in memory so that no file is written for disk-based detection to catch.
GTIG counted roughly 14,000 injected pages as of June 2025 but observed no UNC5142 activity after 23 July 2025, suggesting a pause or an operational shift. From November 2024 onward the actor moved from a single contract to a three-contract Router-Logic-Storage (proxy-pattern) architecture, which lets it update payload URLs or decryption keys with cheap on-chain transactions and without touching the JavaScript planted on compromised sites. Two parallel smart-contract infrastructures (Main and Secondary) added resilience and absorbed campaign surges.
Key Points
- UNC5142 uses compromised WordPress sites to serve injected JavaScript that starts the multi-stage CLEARSHORT downloader.
- Malicious smart contracts on BNB Smart Chain (EtherHiding) store pointers and encrypted data, making the campaign blend with legitimate Web3 activity.
- Attack flow: injected JS → smart contract → encrypted landing page → ClickFix social-engineering lure → user-run command → in-memory stealer execution.
- Payloads include information-stealers: Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar targeting Windows and macOS.
- Windows infections rely on HTA + PowerShell to run payloads in memory; macOS attacks use bash/curl to fetch the Atomic stealer.
- The threat actor moved to a three-contract proxy-style design (Router-Logic-Storage) to update campaign parameters without changing site JS, costing cents in chain fees.
- GTIG flagged ~14,000 infected pages by June 2025; no activity was observed after 23 July 2025, which could indicate a pause or a pivot.
- CLEARSHORT is a variant of ClearFake, a malicious JS framework previously analysed in 2025 for drive-by downloads and ClickFix lures.
Context and Relevance
This matters because it shows a creative shift: attackers are abusing decentralised infrastructure to make malware distribution more resilient and harder to take down. A smart contract acts as a persistent, tamper-resistant pointer to encrypted landing content, so operators can update lures or payload URLs with tiny on-chain transactions while the injected website JavaScript stays byte-for-byte the same, and there is no hosting provider to send a takedown request to for the contract itself. That is a major operational advantage.
For organisations and site owners, this intersects two persistent risks: insecure or unpatched WordPress installs (core, themes, plugins) and evolving social-engineering techniques that trick legitimate users into bypassing basic safeguards. The campaign also underlines the need for endpoint defences that detect in-memory execution, and for web defenders to monitor for rogue JavaScript in themes, plugins and the database (post content and options tables, where injected script can also live).
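Added here as a worked example (it is not code from GTIG, The Hacker News or any CLEARSHORT/ClearFake analysis): a small Python triage script for the two defender tasks above. It scans theme/plugin files and database rows for script that talks to a BNB Smart Chain JSON-RPC endpoint, and it decodes the ABI-encoded string a contract returns to an `eth_call` so an analyst can see what the loader fetched. The RPC hostnames, library names, file paths, contract addresses and the decoded value are constructed assumptions, not indicators from the report. The design point is that detection keys on the site script's behaviour (a WordPress page with no Web3 feature calling a chain RPC), which the actor's Router-Logic-Storage design deliberately leaves unchanged, rather than on payload URLs that live on-chain and can be swapped for cents.

```python
"""Triage helper for EtherHiding-style injections in WordPress content.

Added example (not GTIG's or the article's code). It scans site artefacts
(theme/plugin files, wp_options/wp_posts rows) for script that talks to a
BNB Smart Chain JSON-RPC endpoint, and decodes the ABI-encoded `string` a
contract returns to an eth_call. Indicators and sample data below are
constructed assumptions for illustration, not IoCs from the report.
"""
import json
import re

# Heuristic indicators (assumptions). A site with no Web3 feature has no
# business calling a chain RPC or loading an Ethereum client library, and
# the actor's design keeps exactly this part of the loader static.
BSC_RPC_HOSTS = ("bsc-dataseed", "bnbchain.org", "binance.org")
WEB3_LIB = re.compile(r"(ethers|web3)(\.min)?\.js", re.IGNORECASE)
RPC_METHOD = re.compile(r"\beth_call\b")
CONTRACT_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def scan_artifact(name, content):
    """Return a finding dict for one file or DB row, or None if it looks clean."""
    reasons = []
    if any(host in content.lower() for host in BSC_RPC_HOSTS):
        reasons.append("references a BNB Smart Chain RPC endpoint")
    if RPC_METHOD.search(content):
        reasons.append("issues eth_call JSON-RPC requests")
    if WEB3_LIB.search(content):
        reasons.append("loads an Ethereum client library")
    if not reasons:
        return None
    # Contract addresses are only reported once some other indicator fired;
    # a bare 0x... token on its own is too weak to act on.
    contracts = sorted({a.lower() for a in CONTRACT_ADDR.findall(content)})
    return {"artifact": name, "reasons": reasons, "contracts": contracts}


def triage(artifacts):
    """Scan a mapping of artifact name -> content; keep only the suspicious ones."""
    findings = (scan_artifact(name, body) for name, body in artifacts.items())
    return [f for f in findings if f is not None]


def build_eth_call(contract, calldata):
    """JSON-RPC body a loader sends; `calldata` is the 4-byte selector plus args."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": calldata}, "latest"]}


def encode_abi_string(text):
    """ABI-encode a single `string` return value (used here to build sample data)."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(result_hex):
    """Decode eth_call's result for a function declared `returns (string)`.

    Layout: a 32-byte offset to the dynamic data, a 32-byte length, then the
    bytes right-padded to a 32-byte boundary.
    """
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


# Constructed samples: one clean theme file, one plugin file carrying a loader
# shaped like the flow in the article, and one wp_options row holding the same.
FAKE_CONTRACT_A = "0x1111111111111111111111111111111111111111"  # placeholder, not a real IoC
FAKE_CONTRACT_B = "0x2222222222222222222222222222222222222222"  # placeholder, not a real IoC
SAMPLE_ARTIFACTS = {
    "wp-content/themes/example/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "wp-content/plugins/example/example.php": (
        '<script src="https://cdn.example.invalid/ethers.min.js"></script>\n'
        "<script>\n"
        'const rpc = "https://bsc-dataseed.binance.org/";\n'
        "const req = " + json.dumps(build_eth_call(FAKE_CONTRACT_A, "0x0000beef")) + ";\n"
        "fetch(rpc, {method: 'POST', body: JSON.stringify(req)});\n"
        "</script>\n"
    ),
    "wp_options#widget_text": (
        "<script>fetch('https://bsc-dataseed.bnbchain.org/',{method:'POST',body:'"
        + json.dumps(build_eth_call(FAKE_CONTRACT_B, "0x0000beef")) + "'})</script>"
    ),
}

# Constructed stand-in for the contract's reply; in the campaign this slot
# carries encrypted landing-page material and what is needed to decrypt it.
SAMPLE_RESULT = encode_abi_string("https://pages.example.invalid/landing.enc")

if __name__ == "__main__":
    for finding in triage(SAMPLE_ARTIFACTS):
        print(finding)
    print("contract returned:", decode_abi_string(SAMPLE_RESULT))
```

Real loaders are usually obfuscated, so treat a hit from this scan as a lead rather than a verdict and pair it with integrity checks such as WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums`, which compare installed files against the upstream release and will catch an appended script regardless of how it is encoded. Database rows have no upstream reference, which is why scanning options and post content for RPC behaviour still earns its keep.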
Why should I read this?
Short version: clever crooks are using blockchain to hide their instructions, so your hacked WordPress site could silently point users to malware. It’s worth five minutes if you manage sites or handle security — you’ll want to know the lure (ClickFix), the delivery (CLEARSHORT + smart contracts), and the simple fixes (patch, scan, restrict Run/Terminal prompts).
Author style
Punchy — this is flagged as highly relevant. Read the detail if you run WordPress, manage endpoints, or defend networks: the technique raises the bar for takedown and shows how Web3 tools can be repurposed for persistent malware campaigns.
Source
Source: https://thehackernews.com/2025/10/hackers-abuse-blockchain-smart.html
