WordPress is one of the most popular content management systems on the Internet. In fact, more than 43 percent of all websites run on WordPress. This makes the latest attack on WordPress sites by a new threat actor all the more concerning.
According to a new report from the Google Threat Intelligence Group (GTIG), a new threat actor codenamed UNC5142 has been successfully hacking into WordPress sites and using a brand new technique to spread malware across the web. UNC5142, according to the report, would find vulnerable WordPress websites often using flawed WordPress themes, plugins, or databases.
The targeted WordPress sites would be infected with a CLEARSHORT, multi-stage JavaScript downloader that distributes the malware. The threat group would then deploy a new technique dubbed “EtherHiding,” which is enabled by CLEARSHORT.
Google describes EtherHiding as “a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain.” This use of blockchain to spread malicious code is unique and makes stopping the spread of malware all the more difficult.
The smart contract containing the code on the blockchain would then call up a CLEARSHORT landing page, often hosted on a Cloudflare dev page, that utilizes a ClickFix social engineering tactic. This tactic tricks the website visitor into running malicious commands on their computer via the Windows Run dialog or Mac’s Terminal app.
UNC5142’s attacks are often financially motivated, according to Google. GTIG says it has been tracking UNC5142 since 2023. However, Google reports that UNC5142 suddenly stopped all activity in July 2025.
This could mean that this new threat actor group, which has been successfully carrying out its malware campaigns, just decided to call it quits. Or it could mean that the threat actor has altered its techniques, successfully obscuring its latest actions, and is still hacking into vulnerable websites today.
Content Accuracy: Keewee.News provides news, lifestyle, and cultural content for informational purposes only. Some content is generated or assisted by AI and may contain inaccuracies, errors, or omissions. Readers are responsible for verifying the information. Third-Party Content: We aggregate articles, images, and videos from external sources. All rights to third-party content remain with their respective owners. Keewee.News does not claim ownership or responsibility for third-party materials. Affiliate Advertising: Some content may include affiliate links or sponsored placements. We may earn commissions from purchases made through these links, but we do not guarantee product claims. Age Restrictions: Our content is intended for viewers 21 years and older where applicable. Viewer discretion is advised. Limitation of Liability: By using Keewee.News, you agree that we are not liable for any losses, damages, or claims arising from the content, including AI-generated or third-party material. DMCA & Copyright: If you believe your copyrighted work has been used without permission, contact us at dcma@keewee.news. No Mass Arbitration: Users agree that any disputes will not involve mass or class arbitration; all claims must be individual.
