A financially motivated threat actor codenamed UNC5142 has been observed using blockchain smart contracts to distribute multiple information-stealing malware strains, including Atomic (AMOS), Lumma, Rhadamanthys, and Vidar, targeting both Windows and Apple macOS systems.
Leveraging Blockchain for Stealth
UNC5142 is known for compromising vulnerable WordPress websites and employing a technique called EtherHiding. This technique obscures malicious code by hiding it on a public blockchain, specifically the BNB Smart Chain (BSC). By June 2025, Google had flagged about 14,000 infected web pages showing UNC5142's signature behavior, indicating an indiscriminate targeting of WordPress sites. However, activity seems to have ceased since July 23, 2025.
The attack relies on a multi-stage JavaScript downloader named CLEARSHORT. The first stage is a small JavaScript snippet injected into website files. This snippet interacts with a malicious smart contract on the BSC blockchain to retrieve the second stage. Using a smart contract allows the attackers to rapidly update the payload URL or decryption key without having to modify the JavaScript on the thousands of compromised websites, making the campaign agile and highly resistant to takedowns.
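As an added example (not from the report and not UNC5142's code), a heuristic scanner a site owner could run over WordPress theme or plugin files to flag inline scripts that combine the traces this technique leaves in a page: a BNB Smart Chain JSON-RPC endpoint, an `eth_call`, a contract address, and dynamic execution of the returned data. The hostnames are public BSC RPC endpoints; the indicator set, the threshold, and the sample page are assumptions constructed for the example.

```python
"""Heuristic scanner for EtherHiding-style script injection (constructed example).
Flags inline <script> blocks combining several indicators of a browser-side
fetch of code from a BNB Smart Chain contract. Thresholds are an assumption."""
import re

# Public BSC JSON-RPC hosts; chain id 56 (0x38) is BSC mainnet.
BSC_HOSTS = ("bsc-dataseed", "bsc-rpc", "binance.org", "bnbchain.org")
INDICATORS = {
    "bsc_endpoint": re.compile("|".join(map(re.escape, BSC_HOSTS)), re.I),
    "chain_id": re.compile(r"\bchainId\b\s*[:=]\s*(56|0x38)\b"),
    "eth_call": re.compile(r"[\"']eth_call[\"']"),
    "contract_address": re.compile(r"0x[0-9a-fA-F]{40}\b"),
    "web3_lib": re.compile(r"(web3|ethers)(\.min)?\.js", re.I),
    # data returned from the chain turned into executable code
    "dynamic_exec": re.compile(r"\b(eval|Function|atob|fromCharCode)\s*\("),
}
# Whole tag plus body, so src= attributes are scored too.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)

def score_script(script: str) -> list[str]:
    """Return the names of indicators present in one <script> element."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def scan_html(html: str, threshold: int = 3) -> list[dict]:
    """Report scripts whose indicator count reaches the threshold.
    A lone 0x... address is common on legitimate crypto pages; chain
    access combined with dynamic code execution is the suspicious mix."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        hits = score_script(m.group(0))
        if len(hits) >= threshold:
            findings.append({"script_index": idx, "indicators": hits})
    return findings

# Constructed sample page: benign analytics, a web3 library include, and a
# non-functional stand-in for an injected snippet (placeholder address).
SAMPLE_HTML = """
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)}</script>
<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
var r="https://bsc-dataseed.binance.org/";
var c="0x0000000000000000000000000000000000000000"; /* placeholder address */
var q={method:"eth_call",params:[{to:c}]};
/* stand-in: result hex would be decoded and passed to eval( ... ) */
</script>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against exported page HTML or theme files; on a clean WordPress install the default threshold should produce no findings, so any hit warrants manual review of that script.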
Multi-Stage Infection Chain
The smart contract fetches a CLEARSHORT landing page, which typically uses the ClickFix social engineering tactic. This tricks victims into running a malicious command in the Windows Run dialog or the macOS Terminal app, ultimately leading to the execution of the stealer malware.
On Windows systems, the malicious command executes an HTML Application (HTA) file that drops a PowerShell script. This script fetches the final, encrypted payload from services like GitHub or MediaFire and runs the stealer directly in memory to evade defenses. For macOS attacks, a bash command is executed to retrieve a shell script, which then uses the curl command to pull the Atomic Stealer payload from a remote server. The consistent, high-volume nature and the operational agility provided by the blockchain infrastructure suggest that UNC5142 has had significant success with its operations over the past year and a half.