14K+ WordPress Sites Hacked via New Blockchain Method

WordPress dominates the web, powering over 43% of all websites. Its massive user base makes the recent attack campaign on WordPress sites by a new hacking operation particularly troubling.

A new report from the Google Threat Intelligence Group (GTIG) has identified this group, known by the codename UNC5142. They have been successfully breaking into WordPress sites and using a new method to spread malware online. The report explains that UNC5142 hunts for exposed WordPress sites, often ones using flawed themes, outdated plugins, or vulnerable databases.

The affected WordPress sites get infected with CLEARSHORT, a multi-stage JavaScript downloader that distributes the malicious software. The group then deploys a technique called "EtherHiding," which CLEARSHORT activates. Google calls EtherHiding "a technique used to hide malicious code or data by putting it on a public blockchain, such as the BNB Smart Chain." Using a blockchain to distribute harmful code is rare and makes stopping the malware's spread much harder.

The smart contract containing the code on the blockchain then redirects users to a CLEARSHORT landing page, generally hosted on a Cloudflare dev page. This page uses a ClickFix social engineering trick. This trick dupes the visitor into running dangerous commands on their computer using the Windows Run dialog or the Mac Terminal app.

Google says UNC5142's attacks are frequently motivated by money. GTIG has tracked UNC5142 since 2023. Still, Google reports that the group suddenly stopped all activity in July 2025.

This sudden silence could mean the hacking group, successful in its malware campaigns, simply quit. Or, it may suggest the attackers have changed their tactics, successfully obscuring their latest actions, and are still compromising vulnerable websites even now.
