UNC5142

UNC5142 is a financially motivated threat actor that has used the EtherHiding technique since 2023 to distribute information-stealing malware. The group compromises vulnerable WordPress websites and injects malicious JavaScript into plugin files, theme files, or WordPress databases, using those sites to deliver malware to visitors. Google tracked approximately 14,000 injected web pages and about 6,000 compromised WordPress sites associated with this activity, and reported no observed UNC5142 activity after July 23, 2025. UNC5142 is associated with the JavaScript frameworks CLEARSHORT and ClearFake. CLEARSHORT is described as a multistage JavaScript downloader that bridges compromised browsers with blockchain infrastructure. The group uses BNB Smart Chain smart contracts as a control layer to retrieve next-stage payloads, and evolved from a single-contract design to a three-smart-contract architecture resembling a proxy pattern, enabling rapid updates to payload URLs, lures, and encryption without changing the injected site code. Reported supporting infrastructure includes Cloudflare pages.dev landing pages and public blockchain/RPC access. The actor uses social-engineering lures including fake Google Chrome update pop-ups, fake Cloudflare verification, and ClickFix-style prompts that trick users into executing malicious commands. On Windows, reported delivery has included HTA and PowerShell-based chains fetching payloads from GitHub, MediaFire, or attacker infrastructure. On macOS, ClickFix decoys have been used to deliver Atomic Stealer. Malware families attributed in the content to UNC5142 include Atomic (AMOS), Lumma, Vidar, and Rhadamanthys/RADTHIEF, targeting both Windows and Apple macOS systems. The group is described as operating at high tempo, maintaining parallel Main and Secondary smart-contract infrastructures, and using blockchain-based delivery to improve resiliency against takedown and detection.