WordPress is without doubt one of the most popular content management systems on the Internet. In fact, more than 43 percent of all websites run on WordPress. This makes the latest attack on WordPress sites by a new threat actor all the more concerning.
According to a new report from the Google Threat Intelligence Group (GTIG), a new threat actor codenamed UNC5142 has been successfully hacking into WordPress sites and using a brand new technique to spread malware across the web. UNC5142, according to the report, would find vulnerable WordPress websites, often using flawed WordPress themes, plugins, or databases.
The targeted WordPress sites would be infected with CLEARSHORT, a multi-stage JavaScript downloader that distributes the malware. The threat group would then deploy a new technique dubbed “EtherHiding,” which is enabled by CLEARSHORT.
Google describes EtherHiding as “a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain.” This use of blockchain to spread malicious code is unique and makes stopping the spread of malware all the more difficult.
The smart contract containing the code on the blockchain would then call up a CLEARSHORT landing page, often hosted on a Cloudflare dev page, that uses a ClickFix social engineering tactic. This tactic tricks the website visitor into running malicious commands on their computer via the Windows Run dialog or Mac’s Terminal app.
UNC5142’s attacks are often financially motivated, according to Google. GTIG says it has been tracking UNC5142 since 2023. However, Google reports that UNC5142 suddenly stopped all activity in July 2025.
This could mean that this new threat actor group, which has been successfully carrying out its malware campaigns, just decided to call it quits. Or it could mean that the threat actor has altered its techniques, successfully obscuring its latest activities, and is still hacking into vulnerable websites today.