Since late 2023, UNC5142 has used compromised WordPress sites and a multistage JavaScript downloader called CLEARSHORT that leverages BNB Smart Chain smart contracts (EtherHiding) to deliver infostealers such as VIDAR, LUMMAC.V2, RADTHIEF, and ATOMIC. The actor evolved from single-contract Base64 delivery to a three-level AES-encrypted smart contract architecture, abused Cloudflare Pages for lures, and paused observable activity after July 23, 2025. #UNC5142 #CLEARSHORT #EtherHiding #VIDAR #RADTHIEF #LUMMAC.V2 #ATOMIC
Key points
- UNC5142 abuses vulnerable WordPress sites to inject CLEARSHORT stage-1 JavaScript that interacts with BNB Smart Chain smart contracts to retrieve subsequent payloads and landing pages.
- The actor implemented EtherHiding by storing payload configuration and encrypted landing pages in a three-level smart contract system (router/logic/storage) for agility and takedown resistance.
- CLEARSHORT evolved from Base64-based single-contract delivery (CLEARFAKE) to AES-GCM encrypted landing pages and dynamic contract pointers, enabling rapid URL and key rotations with low on-chain costs.
- UNC5142 abused Cloudflare Pages (*.pages.dev) and legitimate hosting services (GitHub, MediaFire, Backblaze) to host lures and encrypted payload blobs, blending malicious traffic with legitimate infrastructure.
- The infection chain typically uses an .hta dropper (disguised as .xll), a PowerShell loader that decrypts and executes payloads in-memory, and final infostealer payloads (VIDAR, LUMMAC.V2, RADTHIEF, ATOMIC) for credential theft.
- Actor reconnaissance and check-in mechanisms evolved (STUN server → cookie tracking → staged POST check-ins) and the smart contracts performed victim fingerprinting via dedicated contract functions.
- On-chain analysis shows Main and Secondary parallel infrastructures with identical contract code and linked funding paths (intermediary wallet associated with OKX), indicating a single operator; last observed updates were July 23, 2025.
MITRE Techniques
- [T1218.005] Mshta – UNC5142 used mshta to execute the first-stage remote HTML Application (.hta) dropper; quoted content: “…mshta hxxps[:]//…pages.dev…”
- [T1059.001] Command and Scripting Interpreter (PowerShell) – PowerShell loaders download, decrypt in-memory, and execute final payloads: “…The PowerShell loader’s primary role is to download and execute a second-stage PowerShell script…”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder – CLEARSHORT templates prompt users to run commands via the Windows Run dialog as part of ClickFix social engineering to launch persistence/execution: “…luring victims to locally run a malicious command using the Windows Run dialog box.”
- [T1071.001] Application Layer Protocol – UNC5142 leveraged HTTP(S) to retrieve payloads hosted on services (MediaFire, GitHub, Cloudflare Pages) and to perform staged POST check-ins: “…staged POST requests to the domain ratatui[.]today, beaconing at each phase of the lure interaction…”
- [T1608] Abuse of Web Services – Abuse of legitimate platforms (BNB Smart Chain, Cloudflare Pages, GitHub, MediaFire) to host and serve malicious components and lures: “…abuse of Cloudflare Pages service (*.pages.dev) to host their landing pages…”
- [T1027] Obfuscated Files or Information – Use of Base64, pako compression, and AES-GCM encryption to hide payloads and contract-stored ABI/content: “…ABI is Base64 decoded and then decompressed…”; “…introduced AES encryption for the CLEARSHORT landing page…”
- [T1110] Brute Force / Credential Access (implied by the distribution of infostealers) – Distribution of credential-stealing malware families to harvest credentials: “…campaigns distribute infostealers including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF.”
Indicators of Compromise
- [File Hash] Final payload samples – bcbdb74f9…e310 (VIDAR), 72d8fa46f…db91 (LUMMAC.V2)
- [Domains] CLEARSHORT landing and payload hosts – yie-cpj.pages.dev, stat.bluetroniq.vip, and many other *.pages.dev lures (list includes n51v.pages.dev, lightsoi.pages.dev, tnop.pages.dev)
- [URLs] Next-stage payload URLs – hxxps://kimbeech.cfd/cap/verify.sh, hxxps://entryinidad.cfd/1/verify.sh, and multiple verify.sh/verify.txt endpoints hosted across .cfd/.top/.shop/.pro domains
- [IP Addresses] Payload/C2 hosts – 80.64.30[.]238 (payload hosting), 83[.]217[.]208[.]130 (media/payload), 95.217.240[.]67 (VIDAR C2)
- [Smart Contract Addresses] BNB Smart Chain contracts – 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53 (First-Level), 0x8FBA1667BEF5EdA433928b220886A830488549BD (Second-Level), 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA (Third-Level)
- [Wallet Addresses] Operator and funding wallets – 0xF5B962Cca374de0b769617888932250363C5971B (Main operator), 0x9AAe9A373CECe9Ef8453fa2dEAF4bf7B8aFBfac9 (Secondary operator), 0x3b5a23f6…23b32D (intermediary OKX-associated funding wallet)
- [File Names] Dropper and hosted blobs – BEGIMOT.xll, evix.xll (first-stage xll/hta), and hosted media-named blobs like glass.mp3/glass.mp4 used to disguise encrypted payloads
Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/