Blockchain has been hailed as a decentralized, transparent technology, but in the hands of attackers it has become a convenient place to hide malicious code. Recently, the threat group UNC5142 was found to be using smart contracts on the BNB Smart Chain to distribute information-stealing malware, including Atomic Stealer, Lumma, Rhadamanthys and Vidar.
Significantly, the campaign targeted both Windows and macOS users, using compromised WordPress sites as the springboard for distribution.
Google reported that as of June 2025, more than 14,000 WordPress sites had been infected with malicious JavaScript linked to UNC5142. Although the group has been temporarily “silent” since July 2025, its tactics are of particular concern to security experts.
Instead of hosting the malicious code on an anonymous server or a file-sharing service as before, UNC5142 stores it directly in a blockchain smart contract, making it nearly impossible to remove. Once the malicious code has been written to the blockchain it is permanent, because data on the chain cannot be deleted or edited.
The campaign uses a multi-stage downloader called CLEARSHORT (a variant of ClearFake, which has been observed since 2023). In the first stage, JavaScript is injected into a plugin or theme of the WordPress site. This code calls a smart contract on the BNB Smart Chain, which holds the control-server address and the data needed for decryption.
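The first-stage injection described above is also what a site administrator has to hunt for, both in theme and plugin files and in database rows such as post content and options. The Python script below is an added example written for this article; it is not code from Google's report or from the campaign. It is a heuristic scanner that flags files whose scripts reference a blockchain RPC host, raw `eth_call` JSON-RPC methods, a client-side web3 library, decode-then-eval constructs or long opaque blobs. The patterns, weights, threshold and the two sample `footer.php` fixtures are assumptions constructed for the example; the RPC host and contract address in the injected fixture are placeholders, and the fixture is not a working loader.

```python
import os
import re

# Heuristic patterns for an injected EtherHiding-style loader in WordPress
# theme/plugin files or database content. Patterns and weights are assumptions
# chosen for this example, not indicators published in the original report.
PATTERNS = {
    # browser-side reference to a BNB Smart Chain / Binance-style RPC host
    "chain_rpc_host": (re.compile(r"https?://[\w.-]*(?:bsc|bnb|binance)[\w.-]*", re.I), 3),
    # raw JSON-RPC methods used to read contract data from the browser
    "eth_call": (re.compile(r"\beth_(?:call|getStorageAt)\b"), 3),
    # client-side blockchain libraries a blog theme has no reason to load
    "web3_library": (re.compile(r"\b(?:ethers|Web3)\b"), 2),
    # decode-then-execute, the last step of a multi-stage loader
    "decode_and_eval": (re.compile(r"\beval\s*\(\s*atob\s*\(|new\s+Function\s*\("), 2),
    # long opaque blob (base64 or hex) inside a file that should be readable
    "opaque_blob": (re.compile(r"[A-Za-z0-9+/=]{200,}|0x[0-9a-fA-F]{200,}"), 2),
}
THRESHOLD = 5  # assumed cut-off: two strong or one strong plus one weak hit


def scan_text(label, text):
    """Score one file or database row; returns hits and a suspicious flag."""
    hits = {name: weight for name, (rx, weight) in PATTERNS.items() if rx.search(text)}
    score = sum(hits.values())
    return {"label": label, "score": score, "hits": sorted(hits), "suspicious": score >= THRESHOLD}


def scan_tree(root, exts=(".php", ".js", ".html")):
    """Walk a directory (e.g. wp-content) and return the files that cross the threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    result = scan_text(path, fh.read())
                if result["suspicious"]:
                    findings.append(result)
    return findings


# Constructed fixture: an ordinary theme footer.php.
SAMPLE_CLEAN = """<?php
/* ordinary theme footer */
wp_footer(); ?>
<script>
document.querySelectorAll(".menu-toggle").forEach(function (el) {
  el.addEventListener("click", function () { el.classList.toggle("open"); });
});
</script>
</body></html>
"""

# Constructed fixture: the same footer with a loader appended after the closing
# tag. It imitates the shape of a stage-one injection (RPC host, eth_call,
# decode-then-eval) but is not runnable; host and contract address are placeholders.
SAMPLE_INJECTED = """<?php
wp_footer(); ?>
</body></html>
<script src="https://cdn.example/ethers.min.js"></script>
<script>
const rpc = "https://bsc-dataseed.example/";
const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
             params: [{to: "0xCONTRACT_ADDRESS_PLACEHOLDER", data: "0x"}, "latest"]};
// the decoded contract return value would be handed to eval(atob(payload))
</script>
"""

if __name__ == "__main__":
    import sys
    for label, text in (("clean-footer.php", SAMPLE_CLEAN), ("injected-footer.php", SAMPLE_INJECTED)):
        print(scan_text(label, text))
    if len(sys.argv) > 1:          # e.g. python scan.py /var/www/html/wp-content
        for finding in scan_tree(sys.argv[1]):
            print(finding)
```

Run it with a path to `wp-content` to walk themes and plugins; rows pulled from `wp_posts.post_content` or `wp_options.option_value` can be passed to `scan_text` directly. A hit is a reason to diff the file against a clean copy of the theme or plugin, not proof of compromise on its own.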
From there, the victim is redirected to a fake browser-update page, often hosted on legitimate domains such as Cloudflare.dev, which makes it hard for users to recognize. On that page, the victim is lured into running a malicious command through the Run dialog on Windows or the Terminal on macOS, which downloads and runs the information-stealing malware.
On Windows, the command downloads an HTA file from MediaFire, which runs PowerShell to fetch fileless malware, helping it evade detection by antivirus software.
On macOS, users are tricked into running bash or curl commands that download Atomic Stealer (malware that specializes in stealing cryptocurrency wallet data, passwords and cookies).
Google said UNC5142 has refined its tooling over time. It began with a single smart contract; by the end of 2024 it had evolved into a three-contract architecture (Router, Logic, Storage) that mimics the proxy pattern used in legitimate smart-contract development. This lets the attackers change the malware download path, the decryption key or the control server with a few tweaks to the contract data, at a cost of less than $2 in network fees.
This way, even if security researchers intercept or remove the JavaScript from an infected website, the attackers can quickly “update” the campaign without rewriting the whole code, which makes it extremely flexible and hard to take down.
Google also discovered two separate sets of infrastructure:
- The main infrastructure, operational since November 2024, which is updated regularly.
- A secondary infrastructure, which appeared in February 2025 and may be used to test or scale the attack.
These signs indicate that UNC5142 has achieved some success: the scale, the frequency of updates and the number of compromised websites have all grown steadily over the past year.
Campaigns of this kind hit ordinary Internet users directly. WordPress site administrators are also important intermediaries: once a site is infected, it becomes a vehicle for distribution.
Risks the user will face:
- Individual users have their login credentials, digital wallets or browser cookies stolen.
- A business website or blog is used to spread malicious code, which damages its SEO reputation.
- The blockchain is “contaminated” with malicious data that is hard to remove.
Recommendations from cybersecurity experts:
- Update WordPress, plugins and themes to the latest version.
- Remove unknown injected code from plugin/theme files or the database.
- Be wary of “update your browser” warnings, especially when they appear inside a web page rather than coming from the browser itself.
- For webmasters, periodic scans with security tools and monitoring of JavaScript files and abnormal activity are recommended.
- Organizations can use a CSP (Content Security Policy) and a WAF to prevent unauthorized code injection.
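The CSP recommendation maps directly onto the stage-one behaviour described earlier: an injected script has to run inline (or eval decoded content) and then reach a blockchain RPC endpoint from the visitor's browser. The Python below is an added example, not from the article or from any product it mentions: a small CSP evaluator that parses a policy header, applies the fallback to `default-src`, and checks whether a given fetch destination and inline/eval execution would be permitted. The two policies, the nonce value and the RPC host are constructed for the example, and the host-source matching is simplified (scheme-less host sources are treated as matching any http(s)/ws(s) scheme, and path components are ignored).

```python
from urllib.parse import urlparse

# Constructed policies (assumptions for this example). The weak one resembles an
# "allow everything" header; the hardened one pins scripts to the site's own
# origin plus a per-response nonce and restricts connect-src, so a script
# injected into a theme cannot run inline, cannot eval, and cannot reach an
# arbitrary RPC endpoint from the visitor's browser. The nonce is a placeholder.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval' data:"
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER_NONCE'; "
    "connect-src 'self'; "
    "object-src 'none'; "
    "base-uri 'self'"
)

# Directives that fall back to default-src when absent (subset of the spec list).
FALLBACK = {"script-src": "default-src", "connect-src": "default-src",
            "img-src": "default-src", "style-src": "default-src"}
NETWORK_SCHEMES = ("http", "https", "ws", "wss")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list for a directive, following the fallback chain; None = unrestricted."""
    while directive is not None:
        if directive in policy:
            return policy[directive]
        directive = FALLBACK.get(directive)
    return None


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])        # "*.example.com" matches "a.example.com" only
    return host == pattern


def _source_allows(source, url, page):
    """Does one source expression permit a network request to url from page?"""
    src = source.lower()
    target = urlparse(url)
    if src == "*":
        return target.scheme in NETWORK_SCHEMES     # '*' never covers data:, blob:, etc.
    if src == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if src.startswith("'"):
        return False                                # 'none', 'unsafe-*', nonces, hashes
    if src.endswith(":"):
        return target.scheme == src[:-1]            # scheme source such as "https:"
    if "://" in src:                                # host source with explicit scheme
        scheme, rest = src.split("://", 1)
        if scheme != target.scheme:
            return False
    else:                                           # simplified: scheme-less host matches http(s)/ws(s)
        rest = src
        if target.scheme not in NETWORK_SCHEMES:
            return False
    host_part = rest.split("/", 1)[0]               # path component ignored (simplification)
    host, _, port = host_part.partition(":")
    default_port = {"http": 80, "https": 443, "ws": 80, "wss": 443}.get(target.scheme)
    if port and port != "*" and str(target.port or default_port) != port:
        return False
    return _host_matches(host, (target.hostname or "").lower())


def allows_fetch(header, url, page_url):
    """Would a page at page_url be permitted by connect-src to fetch url?"""
    sources = effective_sources(parse_csp(header), "connect-src")
    if sources is None:
        return True
    page = urlparse(page_url)
    return any(_source_allows(s, url, page) for s in sources)


def allows_inline_eval(header):
    """Does script-src permit inline scripts and eval(), the two things a loader needs?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return {"inline": True, "eval": True}
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    # per CSP, 'unsafe-inline' is ignored once a nonce or hash source is present
    return {"inline": "'unsafe-inline'" in lowered and not has_nonce_or_hash,
            "eval": "'unsafe-eval'" in lowered}


if __name__ == "__main__":
    rpc = "https://bsc-rpc.example/"            # constructed stand-in for a chain RPC host
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, "fetch RPC:", allows_fetch(csp, rpc, "https://blog.example/"),
              "script:", allows_inline_eval(csp))
```

The point the evaluator makes is that `connect-src 'self'` is the directive that cuts the stage-one script off from the chain, and that a nonce-based `script-src` keeps an appended inline `<script>` from executing at all; a WordPress theme that needs third-party scripts should list those origins explicitly rather than fall back to `*`.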
The UNC5142 case is a good example of how a neutral technology such as blockchain can be turned into a “host” for malicious code at any time. When attackers take advantage of its decentralized, hard-to-control nature, removing malicious code is nearly impossible. Web users and administrators need to understand that a single line of JavaScript is enough to open the door for an entire cybercriminal operation. In the cyber world, the most dangerous thing is not the technology, but the human hand that misdirects it.