Cyber Threat UNC5142 Exploits Blockchain Smart Contracts to Distribute Malware


By Tina Reynolds


UNC5142, a financially motivated threat actor, is known to extensively deploy blockchain smart contracts. They send out anything from information-stealing malware to fake tech support through infected WordPress sites. This campaign, which has been running since July 2023, is very similar. Cybersecurity experts have been warning about its advanced use of technology and its ability to attack both Windows and now macOS systems.

UNC5142 spreads several different types of malware, including Atomic (AMOS), Lumma, Rhadamanthys (also known as RADTHIEF), and Vidar. As far as technical skill and planning go, UNC5142 is flawless. They inject the initial malware payload into plugin files, theme files, and even the WordPress database itself.

Methodology of Attack

In each of these infection chains, UNC5142 uses a multi-stage JavaScript downloader dubbed CLEARSHORT. This downloader delivers the bulk of the malware, pushing it through compromised websites, which lets the threat actor maximize damage by reaching the widest possible audience. CLEARSHORT delivers stealer malware through two distinct smart contract infrastructures, a strategy that widens the scope and impact of their poisoning efforts.

They exploit the updatable nature of smart contract data to change payload URLs, and doing so costs extremely little, with network fees averaging between $0.25 and $1.50. This change of tactic improves the bad actors’ ability to go undetected by letting them mask their scams behind legitimate Web3 activity.

“UNC5142 is characterized by its use of compromised WordPress websites and ‘EtherHiding,’ a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,” – Google Threat Intelligence Group (GTIG)
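The mechanism described above, as an added analyst-side example (not code from the article or from GTIG): it decodes the ABI-encoded string that a JSON-RPC eth_call returns, which is where this scheme stores the next-stage URL, and flags page source that queries a BNB Smart Chain RPC endpoint. The RPC response, the page snippet, its zero contract address and the example.invalid URL are all constructed samples.

```python
import json
import re

# Constructed sample: a JSON-RPC eth_call response as captured from a browser's
# network log. The result is one ABI-encoded `string` (offset, length, data).
SAMPLE_RPC_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result":
    "0x0000000000000000000000000000000000000000000000000000000000000020"
    "000000000000000000000000000000000000000000000000000000000000001c"
    "68747470733a2f2f6578616d706c652e696e76616c69642f732e6a7300000000"})

# Constructed sample of a page snippet with the traits the article describes:
# a public BSC RPC endpoint queried via eth_call. The address is the zero
# address and the calldata is empty, so the snippet is inert.
SAMPLE_INJECTED_JS = """<script>
fetch("https://bsc-dataseed.binance.org/", {method: "POST", body: JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})});
</script>"""

# Heuristic indicators of EtherHiding-style loaders in page source. Each hit is
# a reason for an analyst to look closer, not proof of compromise on its own.
ETHERHIDING_INDICATORS = {
    "json-rpc eth_call": re.compile(r"\beth_call\b"),
    "bsc public rpc host": re.compile(r"bsc-dataseed", re.I),
    "evm address literal": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "web3 library load": re.compile(r"(?:ethers|web3)(?:\.min)?\.js", re.I),
}


def etherhiding_indicators(page_source: str) -> list[str]:
    """Return the names of indicators present in a page or script body."""
    return [name for name, pat in ETHERHIDING_INDICATORS.items() if pat.search(page_source)]


def decode_abi_string(result_hex: str) -> str:
    """Decode one ABI-encoded `string` return value: 32-byte offset, 32-byte length, bytes."""
    data = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(data) < 64:
        raise ValueError("return data too short for an ABI string")
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared string length exceeds return data")
    return data[start:start + length].decode("utf-8", errors="replace")


def extract_payload_url(rpc_response_json: str) -> str:
    """Pull the string the contract handed back, i.e. the next-stage URL in this scheme."""
    return decode_abi_string(json.loads(rpc_response_json)["result"])


if __name__ == "__main__":
    print(etherhiding_indicators(SAMPLE_INJECTED_JS))
    print(extract_payload_url(SAMPLE_RPC_RESPONSE))
```

Because the contract's stored string can be changed at any time, the decoded URL is a point-in-time observation; re-query and re-decode when correlating captures taken on different days.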

By June 2025, Google had flagged close to 14,000 web pages carrying UNC5142’s injected JavaScript, which illustrates the magnitude of the threat.

Evolution of Techniques

In May 2024, UNC5142 adopted the ClickFix tactic, which has made their operational footprint even more complex. The group still primarily attacks macOS systems, often with highly tailored attacks on specific targets. They deploy ClickFix decoys to trick unsuspecting users into running a malicious bash command in the Terminal. This approach demonstrates their flexibility and readiness to change methods as the target landscape shifts.

Cybersecurity researchers and analysts agree that the underlying infrastructure enabling UNC5142’s activity can be divided into two overall segments. The Main infrastructure is the backbone of the core campaign, characterized by rapid initial development and constant updates since its inception. The Secondary infrastructure, by contrast, is far more tactical in its deployment: it activates to support major surges of activity, pilots new strategies, and strengthens the resilience of the group’s operations.

“The Main infrastructure stands out as the core campaign infrastructure, marked by its early creation and steady stream of updates,” – Google Threat Intelligence Group (GTIG)

Ongoing Implications

UNC5142 remains a major danger even though there have been no documented attacks since July 23, 2025. The pause indicates that the group is either retreating or changing its tactics. The consistent updates to their infection chain and the high volume of compromised websites over the past year and a half indicate that they may have achieved significant success with their operations.

“Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations,” – Google Threat Intelligence Group (GTIG)

Cybersecurity professionals across the community are already hard at work dissecting UNC5142’s techniques and infrastructure. Organizations need to stay on constant alert, as these threats continue to evolve. Cyberattacks are increasing in frequency and sophistication, employing both old and new tactics. This growing trend underscores the critical need for robust security protections across all platforms.