Skip to main content
Threat Radar animated logo
DashboardThreatsMapFeedsAPILifetime Access
reconnecting
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

0
Medium
Malwaresmart contractsblockchaincloudflare pagesbnb smart chainatomiclummac.v2vidarinfostealersradthiefclearshortwordpressetherhidingt1059.007t1573.001t1566.002t1140t1608.001t1190t1059.001t1547.001t1027t1102.002t1071.001t1204.001
Published: Thu Oct 16 2025 (10/16/2025, 17:53:02 UTC)
Source: AlienVault OTX General

Description

UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.

AI-Powered Analysis

AILast updated: 10/16/2025, 21:45:02 UTC

Technical Analysis

UNC5142 is a financially motivated cyber threat group tracked since late 2023 that innovatively combines traditional web exploitation with blockchain technology to distribute infostealer malware. The group targets vulnerable WordPress websites, exploiting common web application weaknesses to inject malicious JavaScript code. Their infection chain begins with a multistage JavaScript downloader called CLEARSHORT, which is designed to fetch and execute payloads dynamically. A key innovation is their use of the 'EtherHiding' technique on the BNB Smart Chain, a blockchain platform, where malicious code is embedded within smart contracts to evade traditional detection mechanisms. UNC5142 employs a sophisticated three-level smart contract system that allows dynamic and flexible payload delivery, making it harder for defenders to predict or block the malware distribution. They also abuse legitimate cloud services, notably Cloudflare Pages, to host or proxy malicious content, further complicating detection and takedown efforts. The malware payloads distributed include several well-known infostealers such as ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF, which are capable of stealing sensitive information like credentials, cookies, and system data. The group’s operations have compromised approximately 14,000 web pages globally by mid-2025, affecting multiple industries including finance, e-commerce, and technology. The use of blockchain smart contracts for malware delivery represents an evolution in threat actor tactics, blending decentralized technologies with traditional cybercrime methods. This approach allows UNC5142 to maintain persistence, evade signature-based detection, and dynamically update payloads. The threat actor’s abuse of WordPress—a widely used content management system—combined with blockchain and cloud service exploitation, poses a multifaceted challenge for defenders.

Potential Impact

For European organizations, the impact of UNC5142’s operations can be significant. The compromise of WordPress sites can lead to unauthorized access, data theft, and reputational damage, especially for businesses relying on e-commerce or customer portals. Infostealers like ATOMIC and VIDAR can exfiltrate sensitive credentials, financial information, and personal data, potentially leading to further intrusions or fraud. The use of blockchain smart contracts for malware delivery complicates detection and response, increasing dwell time and the risk of widespread infection. Organizations in finance, technology, and retail sectors are particularly vulnerable due to their reliance on web platforms and blockchain technologies. Additionally, the abuse of legitimate services such as Cloudflare Pages can hinder traditional network-based defenses, allowing malware distribution to continue undetected. The scale of compromise—approximately 14,000 web pages—indicates a broad attack surface and potential for supply chain impacts if third-party websites are affected. This threat also raises concerns about the security of blockchain-based applications and smart contracts, which are increasingly adopted in European markets. Overall, the threat could lead to significant data breaches, financial losses, and erosion of trust in digital services.

Mitigation Recommendations

1. Harden WordPress installations by applying all security patches promptly, disabling unused plugins/themes, and enforcing strong authentication mechanisms such as MFA. 2. Conduct regular vulnerability assessments and penetration testing focused on web applications to identify and remediate exploitable weaknesses. 3. Monitor JavaScript execution and network traffic for unusual patterns, especially those involving dynamic payload downloads or connections to blockchain nodes and smart contracts. 4. Implement web application firewalls (WAFs) with updated signatures and behavioral detection capabilities to block malicious payload delivery attempts. 5. Scrutinize and restrict the use of third-party cloud services like Cloudflare Pages, ensuring only trusted content is served and monitoring for abuse. 6. Employ threat intelligence feeds to detect indicators related to UNC5142 infrastructure and malware hashes. 7. Educate web administrators and developers on secure coding practices and the risks of blockchain-based malware delivery. 8. Use endpoint detection and response (EDR) tools capable of detecting infostealer behaviors and anomalous process executions. 9. Establish incident response plans that include blockchain forensic capabilities to analyze smart contract abuse. 10. Collaborate with blockchain platform providers to report and mitigate malicious smart contracts leveraging EtherHiding techniques.

Affected Countries

GermanyGermany
United KingdomUnited Kingdom
FranceFrance
NetherlandsNetherlands
ItalyItaly
SpainSpain
PolandPoland
BelgiumBelgium
SwedenSweden
SwitzerlandSwitzerland
Need more detailed analysis?Get Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"]
Adversary
UNC5142
Pulse Id
68f130fe56a14a2de8f391b4
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip80.64.30.238
ip82.115.223.9
ip83.217.208.130
ip91.240.118.2

Hash

ValueDescriptionCopy
hash7456f63a46cc318334a70159aa3c4291
hashe94affb98148fc4e0cfb9a486bb37160
hash3cf9cbca48ed9e36a0ccd17cf97f6e4b96c14a24
hash53fd54f55c93f9bcca471cd0ccbabc3acbd3e4aa
hash8fba1667bef5eda433928b220886a830488549bd
hash9179dda8b285040bf381aabb8a1f4a1b8c37ed53
hash091f9db54382708327f5bb1831a4626897b6710ffe11d835724be5c224a0cf83
hash27105be1bdd9f15a1b1a2b0cc5de625e2ecd47fdeaed135321641eea86ad6cb0
hash3023b0331baff73ff894087d1a425ea4b2746caf514ada624370318f27e29c2c
hash4b47b55ae448668e549ffc04e82aee41ac10e3c8b183012a105faf2360fc5ec1
hash72d8fa46f402dcc4be78306d0535c9ace0eb9fabae59bd3ba3cc62a0bdf3db91
hash88019011af71af986a64f68316e80f30d3f57186aa62c3cef5ed139eb49a6842
hashbcbdb74f97092dfd68e7ec1d6770b6d1e1aae091f43bcebb0b7bce6c8188e310

Url

ValueDescriptionCopy
urlhttp://83.217.208.130/xfiles/Ohio.mp4
urlhttp://83.217.208.130/xfiles/VIDA.mp3
urlhttp://83.217.208.130/xfiles/VIDA.mp4
urlhttp://83.217.208.130/xfiles/trip.mp4
urlhttp://83.217.208.130/xfiles/trip.psd
urlhttp://ads.green-pickle-jo.shop/1.m4a
urlhttp://ai.fdswgw.shop/one.mp4
urlhttp://app.bytevista.cloud/wfree
urlhttp://betiv.fun/7456f63a46cc318334a70159aa3c4291.txt
urlhttp://black.hologramm.us/
urlhttp://block.a-1-a1a.shop/drive.mp3
urlhttp://bridge.tree-sock-rain.today/
urlhttp://butanse.shop/
urlhttp://bytes.microstorage.shop/
urlhttp://captcha-cdn.com/verify.sh
urlhttp://captcha-verify-6r4x.com/verify.sh
urlhttp://def.ball-strike-up.shop/
urlhttp://discover-travel-agency.pro/1.m4a
urlhttp://discover-travel-agency.pro/joke.m4a
urlhttp://discover-travel-agency.pro/walking.mp3
urlhttp://dns-verify-me.pro/xfiles/train.mp4
urlhttp://e.overallwobbly.ru/era-stc
urlhttp://entrinidad.cfd/1/verify.sh
urlhttp://human-verify-4r.pro/xfiles/human.cpp
urlhttp://human-verify-4r.pro/xfiles/verify.mp4
urlhttp://human-verify.shop/xfiles/verify.mp4
urlhttp://hur.bweqlkjr.shop/1a.m4a
urlhttp://hur.bweqlkjr.shop/m41.mp4
urlhttp://items.kycc-camera.shop/
urlhttp://jdiazmemory.com/4/verify.sh
urlhttp://kimbeech.cfd/cap/verify.sh
urlhttp://lammysecurity.com/4/verify.sh
urlhttp://lapkimeow.icu/check
urlhttp://lumichain.pro/
urlhttp://message.zoo-ciry.shop/
urlhttp://mnjk-jk.bsdfg-zmp-q-n.shop/1.mp4
urlhttp://nbhg-v.iuksdfb-f.shop/ajax.mp3
urlhttp://note1.nz7bn.pro/nnp.mp4
urlhttp://ok.fish-cloud-jar.us/
urlhttp://power.moon-river-coin.xyz/
urlhttp://privatunis.cfd/1/verify.sh
urlhttp://recaptcha-manual.shop/kangarooing.m4a
urlhttp://recaptcha-verify-4h.pro/kangarooing.m4a
urlhttp://recaptcha-verify-4h.pro/xfiles/kangarooing.vsdx
urlhttp://recaptcha-verify-4h.pro/xfiles/verify.mp4
urlhttp://rengular11.today/
urlhttp://run.fox-chair-dust.xyz/
urlhttp://salorttactical.top/2/verify.sh
urlhttp://sandbox.silver-map-generator.shop/
urlhttp://sandbox.yunqof.shop/macan.mp3
urlhttp://security-2k7q-check.com/1/verify.sh
urlhttp://security-2u6g-log.com/1/verify.sh
urlhttp://security-7f2c-run.com/2/verify.sh
urlhttp://security-9y5v-scan.com/3/verify.sh
urlhttp://security-9y5v-scan.com/7/verify.sh
urlhttp://security-a2k8-go.com/6/verify.sh
urlhttp://security-check-l2j4.com/verify.sh
urlhttp://security-check-u8a6.com/2/verify.sh
urlhttp://start.cleaning-room-device.shop/sha589.m4a
urlhttp://stat.bluetroniq.vip/
urlhttp://tofukai.cfd/2/verify.sh
urlhttp://tumbl.design-x.xyz/glass.mp3
urlhttp://xxx.retweet.shop/
urlhttp://yob.yrwebsdf.shop/1a.m4a
urlhttp://yob.yrwebsdf.shop/3t.mp4
urlhttps://browser-storage.com/update
urlhttps://saaadnesss.shop/check'

Domain

ValueDescriptionCopy
domainactiothreaz.com
domainbetiv.fun
domainblast-hubs.com
domainblastikcn.com
domainbreedertremnd.com
domainbrowser-storage.com
domainbutanse.shop
domaincaptcha-cdn.com
domaincaptcha-verify-6r4x.com
domaincxheerfulriver.pics
domaindecreaserid.world
domaindiscover-travel-agency.pro
domaindns-verify-me.pro
domaindsfljsdfjewf.info
domainentrinidad.cfd
domainfleebunga.sbs
domaingarulouscuto.com
domainhfdjmoedkjf.asia
domainhoyoverse.blog
domainhuman-verify-4r.pro
domainhuman-verify.shop
domainimportenptoc.com
domaininputrreparnt.com
domainjdiazmemory.com
domainkimbeech.cfd
domainlammysecurity.com
domainlapkimeow.icu
domainlumichain.pro
domainopbafindi.com
domainorange-service.xyz
domainpasteflawwed.world
domainpolovoiinspektor.shop
domainprivatunis.cfd
domainratatui.today
domainrebeldettern.com
domainrecaptcha-manual.shop
domainrecaptcha-verify-4h.pro
domainrengular11.today
domainsaaadnesss.shop
domainsalorttactical.top
domainsecurity-2k7q-check.com
domainsecurity-2u6g-log.com
domainsecurity-7f2c-run.com
domainsecurity-9y5v-scan.com
domainsecurity-a2k8-go.com
domainsecurity-check-l2j4.com
domainsecurity-check-u8a6.com
domainstchkr.rest
domainstormlegue.com
domaintechnavix.cloud
domaintlfiyat.shop
domaintofukai.cfd
domaintorpdidebar.com
domainvoicesharped.com
domainzenrichyourlife.tech
domainads.green-pickle-jo.shop
domainai.fdswgw.shop
domainblack.hologramm.us
domainblock.a-1-a1a.shop
domainbridge.tree-sock-rain.today
domainbytes.microstorage.shop
domaindef.ball-strike-up.shop
domaine.overallwobbly.ru
domaingoogleapis-n-cdn3s-server.willingcapablepatronage.shop
domainhur.bweqlkjr.shop
domainitems.kycc-camera.shop
domainkangla.klipxytozyi.shop
domainmessage.zoo-ciry.shop
domainmnjk-jk.bsdfg-zmp-q-n.shop
domainnbhg-v.iuksdfb-f.shop
domainnote1.nz7bn.pro
domainok.fish-cloud-jar.us
domainpower.moon-river-coin.xyz
domainrbk.scalingposturestrife.shop
domainrun.fox-chair-dust.xyz
domainsandbox.silver-map-generator.shop
domainsandbox.yunqof.shop
domainstart.cleaning-room-device.shop
domainstat.bluetroniq.vip
domaintext.cherry-pink.shop
domaintumbl.design-x.xyz
domainty.klipxytozyi.shop
domainw1.discoverconicalcrouton.shop
domainxxx.retweet.shop
domainyob.yrwebsdf.shop

Threat ID: 68f163919f8a5dbaea0bfdd7

Added to database: 10/16/2025, 9:28:49 PM

Last enriched: 10/16/2025, 9:45:02 PM

Last updated: 12/2/2025, 10:02:12 AM

Views: 245

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

ThreatFox IOCs for 2025-12-01

Medium
MalwareTue Dec 02 2025

Arkanix Stealer: Newly discovered short term profit malware

Medium
CampaignMon Dec 01 2025

New Albiriox Android Malware Developed by Russian Cybercriminals

Medium
MalwareMon Dec 01 2025

Webinar: The "Agentic" Trojan Horse: Why the New AI Browsers War is a Nightmare for Security Teams

Medium
MalwareMon Dec 01 2025

New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

Medium
MalwareMon Dec 01 2025

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats