More than 14,000 WordPress websites breached to spread malware


WordPress is the most widely used content management system on the internet, powering over 43 percent of all websites. That reach makes the recent compromise of WordPress sites by a newly tracked threat actor especially concerning.

A report from the Google Threat Intelligence Group (GTIG) indicates that a threat actor tracked as UNC5142 has been compromising WordPress sites and using a novel technique to distribute malware. UNC5142 targets vulnerable WordPress sites, frequently exploiting flaws in themes, plugins, or databases.

Compromised WordPress sites are injected with a multi-stage JavaScript downloader known as CLEARSHORT, which delivers the malware. The group relies on a method termed “EtherHiding,” which CLEARSHORT implements.

EtherHiding involves storing malicious code or data on a public blockchain, such as the BNB Smart Chain, which makes it much harder to take down the infrastructure and stop the malware’s spread. The smart contract on the blockchain points visitors to a CLEARSHORT landing page, usually hosted on a Cloudflare development page, that employs a ClickFix social engineering lure. The lure tricks visitors into running attacker-supplied commands on their own devices via the Windows Run dialog or the macOS Terminal application.

According to Google, UNC5142’s attacks are primarily financially motivated. GTIG has tracked UNC5142 since 2023, but Google notes that the group ceased all observed activity in July 2025.

This pause might mean the group has wound down its operations, or it may have changed its tactics and is continuing to exploit vulnerable sites undetected.