Intel Name: New group on the block: UNC5142 leverages EtherHiding to distribute malware
Date of Scan: October 20, 2025
Impact: High
Summary: UNC5142 is a financially motivated threat actor known for distributing infostealers such as ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF using a technique called EtherHiding, which involves storing malicious code within smart contracts on the BNB Smart Chain to evade traditional detection methods. The group targets vulnerable WordPress websites, injecting them with a multistage JavaScript downloader called CLEARSHORT to facilitate payload delivery. By June 2025, over 14,000 compromised web pages had been identified. UNC5142’s use of blockchain infrastructure, particularly smart contracts, allows it to obscure its activities and enhance operational security.