More than 14,000 WordPress sites hacked, used to spread malware

WordPress is one of the most popular content management systems on the Internet. In fact, more than 43 percent of all websites run on WordPress. This makes the latest attack on WordPress sites by a new threat actor all the more concerning.

According to a new report from the Google Threat Intelligence Group (GTIG), a new threat actor codenamed UNC5142 has been successfully hacking into WordPress sites and using a brand new technique to spread malware across the web. According to the report, UNC5142 would look for vulnerable WordPress websites, often those with flawed WordPress themes, plugins, or databases.

The targeted WordPress sites would be infected with CLEARSHORT, a multi-stage JavaScript downloader that distributes the malware. The threat group would then deploy a new technique dubbed "EtherHiding," which is enabled by CLEARSHORT.

Google describes EtherHiding as "a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain." This use of blockchain to spread malicious code is unique and makes stopping the spread of malware all the more difficult.

The smart contract containing the code on the blockchain would then call up a CLEARSHORT landing page, often hosted on a Cloudflare dev page, that utilizes a ClickFix social engineering tactic. This tactic tricks the website visitor into running malicious commands on their computer via the Windows Run dialog or Mac's Terminal app.

UNC5142's attacks are often financially motivated, according to Google. GTIG says it has been tracking UNC5142 since 2023. However, Google reports that UNC5142 suddenly stopped all activity in July 2025.

This could mean that this new threat actor group, which has been successfully carrying out its malware campaigns, just decided to call it quits. Or it could mean that the threat actor has altered its techniques, successfully obscuring its latest actions, and is still hacking into vulnerable websites today.
