UNC5142

UNC5142 is a financially motivated threat actor associated with the CLEARFAKE/ClearFake activity cluster and the CLEARSHORT multistage JavaScript downloader framework. The group compromises vulnerable WordPress websites and injects malicious JavaScript into plugin files, theme files, or WordPress databases to distribute information-stealing malware to site visitors. Reported payloads include Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. UNC5142 is notable for using EtherHiding, leveraging smart contracts on the BNB Smart Chain as resilient command-and-control or payload-delivery infrastructure. CLEARSHORT communicates with blockchain-hosted smart-contract data to retrieve next-stage payloads, and reporting describes the group evolving from a single-contract design to a three-contract architecture resembling a proxy pattern to enable rapid updates and infrastructure rotation. The campaign has also used decentralized storage methods, legitimate Web3 libraries, and encrypted payload delivery. The actor uses social-engineering lures on compromised sites, including fake Google Chrome update prompts and ClickFix-style prompts that trick users into executing malicious commands. Landing pages have been hosted on Cloudflare pages.dev, and Windows infection chains have used HTA and PowerShell stages, while macOS chains have used bash-based retrieval of Atomic Stealer. Google Threat Intelligence Group tracked approximately 14,000 injected web pages and around 6,000 compromised WordPress sites associated with UNC5142/ClearFake activity by mid-2025. Reporting states the group has operated since at least 2023 and that no UNC5142 activity was observed after July 23, 2025, possibly indicating a pause or retooling. Known alias directly mentioned in the content: ClearFake / CLEARFAKE.