More than 14,000 WordPress sites were hacked and used to spread malware

WordPress is one of the most popular content management systems on the Internet. In fact, more than 43 percent of all websites run on WordPress. This makes the recent attack on WordPress sites by a new threat actor even more alarming.

According to a new report from the Google Threat Intelligence Group (GTIG), a new threat actor codenamed UNC5142 has successfully compromised WordPress sites and used an entirely new technique to spread malware across the web. UNC5142, according to the report, finds vulnerable WordPress sites, often ones using faulty WordPress themes, plugins, or databases.


Targeted WordPress sites are infected with CLEARSHORT, a multi-stage JavaScript downloader that distributes malware. The threat group then deploys a new technique dubbed “EtherHiding,” which is enabled by CLEARSHORT.


Google describes EtherHiding as “a technology used to hide malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain.” Using blockchain to spread malicious code is unique and makes stopping the spread of malware more difficult.

The smart contract containing the code on the blockchain will then call a CLEARSHORT landing page, often hosted on a Cloudflare dev page, which uses the ClickFix social engineering tactic. This tactic tricks a website visitor into running malicious commands on their computer via the Windows Run dialog box or the Mac Terminal application.
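For site owners checking their own pages, the two behaviours described above can be turned into a simple source review. The sketch below is an added example, not code from Google's report: the marker patterns, finding labels and sample pages are assumptions constructed for illustration. It flags a script only when a blockchain read sits next to dynamic code execution, and a page only when a clipboard write is paired with Run-dialog or Terminal instructions.

```python
import re

# Heuristic markers chosen for this example (assumptions, not indicators from the GTIG report).
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CHAIN_READ = re.compile(r"\beth_call\b")                       # JSON-RPC read of contract data
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(")  # runs fetched text as code
CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText\s*\(")
RUN_LURE = re.compile(r"\bWin(?:dows)?\s*\+\s*R\b|\bRun dialog\b|\bopen (?:the )?Terminal\b", re.I)

def scan_page(html):
    """Return sorted finding labels for one HTML document."""
    scripts = SCRIPT.findall(html)
    visible = SCRIPT.sub(" ", html)  # text outside <script> blocks
    findings = set()
    # A chain read alone is normal for wallet widgets; paired with eval it is not.
    if any(CHAIN_READ.search(s) and DYNAMIC_EXEC.search(s) for s in scripts):
        findings.add("chain-read-then-exec")
    # A copy button alone is normal; paired with "press Win+R and paste" text it is not.
    if any(CLIPBOARD.search(s) for s in scripts) and RUN_LURE.search(visible):
        findings.add("clickfix-lure")
    return sorted(findings)

# Constructed samples; none is taken from a real site or from the report.
SAMPLES = {
    "wallet-widget.html": '<script>rpc("eth_call", balanceQuery).then(showBalance)</script>',
    "copy-button.html": '<p>Copy the coupon code.</p><script>navigator.clipboard.writeText(code)</script>',
    "injected-theme.html": '<script>rpc("eth_call", PLACEHOLDER).then(function(r){ eval(decode(r)); })</script>',
    "fake-captcha.html": '<p>To verify, press Windows + R, then paste and press Enter.</p>'
                         '<script>navigator.clipboard.writeText(PLACEHOLDER)</script>',
}

def scan_all(samples=SAMPLES):
    """Scan every sample and map its name to the list of findings."""
    return {name: scan_page(html) for name, html in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```

A hit is a prompt for manual review of the theme or plugin file that emitted the script, not proof of compromise, and obfuscated loaders will not match these literal patterns.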

According to Google, UNC5142 attacks are often financially motivated. GTIG says it has been following UNC5142 since 2023. However, Google reports that UNC5142 suddenly stopped all activities in July 2025.

This could mean that this new threat group, which has successfully executed its malware campaigns, has decided to stop working. Or it could mean that the threat actor has changed its techniques, successfully concealed its most recent actions, and is still compromising vulnerable websites today.
