
Hackers Hide Malware in Blockchain, Target WordPress Users

  • 22/10/2025

Blockchain — often praised for its transparency and decentralization — has ironically become a fertile ground for cybercriminal exploitation.

Recently, Google's threat intelligence researchers reported that the threat group UNC5142 has been abusing smart contracts on the BNB Smart Chain to distribute several information-stealing malware families, including Atomic Stealer, Lumma, Rhadamanthys, and Vidar. Notably, the campaign targets both Windows and macOS users and uses compromised WordPress websites as its infection vector.


Objective and Scale of the Campaign

The malware families involved — Atomic Stealer, Lumma, Rhadamanthys, and Vidar — are designed to steal sensitive user data such as cryptocurrency wallets, passwords, and browser cookies.
According to the Google report, as of June 2025 over 14,000 web pages on compromised WordPress sites had been injected with malicious JavaScript linked to the UNC5142 campaign, indicating a wide-reaching and fast-spreading operation.


Attack Methodology (Summary)

Malicious code injection into WordPress:
Attackers compromise vulnerable WordPress plugins or themes to insert malicious JavaScript into the site's pages.

Smart contract as data source:
The injected script queries a BNB Smart Chain smart contract that holds the current addresses of the attacker's next-stage and command-and-control (C2) infrastructure together with the data needed to decrypt the next stage. The read is a plain read-only contract call, so it creates no transaction on the chain and costs the victim nothing, and it leaves no malicious URL in the injected script itself.

Payload delivery via legitimate domains:
Victims are redirected to fake browser update pages hosted on legitimate-looking infrastructure (for example, pages on Cloudflare's .dev domains), which trick them into copying and running commands that download and execute the malware.

Cross-platform and fileless techniques:

  • On Windows, the chain uses HTA files and PowerShell so that the payload runs in memory rather than as a staged executable on disk (fileless).

  • On macOS, victims are tricked into pasting bash/curl commands into the Terminal to fetch payloads such as Atomic Stealer.
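The on-chain lookup above is the part of the chain that is easiest to misunderstand, so here is an added worked example in Node.js. It is not code from the Google report or from the campaign; it shows the mechanics in general form: how a script can fetch a string out of a BNB Smart Chain contract with a single read-only `eth_call` (the JSON-RPC body it would send and the ABI layout of the string the node returns), and a simple heuristic an operator can run over a page's HTML to surface inline scripts that talk to a BSC RPC endpoint. The contract address, function selector, returned URL and sample page are constructed for the example, and the RPC hostname pattern is an assumption about public BSC endpoints, not an indicator from the report.

```javascript
// Added example: mechanics of reading a string from a BNB Smart Chain contract
// via eth_call, plus a heuristic scan for such loaders in page HTML.
// Everything below (addresses, selector, URL, sample page) is constructed.

// ABI-encode a string the way a Solidity `string` return value comes back:
// [offset to data (32 bytes)][byte length (32 bytes)][data, right-padded to 32].
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const padded = bytes.toString("hex").padEnd(Math.ceil(bytes.length / 32) * 64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// Decode that layout back into a string; rejects offsets/lengths that run
// past the end of the data instead of silently returning garbage.
function abiDecodeString(hexData) {
  const hex = hexData.startsWith("0x") ? hexData.slice(2) : hexData;
  const buf = Buffer.from(hex, "hex");
  const readWord = (pos) => Number(BigInt("0x" + buf.subarray(pos, pos + 32).toString("hex")));
  const offset = readWord(0);
  const length = readWord(offset);
  if (offset + 32 + length > buf.length) throw new Error("ABI string out of bounds");
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// JSON-RPC body a page script would POST to a BSC node. eth_call is read-only:
// no transaction is mined, no gas is paid, and no wallet is involved, which is
// why the victim's browser can do it without any blockchain software.
function buildEthCall(contractAddress, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contractAddress, data: selector }, "latest"],
  };
}

// Operator-side heuristic: flag inline <script> bodies that match at least two
// of these. Public BSC RPC hostnames are an assumption for this example, and
// legitimate dApp front-ends can trip the check, so hits are leads, not verdicts.
const SUSPICIOUS_PATTERNS = [
  /eth_call/,
  /bsc-dataseed[0-9]*\.(binance|bnbchain)\.org/i,
  /0x[0-9a-fA-F]{40}/, // a 20-byte contract or wallet address literal
];

function scanHtmlForOnChainLoader(html) {
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  const hits = [];
  scripts.forEach((body, i) => {
    const matched = SUSPICIOUS_PATTERNS.filter((re) => re.test(body)).map((re) => re.source);
    if (matched.length >= 2) hits.push({ script: i, matched });
  });
  return hits;
}

// Constructed sample page: one legitimate script tag and one injected loader.
const SAMPLE_PAGE = `
<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script></head>
<body>
<script>
// constructed stand-in for an injected loader, not real campaign code
fetch("https://bsc-dataseed.binance.org/", {method: "POST", body: JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x0000000000000000000000000000000000001234", data: "0x12345678"}, "latest"]})});
</script>
</body></html>`;

// End-to-end walk-through with a constructed contract response.
function demo() {
  const contract = "0x0000000000000000000000000000000000001234"; // constructed
  const selector = "0x12345678"; // placeholder selector, not a real one
  const request = buildEthCall(contract, selector);
  // What the node's "result" field would contain if the contract returned this URL:
  const rpcResult = abiEncodeString("https://example.com/constructed-next-stage.js");
  const nextStage = abiDecodeString(rpcResult);
  return { request, nextStage, hits: scanHtmlForOnChainLoader(SAMPLE_PAGE) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the round trip is that the injected script on the website carries only a contract address and a function selector; the URL it ultimately loads lives in contract storage, which is why scanning the site's files for a malicious domain finds nothing, and why the heuristic above looks for the RPC plumbing instead.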


Evolving and Flexible Attack Architecture

Over time, UNC5142 refined its tactics. It started with a single smart contract; by late 2024 the group had moved to a three-contract design (Router, Logic, and Storage) that mimics the proxy upgrade pattern used by legitimate decentralized applications.
This design lets the attackers change payload URLs, decryption keys, or C2 servers simply by updating on-chain data, for under $2 per update.
Such adaptability lets the campaign continue even when lure pages or payload hosts are taken down: the attacker repoints the still-infected sites at new infrastructure by editing on-chain data, without touching each compromised site again. That makes the operation both resilient and cheap to run.

Google’s telemetry also identified two distinct infrastructures supporting the campaign:

  • A main infrastructure, active since November 2024, maintained regularly.

  • A secondary infrastructure, observed from February 2025, likely used for testing or scaling operations.


Impacts and Unique Risks

The UNC5142 campaign highlights two major cybersecurity concerns:

  1. Blockchain as a takedown-resistant malware repository:
    Once information (addresses, payload paths, encryption keys) is written to the chain, every version of it stays in the chain's history permanently, and there is no hosting provider to serve a takedown notice or a registrar to seize a domain. At the same time the attacker can still change the current values held in contract storage at will, so defenders get neither removal nor stability: the historical data cannot be erased, while the live pointers can be rotated at any moment.

  2. Abuse of legitimate infrastructure for malware delivery:
    By hosting lures on reputable domains and reaching them through JavaScript redirects, the attackers evade conventional website scanning and reputation-based detection.

These factors allow UNC5142 to adjust and expand its attacks rapidly without modifying the source code of each compromised site — a significant advantage in persistence and stealth.


Timeline of Activity

Indicators of compromise and related infrastructure have been active since late 2024, with continuous updates throughout the first half of 2025.
While no new activity from the group has been observed since July 2025, its tactics and framework remain a pressing concern within the cybersecurity community.


Source: Google Threat Intelligence Group report and open security research on the UNC5142 campaign.

