Executive Summary
In October 2025, Google Threat Intelligence Group publicly documented UNC5142, a financially motivated threat actor that uses compromised WordPress sites to distribute information-stealing malware through a technique dubbed 'EtherHiding.' Rather than hosting its next-stage code on a server that can be taken down, the group stores it in smart contracts on the BNB Smart Chain and has the JavaScript it injects into compromised sites read that code back with an ordinary, read-only blockchain RPC query. The chain delivers infostealers including Atomic Stealer, Lumma, Rhadamanthys, and Vidar to both Windows and macOS endpoints. Because the contract's contents can be rewritten cheaply at any time, lure pages and payloads change faster than static blocklists, and the traffic to public blockchain nodes blends into legitimate activity. Victims included a variety of enterprises and individuals, reached through the trusted, widely visited WordPress sites the group had compromised.
This campaign is a mature example of a TTP documented since 2023, in which public blockchain infrastructure is repurposed as a resilient, hard-to-disrupt delivery layer for criminal campaigns. The uptake of such blockchain-based methods shows that organizations need to evolve threat detection and response strategies as attackers diversify beyond conventional web infrastructure.
Why This Matters Now
The use of blockchain smart contracts for malware delivery signals a dangerous shift in attacker tactics—making threats more resilient, harder to disrupt, and less visible to traditional defenses. As financially motivated actors like UNC5142 innovate at pace, organizations must close security blind spots across cloud, web, and on-prem environments to reduce risk from such advanced distribution techniques.
Attack Path Analysis
UNC5142's entry point was a compromised WordPress site, typically reached through vulnerable or unpatched plugins and themes, into which the group injected a small JavaScript loader. Instead of embedding the next stage in that script, the loader sent a read-only eth_call to a public BNB Smart Chain node and pulled the stage from an attacker-controlled smart contract, so the code visible on the site stayed small and generic while the contract supplied the current lure page and payload. The lure page used social engineering (a fake site or browser 'fix' prompt that had the victim paste and run a command) to get an infostealer executed with the user's permission level; from there the malware read browser credential stores, session cookies, and cryptocurrency wallet data from the local system and posted it to the attacker's infrastructure over HTTPS. Infostealers of this class do not move laterally themselves; the harvested credentials and session tokens are what enable follow-on access to cloud and internal resources, which is why detection effort belongs on the initial outbound RPC and C2 traffic and on rapid credential revocation, not on east-west controls alone. The operation culminated in theft of credentials, crypto wallets, and sensitive data at scale, causing broad financial and reputational harm.
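The two halves of that read path, the eth_call the injected loader sends and the ABI-encoded string that comes back, are small enough to model directly. The block below is an added example, not code from the UNC5142 report or from any vendor product: it builds the JSON-RPC body such a loader sends, decodes the `string` return value the way the loader must, and then runs a detection pass over constructed web-proxy log lines to flag browser-originated eth_call traffic to public BNB Smart Chain RPC hosts. The contract address, the `get()` getter, the RPC host list, and the log format are assumptions chosen for illustration; the campaign's real contracts and endpoints are not reproduced here.

```javascript
// Added example, not code from the UNC5142 report or any vendor product.
// Models the EtherHiding read path (an injected script fetching its next
// stage from a smart contract with a read-only eth_call) and a detection
// pass over constructed web-proxy log lines. Node.js >= 18, no dependencies.

// Public BNB Smart Chain JSON-RPC hosts. Illustrative list (assumption): a
// corporate browser session normally has no reason to POST JSON-RPC to these.
const BSC_RPC_HOSTS = new Set([
  "bsc-dataseed.binance.org",
  "bsc-dataseed1.binance.org",
  "bsc-dataseed2.binance.org",
  "bsc-rpc.publicnode.com",
]);

// Hypothetical contract address and getter. 0x6d4ce63c is the 4-byte selector
// for get() (first four bytes of keccak-256("get()")); the real campaign's
// contract addresses and function names are not reproduced here.
const EXAMPLE_CONTRACT = "0x1111111111111111111111111111111111111111";
const GET_SELECTOR = "0x6d4ce63c";

// The JSON-RPC body an EtherHiding loader sends. eth_call is a free, read-only
// query: no transaction, no gas, nothing written to the chain. Rewriting the
// string the contract stores changes every victim's next stage without the
// attacker touching any of the compromised WordPress sites again.
function buildEthCall(contract, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI encoding of a single `string` return value: a 32-byte offset (0x20 for
// one dynamic value), a 32-byte length, then the UTF-8 bytes right-padded to a
// 32-byte boundary. Used here only to construct a realistic node response.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const hex = bytes.toString("hex");
  const padded = hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// What the loader does with the response's `result` field: decode the ABI
// string to recover its next-stage URL (or inline JavaScript).
function abiDecodeString(result) {
  const hex = result.startsWith("0x") ? result.slice(2) : result;
  const offset = parseInt(hex.slice(0, 64), 16) * 2; // byte offset -> hex chars
  const len = parseInt(hex.slice(offset, offset + 64), 16);
  const data = hex.slice(offset + 64, offset + 64 + len * 2);
  return Buffer.from(data, "hex").toString("utf8");
}

// Constructed proxy log (JSON lines). Line 1 is the EtherHiding pattern: a
// browser, with a Referer from an ordinary website, POSTing eth_call to a
// public RPC host. Line 2 is a developer's own script (no browser UA, no
// Referer). Line 3 is normal browsing.
const BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0";
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-10-15T10:03:11Z", src: "10.1.4.22", method: "POST",
    host: "bsc-dataseed1.binance.org", ua: BROWSER_UA,
    referer: "https://blog.example-victim.invalid/post/1",
    body: JSON.stringify(buildEthCall(EXAMPLE_CONTRACT, GET_SELECTOR)) }),
  JSON.stringify({ ts: "2025-10-15T10:04:02Z", src: "10.1.9.7", method: "POST",
    host: "bsc-dataseed1.binance.org", ua: "node", referer: "",
    body: JSON.stringify(buildEthCall(EXAMPLE_CONTRACT, GET_SELECTOR)) }),
  JSON.stringify({ ts: "2025-10-15T10:05:40Z", src: "10.1.4.22", method: "GET",
    host: "blog.example-victim.invalid", ua: BROWSER_UA, referer: "", body: "" }),
];

// Flags browser-originated eth_call traffic to public RPC hosts. The Referer is
// the key signal: a legitimate dApp queries RPC from its own origin, while an
// EtherHiding loader queries it from whatever blog or shop it was injected into.
function detectEtherHiding(logLines) {
  const hits = [];
  for (const line of logLines) {
    let ev, rpc;
    try { ev = JSON.parse(line); rpc = JSON.parse(ev.body || "null"); } catch { continue; }
    if (!rpc || ev.method !== "POST" || !BSC_RPC_HOSTS.has(ev.host)) continue;
    if (rpc.method !== "eth_call") continue;
    const fromBrowser = /Mozilla\//.test(ev.ua || "") && Boolean(ev.referer);
    if (!fromBrowser) continue;
    hits.push({ ts: ev.ts, src: ev.src, referer: ev.referer, contract: rpc.params?.[0]?.to });
  }
  return hits;
}

// Stand-alone demonstration on the constructed data.
const hidden = abiEncodeString("https://lure.example.invalid/fix.html"); // constructed
console.log("decoded next stage:", abiDecodeString(hidden));
console.log("EtherHiding candidates:", detectEtherHiding(SAMPLE_LOG));
```

Two design points. First, the decode step is deliberately minimal: a loader only needs to parse one `string` return, and that is all the attacker's contract has to expose, so blocking on "contract-like" code patterns is unreliable; the durable signal is the outbound eth_call from a browser context whose Referer is an unrelated site. Second, the Referer check is what separates this from a real dApp, so tune the host list and an allowlist of legitimate dApp origins before turning the rule into a block rather than an alert.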
Kill Chain Progression
Initial Compromise
Description
Attackers injected JavaScript into compromised WordPress sites; that script fetched its next stage from an attacker-controlled smart contract and steered visitors to a lure page (typically a fake browser or site 'fix' instruction) that had them run the infostealer themselves.
Related CVEs
The cited reporting does not tie the UNC5142 site compromises to a specific plugin CVE. The entries below are WordPress plugin vulnerabilities of the kind that yield the site-level access the campaign requires (code execution, arbitrary file upload, or stored script injection on a public site), not confirmed entry vectors for this actor. The two marked "exploited in the wild" should be patched first.
CVE-2025-2105 (CVSS 7.2)
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing attackers to execute arbitrary code.
Affected Products: Artbees Jupiter X Core <= 4.8.11
Exploit Status: proof of concept
CVE-2025-9501 (CVSS 9.0)
The W3 Total Cache plugin for WordPress contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP commands via malicious comments.
Affected Products: BoldGrid W3 Total Cache < 2.8.13
Exploit Status: exploited in the wild
CVE-2025-5395 (CVSS 8.8)
The WordPress Automatic Plugin is vulnerable to arbitrary file uploads due to insufficient file type validation, potentially leading to remote code execution.
Affected Products: ValvePress WordPress Automatic Plugin <= 3.115.0
Exploit Status: proof of concept
CVE-2025-2541 (CVSS 6.5)
The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads, allowing attackers to inject arbitrary web scripts.
Affected Products: weDevs WP Project Manager <= 2.6.22
Exploit Status: proof of concept
CVE-2025-0512 (CVSS 6.5)
The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sc_fs_local_business shortcode, allowing attackers to inject arbitrary web scripts.
Affected Products: WP Speed of Light Structured Content (JSON-LD) #wpsc <= 6.4.5
Exploit Status: proof of concept
CVE-2025-2575 (CVSS 6.5)
The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads, allowing attackers to inject arbitrary web scripts.
Affected Products: ZThemes Z Companion <= 1.1.1
Exploit Status: proof of concept
CVE-2025-0429 (CVSS 7.2)
The 'AI Power: Complete AI Pack' plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing attackers to execute arbitrary code.
Affected Products: AI Power Complete AI Pack <= 1.8.96
Exploit Status: proof of concept
CVE-2025-12558 (CVSS 5.3)
The Beaver Builder – WordPress Page Builder plugin is vulnerable to Sensitive Information Exposure via the 'get_attachment_sizes' function, allowing attackers to access private attachment data.
Affected Products: Beaver Builder – WordPress Page Builder <= 2.9.4
Exploit Status: proof of concept
CVE-2025-6586 (CVSS 8.8)
The Download Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.
Affected Products: Metagauss Download Plugin <= 2.2.8
Exploit Status: proof of concept
CVE-2025-6389 (CVSS 9.8)
The Sneeit Framework plugin for WordPress contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP functions, potentially leading to full site compromise.
Affected Products: Sneeit Framework <= 8.3
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190): compromise of the WordPress sites used as the distribution layer
Drive-by Compromise (T1189): victims are infected by visiting an otherwise legitimate site carrying the injected loader; no email phishing is involved in this chain
User Execution: Malicious Copy and Paste (T1204.004) and Malicious File (T1204.002): the lure has the victim run the command or file that launches the stealer
Application Layer Protocol: Web Protocols (T1071.001): HTTPS JSON-RPC to public blockchain nodes for staging, and HTTPS for C2 and exfiltration
Impair Defenses: Disable or Modify Tools (T1562.001)
Valid Accounts (T1078): follow-on use of stolen credentials
Credentials from Password Stores (T1555)
Data from Local System (T1005)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Software Security Control Processes
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA (EU Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Identity & Access Management
Control ID: Identity Pillar, Authenticating Users and Devices
NIS2 Directive – Cybersecurity Risk-Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
WordPress compromise enabling blockchain-based malware distribution directly threatens software platforms requiring enhanced egress security and anomaly detection capabilities.
Financial Services
Information stealers targeting financial data through compromised web infrastructure necessitate zero trust segmentation and encrypted traffic protection mechanisms.
Internet
EtherHiding technique exploiting blockchain smart contracts for malware delivery undermines web service integrity requiring multicloud visibility and threat detection.
Computer/Network Security
UNC5142's multi-stage attack chain, targeting both Windows and macOS, demonstrates the critical need for inline IPS and cloud native security fabric deployment.
Sources
- Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites, The Hacker News: https://thehackernews.com/2025/10/hackers-abuse-blockchain-smart.html
- New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware, Google Cloud Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/
- Hackers Spread Malware With Blockchain, CyberMaterial: https://cybermaterial.com/hackers-spread-malware-with-blockchain/
- WordPress plugin with over a million installs may have a worrying security flaw - here's what we know, TechRadar: https://www.techradar.com/pro/security/wordpress-plugin-with-over-a-million-installs-may-have-a-worrying-security-flaw-heres-what-we-know
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress controls, threat detection, encrypted traffic visibility, and inline policy enforcement would have limited exploitation, detected suspicious behavior early, and stopped outbound data theft at several stages of the UNC5142 attack.
Control: Cloud Firewall (ACF)
Mitigation: Blocks access to malicious domains and unapproved application downloads at the perimeter; for this campaign that includes denying browser sessions access to public blockchain RPC endpoints where no business need exists.
Control: Multicloud Visibility & Control
Mitigation: Detection of anomalous authentication or unexpected privilege use, which is where credentials stolen by an infostealer first become visible.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized east-west traffic and contains follow-on access that uses stolen credentials.
Control: Inline IPS (Suricata)
Mitigation: Detects or blocks C2 and suspicious outbound patterns. Encrypted C2 is identified by destination, TLS fingerprint, and traffic shape; inspecting the payload itself requires TLS interception.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on sensitive data leaving the network to untrusted endpoints.
Incident response initiated promptly on detected indicators of compromise.
Impact at a Glance
Affected Business Functions
- Website Operations
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $50,000
Potential exposure of sensitive customer data, including personal information and payment details, due to unauthorized access facilitated by exploited vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Patch the WordPress plugins listed above, prioritizing those exploited in the wild, and audit site templates for injected JavaScript that calls blockchain RPC endpoints.
- Enforce granular zero trust segmentation to restrict workload-to-workload and service-to-service communication in the cloud.
- Apply robust egress security controls, including FQDN and application-level filtering, to block malware communications and exfiltration attempts; include public blockchain RPC hosts in the filtered set unless a business need is documented.
- Deploy inline intrusion prevention (Suricata) and cloud-native firewalls to inspect, detect, and block malicious or suspicious traffic patterns.
- Enhance multicloud traffic visibility and centralized policy management to accelerate threat detection and incident response.
- Regularly audit and update security policies to ensure least privilege access and prevent lateral movement by unauthorized entities, and revoke sessions and rotate credentials promptly when an infostealer infection is confirmed.