Malware Campaign Compromises Over 14,000 WordPress Sites

Last updated: October 18, 2025 3:09 pm
By Gregory Zuckerman

According to analysis from Google’s Threat Intelligence Group (GTIG), more than 14,000 WordPress sites have been compromised and turned into distribution points for a malware campaign. The campaign, run by a financially motivated threat cluster tracked as UNC5142, mixes old-fashioned website exploitation with a rare twist: storing malicious code on a public blockchain to evade takedowns and filters.

Across the compromised WordPress installations, the attackers deploy a multistage JavaScript downloader that Google calls CLEARSHORT. Once in place, it turns otherwise legitimate pages into malware delivery platforms, steering unsuspecting visitors through a chain of social engineering and covert payload requests.

Table of Contents
  • How the attack chain operates across compromised websites
  • Scope and consequences of the large-scale WordPress attacks
  • Why blockchain obfuscation helps these campaigns evade takedowns
  • Who is behind the campaign and how researchers track them
  • What site owners can do now to protect and recover
  • The road ahead for defenders and WordPress site operators

How the attack chain operates across compromised websites

Initial access usually comes through a long-unpatched theme or plugin, weak administrator credentials, or an insecure database configuration, the same weaknesses security teams have been warning about with growing urgency for years.

Once inside, UNC5142 injects CLEARSHORT into the site’s pages. When a visitor loads one, the script fingerprints the device and browser, retrieves second-stage code, and chooses its next move based on what it finds.

The novel part is EtherHiding: the operators store or reference malicious instructions “in the form of transactions and/or smart contracts” on BNB Smart Chain. Instead of fetching the next stage from a conventional server that defenders can block or knock offline, the injected script queries the blockchain for where to go next. Because that content lives on a public ledger and can be read through any of many nodes, it is far harder to erase or block, and the operators can redirect the chain by updating the contract rather than re-infecting the sites.

From there, the visitor is sent to a fake “fix” page, which researchers have seen hosted on developer or staging domains of popular cloud platforms. There, a ClickFix prompt instructs them to paste a command into the Windows Run dialog or the macOS Terminal. That hands the attackers code execution on the victim’s machine in the user’s own context, with no local software vulnerability required.

Scope and consequences of the large-scale WordPress attacks

Telemetry from Google, along with reports from independent defenders, shows more than 14,000 WordPress domains abused in this campaign alone. Not every visitor receives the same payload, but even the lowest-effort outcome can mean a fresh cache of stolen credentials, a second-stage infection, and resale of the access to other criminal groups.

The blast radius is widened by WordPress’s ubiquity: W3Techs industry surveys put the platform at over 40 percent of the web. For site owners, the fallout includes reputational damage, search-engine penalties, blocklisting, and data exposure if admin sessions or e-commerce backends are affected. For visitors, the risks range from drive-by malware to account takeover.


Why blockchain obfuscation helps these campaigns evade takedowns

Public blockchains are resilient by design. Data embedded in transactions or smart contracts is replicated across many nodes, so it cannot be taken offline by seizing a single server or sinkholing a domain; if one access point is removed, others still serve the same content. For defenders, this means the traditional infrastructure-takedown playbook falls short, and detection has to shift from static domain lists to behaviors: blockchain RPC lookups from a browser session, suspicious JavaScript patterns, or the ClickFix flow itself.

Anyone who has followed the long back-and-forth over injected JavaScript malware will recognize the pattern. EtherHiding turns it into a more distributed chase, in which defenders must combine web-application hardening with controls on blockchain content retrieval from the browser, such as restricting which RPC endpoints pages are allowed to contact.

Who is behind the campaign and how researchers track them

Google tracks the operators as UNC5142, a financially motivated group with a taste for new delivery techniques. The cluster has gone quiet for stretches that usually precede changes in tooling or infrastructure, retooling rather than retreating. Choosing a blockchain as a hidden content network signals a willingness to pay extra for durability.

What site owners can do now to protect and recover

  • Patch aggressively. Update WordPress core, themes, and plugins; remove any components that are unmaintained or no longer supported rather than leaving them installed. Many compromises in this wave trace back to well-known plugin vulnerabilities and weak admin passwords.
  • Harden the stack. Require two-factor authentication for admin accounts, disable file editing from the dashboard, restrict write permissions on the filesystem, and put a web application firewall in front of the site. The managed services many small businesses and publishers already use can block exploit attempts and flag anomalies.
  • Hunt for persistence. Look for unknown administrator accounts, unexpected cron jobs, obfuscated JavaScript in theme files (which should not contain any), odd entries in the wp_options table (a very common injection point; pay particular attention to autoloaded rows), and unexplained changes to .htaccess or wp-config.php. CLEARSHORT-associated artifacts typically look like heavily obfuscated script blocks that deliver conditional payloads.
  • Monitor egress. Review web logs and client-side telemetry for connections to blockchain RPC endpoints or smart-contract reads initiated from your pages. If you find any, assume compromise, isolate the site, and restore from a known-good backup.
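To make the two hunting steps above concrete, and to show what the on-chain lookup described under EtherHiding looks like in telemetry, here is an added Python example that is not part of the original article and not Google’s or UNC5142’s code. It scans constructed wp_options rows for autoloaded values carrying obfuscated script, flags JSON-RPC eth_call requests to an assumed list of BNB Smart Chain RPC hosts in a constructed egress log, and ABI-decodes a constructed eth_call result to recover the next-stage URL. All sample rows, log lines, hostnames, the contract address and the URL are made up for illustration; the RPC host list is an assumption to be replaced with your own threat intelligence.

```python
import json
import re

# --- Hunt: autoloaded wp_options rows carrying injected, obfuscated scripts ---

# Constructed sample rows, in the shape of:
#   SELECT option_name, option_value, autoload FROM wp_options WHERE autoload = 'yes';
# "wp_extra_init" is a made-up injected row; none of these names are real indicators.
SAMPLE_OPTIONS = [
    ("siteurl", "https://blog.example.test", "yes"),
    ("widget_text", '{"2":{"text":"<p>Welcome back</p>"}}', "yes"),
    ("_transient_doing_cron", "1729260000.4821", "yes"),
    ("wp_extra_init",
     '<script>eval(atob("dmFyIF8weDQ9ZG9jdW1lbnQ7XzB4NC5jb29raWU="));</script>', "yes"),
]

# Markers that rarely appear in legitimate option values but are common in injected loaders.
OBFUSCATION = re.compile(r"eval\(|atob\(|String\.fromCharCode|unescape\(|\\x[0-9a-f]{2}", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def suspicious_options(rows):
    """Return option names whose autoloaded value embeds a script with obfuscation markers."""
    hits = []
    for name, value, autoload in rows:
        if autoload != "yes" or "<script" not in value.lower():
            continue
        if OBFUSCATION.search(value) or LONG_BASE64.search(value):
            hits.append(name)
    return hits


# --- Monitor: JSON-RPC reads against BNB Smart Chain endpoints from visitor sessions ---

# Assumed indicator list of public BSC RPC hosts; extend it from your own threat intel.
BSC_RPC_HOSTS = {
    "bsc-dataseed.binance.org",
    "bsc-dataseed1.binance.org",
    "bsc-dataseed2.binance.org",
}

# Constructed proxy-style log: (client_ip, destination_host, request_body).
# The contract address and calldata are placeholders, not real on-chain artifacts.
SAMPLE_EGRESS = [
    ("10.0.0.5", "cdn.example.test", '{"v":1}'),
    ("10.0.0.7", "bsc-dataseed.binance.org",
     '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x' + "ab" * 20
     + '","data":"0xdeadbeef"},"latest"]}'),
    ("10.0.0.9", "api.example.test", '{"method":"eth_call"}'),
]


def rpc_lookups(log):
    """Flag eth_* JSON-RPC calls to known chain endpoints as (client, host, method, contract)."""
    findings = []
    for client, host, body in log:
        if host not in BSC_RPC_HOSTS:
            continue
        try:
            req = json.loads(body)
        except ValueError:
            continue  # not JSON-RPC; still worth noting the host, but not a chain read
        method = req.get("method", "")
        if not isinstance(method, str) or not method.startswith("eth_"):
            continue
        params = req.get("params") or []
        contract = params[0].get("to") if params and isinstance(params[0], dict) else None
        findings.append((client, host, method, contract))
    return findings


# --- Forensics: decode the string an eth_call returns to see where the loader goes next ---

def decode_abi_string(result_hex):
    """Decode a Solidity ABI-encoded `string` return value: [offset][length][bytes, zero-padded]."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", "replace")


# Constructed eth_call "result" field: a 31-byte string at offset 0x20, padded to a 32-byte word.
# The URL is a placeholder standing in for a ClickFix landing page.
SAMPLE_ETH_CALL_RESULT = (
    "0x"
    + "20".rjust(64, "0")
    + "1f".rjust(64, "0")
    + "68747470733a2f2f6669782e6578616d706c652e746573742f757064617465".ljust(64, "0")
)

if __name__ == "__main__":
    print("suspicious options:", suspicious_options(SAMPLE_OPTIONS))
    print("chain lookups:", rpc_lookups(SAMPLE_EGRESS))
    print("next stage:", decode_abi_string(SAMPLE_ETH_CALL_RESULT))
```

Feed suspicious_options the output of a real query against your database and rpc_lookups your proxy or CSP-report logs; a hit in either is enough to treat the site as compromised. The decoder matters because the RPC response carries only hex: without unpacking the offset/length/data layout you cannot see the landing page the loader was pointed at, which is the indicator you then block and report.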

For broader context and guidance, Google Threat Intelligence Group, Wordfence Intelligence, the Sucuri Blog, and national cybersecurity agencies such as CISA and ENISA publish practical checklists for hardening WordPress.

The road ahead for defenders and WordPress site operators

Expect copycats. When a method proves durable, it spreads through criminal ecosystems. Combining web exploitation with on-chain obfuscation gives attackers a persistent delivery channel that is largely out of reach of traditional takedown requests, and this will not be the last time defenders see it.

Countering it will take layers: site operators keeping better CMS hygiene, security vendors building detections for blockchain-assisted loaders, and blockchain infrastructure providers developing ways to report and respond to abuse without sacrificing openness. In the meantime, the best defense against this kind of unglamorous compromise remains a small, verifiable attack surface and a quick response when something looks off.
