1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Thousands of web pages abused by hackers to spread malware

    From TechnologyDaily@1337:1/100 to All on Friday, October 17, 2025 16:30:08
    Thousands of web pages abused by hackers to spread malware

    Date:
    Fri, 17 Oct 2025 15:28:00 +0000

    Description:
    More than 14,000 websites were seen distributing malware with the help of blockchain technology.

    FULL STORY ======================================================================UNC5142 hacked 14,000+ WordPress sites to distribute malware Malware payloads were fetched from blockchain, boosting resilience and hindering takedowns ClickFix lures tricked users into running malicious commands

    More than 14,000 WordPress websites were hacked and used as launchpads for malware distribution, Googles Threat Intelligence Group (GTIG) said in a recent report.

    Discussing the campaign in-depth, GTIG said that it is the work of UNC5142, a relatively new threat actor that emerged in late 2023 and stopped operations in late July 2025.

    It is not yet known if the pause is temporary, permanent, or if the group simply pivoted to different techniques. Given their previous success compromising websites and deploying malware, Google believes that the group just improved their obfuscation techniques and still operates in the wild. Blockchain and ClickFix

    In the campaign, UNC5142 would indiscriminately target vulnerable WordPress sites - those with flawed plugins, theme files, and in some cases - the WordPress database itself.

    These sites would be given a multi-stage JavaScript downloader dubbed CLEARSHOT, that enabled malware distribution. This downloader fetched the stage-two payload from the public blockchain, often using BNB chain.

    The use of blockchain is interesting, the researchers found, as it improves resiliency and makes takedowns more difficult:

    The use of blockchain technology for large parts of UNC5142s infrastructure and operation increases their resiliency in the face of detection and
    takedown efforts, the report says.

    Network based protection mechanisms are more difficult to implement for Web3 traffic compared to traditional web traffic given the lack of use of traditional URLs. Seizure and takedown operations are also hindered given the immutability of the blockchain.

    From the public blockchain, the malware would pull a CLEARSHORT landing page from an external server. This landing page would serve the ClickFix social engineering tactic - prompting users to copy and paste a command into the Run program on Windows (or the Terminal app on a Mac) which ultimately downloads the malware.

    The landing pages were typically hosted on a Cloudflare .dev page, it was said, and retrieved in an encrypted format.

    Via The Hacker News

    Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the
    Follow button!

    And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too. You might also like Devious new ClickFix malware variant targets macOS, Android, and iOS using browser-based redirections Take a look at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/thousands-of-web-pages-abused-by-hacker s-to-spread-malware


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)