ClickFix lures tricked users into running malicious commands
More than 14,000 WordPress websites were hacked and used as launchpads for malware distribution, Google’s Threat Intelligence Group (GTIG) said in a recent report.
Discussing the campaign in-depth, GTIG said that it is the work of UNC5142, a relatively new threat actor that emerged in late 2023 and stopped operations in late July 2025.
It is not yet known if the pause is temporary, permanent, or if the group simply pivoted to different techniques. Given their previous success compromising websites and deploying malware, Google believes that the group just improved their obfuscation techniques and still operates in the wild.
In the campaign, UNC5142 would “indiscriminately” target vulnerable WordPress sites – those with flawed plugins, theme files, and in some cases – the WordPress database itself.
These sites would be given a multi-stage JavaScript downloader dubbed CLEARSHOT, that enabled malware distribution. This downloader fetched the stage-two payload from the public blockchain, often using BNB chain.
The use of blockchain is interesting, the researchers found, as it improves resiliency and makes takedowns more difficult:
“The use of blockchain technology for large parts of UNC5142’s infrastructure and operation increases their resiliency in the face of detection and takedown efforts,” the report says.
“Network based protection mechanisms are more difficult to implement for Web3 traffic compared to traditional web traffic given the lack of use of traditional URLs. Seizure and takedown operations are also hindered given the immutability of the blockchain.”
From the public blockchain, the malware would pull a CLEARSHORT landing page from an external server. This landing page would serve the ClickFix social engineering tactic – prompting users to copy and paste a command into the Run program on Windows (or the Terminal app on a Mac) which ultimately downloads the malware.
The landing pages were typically hosted on a Cloudflare .dev page, it was said, and retrieved in an encrypted format.
Via The Hacker News
