Google security researchers have identified a new wave of North Korean cyberattacks leveraging blockchain technology to conceal malware and facilitate cryptocurrency theft.
The researchers noted this was the first case they’ve seen of a nation-state actor using decentralized networks as part of a malware delivery infrastructure.
DPRK’s adoption of EtherHiding
According to Google’s Threat Intelligence Group (GTIG), the North Korea–linked hacking group UNC5342 has begun using a technique known as EtherHiding to embed malicious code within smart contracts on public blockchains such as Ethereum and BNB Smart Chain.
The tactic allows malicious code to remain accessible as long as the blockchain is operational.
Unlike traditional hosting servers that can be shut down or blocklisted, smart contracts are immutable and decentralized.
This resilience makes EtherHiding particularly difficult to disrupt and represents what Google researchers describe as a shift toward “next-generation bulletproof hosting.”
How EtherHiding works
EtherHiding enables attackers to store JavaScript-based payloads directly on a blockchain, effectively transforming it into a decentralized command-and-control system.
When a victim visits a compromised website or opens a malicious file, a lightweight loader script retrieves encrypted code from the blockchain via a read-only call.
Because no blockchain transaction is created, this retrieval is stealthy and incurs no gas fees.
Once downloaded, the payload executes locally, often deploying the JADESNOW loader, which fetches the INVISIBLEFERRET backdoor.
This multilayered infection chain gives attackers long-term access to the target’s system, enabling data theft, espionage, and cryptocurrency wallet compromise.
EtherHiding’s design offers multiple advantages to threat actors: decentralization and immutability prevent takedowns, pseudonymity conceals identities, and flexibility allows constant updates to the payload. Together, these traits make EtherHiding a resilient malware delivery mechanism.
Social engineering campaign
Since February 2025, UNC5342 has integrated EtherHiding into a broader social engineering campaign known as Contagious Interview, targeting developers in cryptocurrency and technology sectors.
Posing as recruiters from legitimate companies, attackers lure victims into fake job interviews or coding challenges.
During these interactions, the victims are asked to download files from GitHub or npm repositories—files that contain malware disguised as coding assessments or technical exercises.
Once executed, these malicious files initiate a three-stage infection process.
The JADESNOW downloader first collects basic system data and fetches additional components, followed by deployment of the INVISIBLEFERRET backdoor.
This backdoor enables remote access, data exfiltration, and lateral movement within networks.
In some intrusions, the malware can steal credentials, browser data, and cryptocurrency wallet keys from systems running Windows, macOS, or Linux.
Beyond financial gain, these operations align with North Korea’s dual objectives: generating revenue to evade international sanctions and gathering technical intelligence for future espionage operations.
Although EtherHiding leverages decentralized networks, researchers note that North Korean attackers still depend on centralized web services to interact with the blockchain.
These intermediaries—such as public API providers and explorer platforms—represent key points where defenders can monitor, flag, and potentially block malicious activity.
Google emphasized that coordinated action from these service providers is essential to curb EtherHiding’s proliferation.
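As an added illustration of the monitoring point above (not code from the article or from Google's report): a small Python checker over constructed egress-proxy log lines that flags read-only JSON-RPC contract reads (eth_call and similar methods, which are how a loader fetches contract data without creating a transaction) from hosts with no business reason to query public blockchain API providers, and highlights a host repeatedly reading the same contract, which is what a loader polling for its payload looks like. The hostnames, allowlist, RPC endpoint and contract addresses are all made up.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Read-only JSON-RPC methods that fetch contract code or state without creating a
# transaction; a loader polling a payload contract shows up as repeated eth_call.
READ_ONLY_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}

# Hypothetical allowlist: hosts with a business reason to query public RPC nodes.
ALLOWED_HOSTS = {"treasury-node-01"}

# Constructed sample egress-proxy records: time, client host, URL, JSON-RPC body.
SAMPLE_LOG = [
    '2025-03-04T10:15:01Z dev-ws-17 https://rpc.example-provider.test/ {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000deadbeef","data":"0x6d4ce63c"},"latest"]}',
    '2025-03-04T10:15:31Z dev-ws-17 https://rpc.example-provider.test/ {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000deadbeef","data":"0x6d4ce63c"},"latest"]}',
    '2025-03-04T10:16:02Z treasury-node-01 https://rpc.example-provider.test/ {"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000c0ffee","data":"0x70a08231"},"latest"]}',
    '2025-03-04T10:16:40Z dev-ws-17 https://rpc.example-provider.test/ {"jsonrpc":"2.0","id":3,"method":"eth_blockNumber","params":[]}',
    '2025-03-04T10:17:09Z dev-ws-22 https://rpc.example-provider.test/ not-json',
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one proxy record and decode its JSON-RPC body; None if not RPC."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, url, body = m.groups()
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(rpc, dict) or "method" not in rpc:
        return None
    params = rpc.get("params") or []
    # eth_call / eth_getStorageAt carry the contract address in the first param
    target = params[0].get("to") if params and isinstance(params[0], dict) else None
    return {"ts": ts, "host": host, "url": url, "method": rpc["method"], "to": target}


def find_suspicious(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag read-only contract reads from hosts not expected to touch chain RPC."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in READ_ONLY_METHODS:
            continue
        if rec["host"] in ALLOWED_HOSTS:
            continue
        findings.append(rec)
    return findings


def polling_contracts(findings, threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """(host, contract) pairs read at least `threshold` times: loader-style polling."""
    counts = Counter((f["host"], f["to"]) for f in findings)
    return {k: n for k, n in counts.items() if n >= threshold}
```

In production the same two checks would run over real proxy or DNS logs, with the allowlist and the set of public RPC endpoints maintained alongside the threat intelligence feeds mentioned in the defensive strategies.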
Defensive strategies
Traditional security measures like IP blocking or domain takedowns are largely ineffective against blockchain-based threats.
However, organizations can reduce exposure through a combination of technical and policy-based controls.
- Restrict risky downloads: Block downloads of executable file types (.exe, .msi, .bat, .dll) through centralized browser management policies.
- Automate browser updates: Use enterprise management tools to push secure updates automatically, reducing susceptibility to fake “update” prompts.
- Enforce strict authentication: Require multi-factor authentication (MFA) and least-privilege access for all administrative accounts.
- Enable enhanced safe browsing: Activate real-time phishing and malware protection across managed browsers.
- Monitor blockchain activity: Collaborate with threat intelligence providers to identify and flag suspicious smart contracts or blockchain transactions.
- Train users on social engineering: Reinforce awareness that legitimate recruiters will not require downloading executable files or manual software updates.
Chrome Enterprise policies, such as DownloadRestrictions, Managed Updates, and Safe Browsing enforcement, can effectively disrupt EtherHiding campaigns by automating user protections and limiting attacker opportunities.
North Korea’s use of EtherHiding demonstrates how state-sponsored hackers continue to exploit emerging technologies to evade detection and expand their reach.
By embedding malicious code within blockchain smart contracts, DPRK threat actors have achieved a new level of persistence and resilience in their operations.
To counter evolving threats like this, organizations should adopt a zero-trust security model.