Ethical Hacking News
North Korean state-sponsored hackers have been observed using the EtherHiding technique to stage malware inside smart contracts on public blockchains. Google Threat Intelligence Group (GTIG) attributes the activity, part of the long-running Contagious Interview campaign against developers, to the cluster it tracks as UNC5342 and says it is the first time a nation-state actor has been seen adopting the technique. Because the malicious code lives on-chain, it is resistant to law enforcement take-downs and can be modified for new campaigns by whoever controls the contract.
North Korean hackers have been spotted using EtherHiding, a stealthy approach in which malicious code is embedded in a smart contract on a public blockchain such as BNB Smart Chain (BSC) or Ethereum. This is the first time a state-sponsored hacking group has been observed adopting the technique.
Google Threat Intelligence Group (GTIG) has attributed this activity to a threat cluster known as UNC5342, also tracked by other security firms under various names. The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein attackers pose as recruiters or hiring managers on LinkedIn and trick potential targets into running malicious code.
The goal of these efforts is to gain unauthorized access to developers' machines, steal sensitive data, and siphon cryptocurrency assets. Google has observed UNC5342 incorporating EtherHiding since February 2025. This approach turns the blockchain into a decentralized dead drop resolver that's resilient to takedown efforts.
EtherHiding abuses the pseudonymous nature of blockchain transactions, which makes it harder to trace who deployed the smart contract; the loader itself retrieves the payload through read-only calls that create no transaction of their own, so the victim side leaves nothing on-chain either. The technique is also flexible: whoever controls the contract can update the malicious payload at any time, so the same delivery mechanism can serve anything from a redirect URL to a complete next stage and can be repurposed for a new campaign without touching already-infected hosts.
The infection chain triggered by the social engineering attack is a multi-stage process that targets Windows, macOS, and Linux systems with three different malware families:
1. An initial downloader delivered as npm packages
2. BeaverTail, a JavaScript stealer that exfiltrates sensitive information such as cryptocurrency wallets, browser extension data, and credentials
3. JADESNOW, a JavaScript downloader that interacts with Ethereum to fetch InvisibleFerret
InvisibleFerret is a JavaScript variant of the Python backdoor, deployed against high-value targets to give the operators remote control of the compromised host and long-term data theft; it targets MetaMask and Phantom wallets and credentials stored in password managers such as 1Password.
Robert Wallace, consulting leader at Mandiant, Google Cloud, said in a statement shared with The Hacker News: "This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns."
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Leverage-EtherHiding-Technique-to-Distribute-Malware-via-Blockchain-Smart-Contracts-ehn.shtml
https://thehackernews.com/2025/10/north-korean-hackers-use-etherhiding-to.html
Published: Thu Oct 16 13:44:12 2025 by llama3.2 3B Q4_K_M