North Korean Hackers Employ EtherHiding to Conceal Malware in Blockchain Smart Contracts

In a significant escalation of cyber threats, a North Korean state-sponsored hacking group has been identified utilizing a novel technique known as EtherHiding to distribute malware and facilitate cryptocurrency theft. This marks the first documented instance of a nation-state actor employing this method, highlighting the evolving sophistication of cyber adversaries.

The group, tracked by Google’s Threat Intelligence Group (GTIG) as UNC5342, is also recognized under various aliases, including CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro). Their recent activities are part of an ongoing campaign dubbed Contagious Interview, wherein attackers masquerade as recruiters on LinkedIn to lure developers into executing malicious code under the guise of job assessments, often transitioning conversations to platforms like Telegram or Discord.

The primary objective of these operations is to gain unauthorized access to developers’ systems, exfiltrate sensitive information, and siphon cryptocurrency assets. This aligns with North Korea’s dual focus on cyber espionage and financial gain, strategies that have been well-documented in previous campaigns.

Since February 2025, UNC5342 has been observed incorporating EtherHiding—a stealthy technique that embeds malicious code within smart contracts on public blockchains such as the BNB Smart Chain (BSC) and Ethereum. By leveraging the decentralized and immutable nature of blockchain technology, the attackers transform the blockchain into a resilient command-and-control infrastructure, making takedown efforts exceedingly challenging.

EtherHiding exploits the pseudonymous characteristics of blockchain transactions, complicating the tracing of the malicious smart contract’s origin. Furthermore, this method offers flexibility, allowing attackers to update the malicious payload at any time, albeit incurring minimal gas fees averaging $1.37. This adaptability opens the door to a wide array of potential threats, as the payload can be modified to suit various malicious objectives.

Robert Wallace, consulting leader at Mandiant, Google Cloud, emphasized the gravity of this development:

This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns.

The infection chain initiated by these social engineering attacks is a multi-stage process capable of targeting Windows, macOS, and Linux systems. The attack sequence involves several distinct malware families:

1. Initial Downloader: This component is often delivered through malicious npm packages, serving as the entry point for the attack.

2. BeaverTail: A JavaScript-based stealer designed to exfiltrate sensitive information, including cryptocurrency wallets, browser extension data, and user credentials.

3. JADESNOW: A JavaScript downloader that interacts with the Ethereum blockchain to retrieve additional payloads.

4. InvisibleFerret: A JavaScript variant of a previously identified Python backdoor, this malware provides remote control over the compromised host and facilitates long-term data theft by targeting cryptocurrency wallets like MetaMask and Phantom, as well as credentials stored in password managers such as 1Password.

The attack sequence unfolds as follows:

– The victim is enticed to execute code that initiates the initial JavaScript downloader.

– This downloader interacts with a malicious BSC smart contract to fetch JADESNOW.

– JADESNOW then queries the transaction history associated with a specific Ethereum address to retrieve the third-stage payload, InvisibleFerret.

Additionally, the malware attempts to install a portable Python interpreter to execute an extra credential-stealing component stored at a different Ethereum address. Notably, this campaign demonstrates the threat actor’s use of multiple blockchains to facilitate EtherHiding activities, showcasing a sophisticated understanding of blockchain technology for malicious purposes.
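As an added defensive example (not code from the article, Google or Mandiant), the following scores constructed egress records for the retrieval pattern described above: a script interpreter on a developer host pulling large responses from blockchain JSON-RPC endpoints. The JSON-RPC methods, process names, hostnames and threshold are assumptions chosen for illustration, not indicators from the campaign.

```python
"""Score constructed egress records for EtherHiding-style payload retrieval.
Heuristic (an assumption of this example, not from the article): a script
interpreter issuing blockchain JSON-RPC reads that return large responses."""
import json
# JSON-RPC read methods that return contract state, code or transaction data.
READ_METHODS = {"eth_call", "eth_getCode", "eth_getTransactionByHash",
                "eth_getLogs", "eth_getBlockByNumber"}
# Interpreters that rarely need JSON-RPC on a workstation; browsers and wallets do.
SCRIPT_PROCS = {"node", "node.exe", "python", "python.exe", "python3"}
LARGE_RESPONSE_BYTES = 4096  # tune per environment

def rpc(method, params):  # builds a request body, used only to construct samples
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

# Constructed sample records (proxy or EDR export), not real telemetry.
SAMPLE_LOG = [
    {"proc": "chrome.exe", "dst": "rpc.chain.example", "resp_bytes": 120,
     "req": rpc("eth_blockNumber", [])},
    {"proc": "node.exe", "dst": "rpc.bsc.example", "resp_bytes": 9830,
     "req": rpc("eth_call", [{"to": "0xPLACEHOLDER", "data": "0x"}, "latest"])},
    {"proc": "node.exe", "dst": "rpc.eth.example", "resp_bytes": 15220,
     "req": rpc("eth_getTransactionByHash", ["0xPLACEHOLDER"])},
    {"proc": "python.exe", "dst": "rpc.eth.example", "resp_bytes": 66,
     "req": rpc("eth_getBalance", ["0xPLACEHOLDER", "latest"])},
    {"proc": "node.exe", "dst": "rpc.eth.example", "resp_bytes": 300,
     "req": "not json"},  # malformed body must not crash the scorer
]

def rpc_method(body):
    """Extract the JSON-RPC method from a request body, or None if unparseable."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    return msg.get("method") if isinstance(msg, dict) else None

def score(rec):
    """Return (points, reasons) for one egress record."""
    pts, why = 0, []
    method = rpc_method(rec["req"])
    if rec["proc"].lower() in SCRIPT_PROCS:
        pts += 1; why.append("script interpreter speaking JSON-RPC")
    if method in READ_METHODS:
        pts += 1; why.append(f"contract/tx read method {method}")
    if rec["resp_bytes"] >= LARGE_RESPONSE_BYTES:
        pts += 2; why.append(f"large response ({rec['resp_bytes']} bytes)")
    return pts, why

def find_suspects(records, threshold=3):
    """Return (dst, method, points, reasons) for records at or above threshold."""
    return [(r["dst"], rpc_method(r["req"]), *score(r))
            for r in records if score(r)[0] >= threshold]
```

Process name alone is noisy (developers legitimately script against RPC nodes), so the response-size and method signals carry most of the weight; baseline both per environment before alerting.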

Google’s analysis underscores the significance of this technique:

EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends. This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.

The adoption of EtherHiding by state-sponsored actors like UNC5342 signifies a notable advancement in cyberattack methodologies. By embedding malicious code within blockchain smart contracts, these adversaries exploit the decentralized and immutable nature of blockchain technology to create resilient and adaptable command-and-control infrastructures. This evolution presents significant challenges for cybersecurity professionals, as traditional takedown strategies become less effective against such decentralized and pseudonymous platforms.

As the cyber threat landscape continues to evolve, it is imperative for organizations to remain vigilant and adapt their defensive strategies accordingly. Understanding and mitigating the risks associated with emerging techniques like EtherHiding will be crucial in safeguarding sensitive information and financial assets from increasingly sophisticated adversaries.