North Korean Hackers Use Blockchain to Hide Malware with EtherHiding

Written by Eduardo Morales | Oct 17, 2025 1:15:00 PM

Cyberattack groups linked to the North Korean regime have taken their sophistication to a new level. According to a report by Google Threat Intelligence Group (GTIG), researchers have identified a novel technique called EtherHiding, which allows attackers to hide malware inside smart contracts on public blockchains such as BNB Smart Chain and Ethereum.

This is the first known case of a state-sponsored group using EtherHiding, signaling a new era in global cybercrime and increasing the risk for both individuals and organizations operating in the crypto ecosystem.

Operation Attributed to a North Korean Group

The activity is attributed to the UNC5342 group, also known under various names by cybersecurity firms: CL‑STA‑0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), Famous Chollima (CrowdStrike), and Void Dokkaebi (Trend Micro). All these aliases refer to the same attackers tied to North Korea.

EtherHiding was deployed as part of a broader campaign called Contagious Interview, active for months. The operation starts with fake LinkedIn recruiters or HR managers offering attractive job opportunities — mainly to software developers.

Once trust is established, the conversation moves to Telegram or Discord, where victims are asked to download a supposed “technical test” or “code assessment.” That file contains the initial malware dropper that begins the infection chain.

The goal: gain access to developers’ systems, steal crypto wallets and credentials, and in some cases, exfiltrate sensitive data — combining social engineering, technical sophistication, and financial and political motives.

What Is EtherHiding and How It Works

EtherHiding exploits public blockchain features to embed malicious code inside smart contracts.

Instead of storing malware on a traditional server, attackers store fragments of code within blockchain contracts, hosted on networks like BNB Smart Chain or Ethereum.

This means the blockchain itself becomes an unremovable storage layer — data recorded on-chain cannot be deleted.

Researchers found that UNC5342 has been using EtherHiding since February 2025, leveraging it to distribute malware updates and manage stolen data directly through blockchain transactions.

Why EtherHiding Is Nearly Impossible to Stop

EtherHiding is considered one of the most complex and persistent attack methods due to several factors:

  1. Full decentralization: There’s no central server that can be taken down.

  2. Anonymity: Blockchain transactions are pseudonymous, making it hard to trace malicious contract creators.

  3. Dynamic updates: Attackers can change malware code in real time for less than $2 in gas fees.

  4. Persistence: Once deployed, a contract remains permanently accessible — even if detected.

As Robert Wallace, consulting lead at Mandiant (Google Cloud), stated:

“This represents a serious escalation. State‑sponsored actors are now deploying malware that’s resistant to takedown and adaptable for future campaigns.”

The Infection Chain: From LinkedIn to Crypto Theft

The campaign combines social engineering, modular malware, and persistent access. The full attack chain unfolds as follows:

  1. Initial contact: The hacker poses as a recruiter on LinkedIn, offering a coding test.

  2. Malware delivery: The victim downloads an npm package or file containing a malicious dropper.

  3. Data theft: The file installs BeaverTail, a JavaScript infostealer that extracts crypto wallets, passwords, and browser cookies.

  4. Secondary payload: The JADESNOW module uses EtherHiding to retrieve the next component — InvisibleFerret.

  5. Remote control: InvisibleFerret (written in Python) enables full remote control, targeting wallets like MetaMask and Phantom, as well as password managers such as 1Password.

This modular design allows cross-platform infection across Windows, macOS, and Linux.

The infection chain (Source: The Hacker News)

A Cyberattack with Economic and Political Motives

Cryptocurrency theft remains a key funding source for the North Korean government, helping finance its military and nuclear programs under heavy international sanctions.

Groups like Lazarus, APT38, and now UNC5342 have executed major crypto heists across DeFi platforms and exchanges. EtherHiding, however, marks a technological leap — the first time a state actor weaponizes blockchain for malware delivery.

Their goals extend beyond financial theft to intelligence gathering from tech and defense companies — especially those developing AI or cybersecurity tools.

How to Protect Against EtherHiding and Similar Attacks

At TecnetOne, we advise companies and IT professionals to strengthen internal protocols against such evolving threats. Key recommendations include:

  1. Verify job offers carefully.
    Confirm recruiters’ identities directly through official company channels. Never download files without verification.

  2. Secure your wallets and passwords.
    Use hardware wallets and dedicated password managers; avoid storing credentials in browsers.

  3. Monitor endpoint activity.
    Detect suspicious script executions (e.g., PowerShell) and block connections to unknown or blockchain-related domains.

  4. Keep all systems updated.
    Regularly patch software, development environments (npm, GitHub, VS Code), and operating systems.

  5. Train your teams.
    Social engineering remains the top entry vector. Awareness is your best defense.
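One concrete way to act on the endpoint-monitoring recommendation above, as an added example that is not the article's or GTIG's code: scan web-proxy log lines for a script interpreter (node, python, PowerShell) on a developer workstation issuing read-only JSON-RPC calls to a public blockchain gateway, which is how a loader would fetch contract data without paying gas. The log format, the gateway domain list and the sample lines are assumptions constructed for this example.

```python
# Added example (not the article's or GTIG's code): flag proxy log lines where a
# script interpreter reads smart-contract data from a public blockchain gateway.
import json
import re

# Assumed public RPC gateways for the two chains the article names.
BLOCKCHAIN_RPC_DOMAINS = ("bsc-dataseed.binance.org", "mainnet.infura.io")
# Interpreters a recruiter's "coding test" would typically run under.
SCRIPT_INTERPRETERS = {"node", "node.exe", "python", "python.exe", "powershell.exe"}
# Read-only JSON-RPC methods that return contract data without a transaction.
READ_METHODS = {"eth_call", "eth_getStorageAt"}

# Assumed log format: "<ts> host=<h> proc=<path> dst=<domain> body=<request body>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) body=(?P<body>.*)$"
)

def is_rpc_gateway(dst):
    return any(dst == d or dst.endswith("." + d) for d in BLOCKCHAIN_RPC_DOMAINS)

def rpc_method(body):
    """Return the JSON-RPC method name, or None if the body is not a JSON object."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    return msg.get("method") if isinstance(msg, dict) else None

def scan(lines):
    """Return (timestamp, host, process, destination, method) for each hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_rpc_gateway(m["dst"]):
            continue
        # Normalise Windows and POSIX paths down to the executable name.
        proc = m["proc"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        method = rpc_method(m["body"])
        if proc in SCRIPT_INTERPRETERS and method in READ_METHODS:
            findings.append((m["ts"], m["host"], proc, m["dst"], method))
    return findings

# Constructed sample: a browser block-height check, a node.exe contract read, a non-RPC line.
SAMPLE_LOG = [
    'T1 host=dev01 proc=C:\\Programs\\chrome.exe dst=mainnet.infura.io body={"method":"eth_blockNumber"}',
    'T2 host=dev01 proc=C:\\Users\\dev\\node.exe dst=bsc-dataseed.binance.org body={"method":"eth_call","params":[]}',
    "T3 host=dev02 proc=python.exe dst=registry.npmjs.org body=not-json",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious on-chain read:", hit)
```

A browser talking to a gateway is routine for anyone using a web wallet; the signal here is the combination of interpreter process plus contract read, which is why the rule keys on both.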

EtherHiding: A New Cybersecurity Turning Point

Experts agree: EtherHiding marks a turning point in the evolution of cyber threats. What was once a trusted decentralized environment — the blockchain — is now being exploited as a permanent malware host.

At TecnetOne, we continue to monitor these hybrid threats, helping organizations protect their digital assets through advanced threat detection, security audits, and incident response strategies.

The lesson is clear: cybercriminals evolve as fast as the technology they exploit.

As malware moves to the blockchain and phishing takes on the guise of recruiters, visibility and prevention are your strongest allies.