North Korea’s hackers have once again found a way to stay ahead of the curve, this time by hiding malware inside blockchain smart contracts.
Google’s Threat Intelligence Group (GTIG) has confirmed that the DPRK-linked group UNC5342 has begun using a technique known as EtherHiding to deliver malicious payloads and steal cryptocurrency. It’s the first recorded instance of a nation-state actor adopting this blockchain based method, marking an escalation in the use of decentralised infrastructure for offensive cyber operations.
What Is EtherHiding?
First observed in late 2023 as part of a financially-motivated campaign dubbed CLEARFAKE, EtherHiding involves embedding malicious JavaScript payloads inside smart contracts on public blockchains such as Ethereum and BNB Smart Chain.

Think of it as turning a blockchain into a command-and-control server that can’t be taken down. Because smart contracts are immutable and publicly accessible, the attacker’s code effectively gains permanent hosting in a decentralised, censorship-resistant environment.
Here’s how a typical EtherHiding attack unfolds:
- Initial breach – The attackers compromise a legitimate website, often a WordPress instance, or dupe victims through fake job interviews and crypto-themed games.
- Loader injection – A tiny JavaScript “loader” is quietly added to the site’s code.
- Blockchain fetch – When a visitor loads the page, the script issues a read-only call (eth_call) to a blockchain contract, retrieving the hidden payload without creating a traceable transaction or paying gas fees.
- Execution – The malware executes locally, opening the door to credential theft, fake login overlays, or more invasive backdoors.
Because the blockchain acts as the hosting layer, there’s no domain to seize, no server to block, and no single point of failure. It’s malware distribution with built-in redundancy, wrapped in decentralisation’s ideological armour.
North Korea’s “Contagious Interview”
UNC5342’s use of EtherHiding isn’t random opportunism; it’s part of a broader social-engineering campaign researchers have dubbed Contagious Interview.
Since early 2025, DPRK operators posing as recruiters have approached software developers and crypto professionals on LinkedIn, Telegram, or Discord. Their pitch: an enticing job opportunity and a short technical assessment.
The “assessment” usually involves downloading what appears to be a harmless coding test from GitHub or npm. In reality, it’s a multi-stage infection chain designed to compromise the victim’s machine and extract valuable data.
The campaign serves two state priorities:
- Financial gain, generating hard currency through crypto theft to circumvent sanctions; and
- Intelligence gathering, embedding within tech firms to access sensitive codebases and tools.
The technique’s sophistication shows how far North Korea’s cyber units have evolved from blunt ransomware operations to targeted, research-grade espionage.
The Malware Line-up
The attack typically unfolds in three stages, involving a family of interlinked malware components:
- JADESNOW – a JavaScript downloader that uses EtherHiding to retrieve further payloads from the blockchain.
- BEAVERTAIL – an information stealer focused on browser data, crypto wallets, and extensions.
- INVISIBLEFERRET – the final backdoor, originally Python-based, now rewritten in JavaScript for stealth and portability.
Once active, INVISIBLEFERRET establishes remote control over the victim’s system, exfiltrating credentials from browsers like Chrome and Edge, as well as wallets such as MetaMask and Phantom. The data is compressed, encrypted, and shipped to attacker-controlled servers and private Telegram channels.
Google’s analysis found the group rotating payloads across multiple blockchains—a clever obfuscation tactic that also lets them chase lower gas fees. In one instance, UNC5342 switched from Ethereum to BNB Smart Chain mid-campaign, likely to cut costs while maintaining operational agility.
Why EtherHiding Works
Several attributes make EtherHiding uniquely resilient:
- Decentralisation – With no central infrastructure, takedowns are virtually impossible. The malicious contract persists as long as the blockchain does.
- Anonymity – The pseudonymous nature of blockchain transactions obscures who deployed the code.
- Immutability – Once a smart contract is published, its contents are almost impossible to alter or delete.
- Stealth – Read-only blockchain queries leave no traceable on-chain transactions.
- Flexibility – Attackers can update payloads with minimal cost (roughly $1–2 in gas fees), enabling continuous iteration.
In short, it’s a form of “bulletproof hosting 2.0”, repurposing decentralised technology for covert command-and-control.
Centralised Weak Links
Despite the decentralised veneer, EtherHiding operations still rely on centralised choke points. Both DPRK’s UNC5342 and the earlier CLEARFAKE cluster use API services and RPC endpoints – Web2 gateways that connect scripts to blockchain networks.
This is the defenders’ silver lining. By monitoring and restricting these API calls, providers can disrupt malicious traffic. Some firms, like Binplorer, acted swiftly when alerted by Google. Others have yet to respond, underscoring how inconsistent cooperation leaves gaps that adversaries can exploit.
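The choke point described above is visible from the defender's side of the wire: every EtherHiding loader still has to send a JSON-RPC `eth_call` to some gateway. The script below is an added illustration, not code from Google's report or from any tool it mentions. It scans constructed egress-proxy log lines for `eth_call` requests, records which contracts each client queries (a baseline for spotting read-only calls from hosts that have no business talking to a chain), and raises an alert when the target is on a blocklist. The only real value in it is the BNB Smart Chain contract address GTIG attributed to UNC5342 later in the article; the log format, host names, client IPs, function selectors and other addresses are all constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample egress-proxy log: "<client-ip> <rpc-host> <JSON-RPC request body>".
# Line 1 uses the BNB Smart Chain contract address GTIG attributed to UNC5342 (quoted from
# the article); every other address, selector, host name and client IP is made up here.
SAMPLE_LOG = """\
10.0.0.12 bsc-rpc.gateway.invalid {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x8eac3198dd72f3e07108c4c7cff43108ad48a71c","data":"0xaabbccdd"},"latest"]}
10.0.0.15 eth-rpc.gateway.invalid {"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}
10.0.0.12 bsc-rpc.gateway.invalid {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x01020304"},"latest"]}
10.0.0.20 bsc-rpc.gateway.invalid {"jsonrpc":"2.0","id":3,"method":"eth_getBalance","params":["0x2222222222222222222222222222222222222222","latest"]}
10.0.0.12 bsc-rpc.gateway.invalid not-a-json-body
"""

# Contract addresses known to host payloads. Matching is done on the lower-cased hex form so
# that checksummed (mixed-case) spellings of the same address still hit.
BLOCKLIST = {"0x8eac3198dd72f3e07108c4c7cff43108ad48a71c"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\{.*\})\s*$")


def parse_line(line):
    """Split one log line into client, host and parsed JSON-RPC body; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, host, body = m.groups()
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(rpc, dict):
        return None
    return {"client": client, "host": host, "rpc": rpc}


def eth_call_target(rpc):
    """Return the lower-cased 'to' address of an eth_call request, or None for other methods."""
    if rpc.get("method") != "eth_call":
        return None
    params = rpc.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    to = params[0].get("to")
    return to.lower() if isinstance(to, str) else None


def scan(log_text, blocklist=BLOCKLIST):
    """Return (alerts for blocklisted contracts, sorted eth_call targets per client)."""
    alerts = []
    targets = defaultdict(set)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        to = eth_call_target(rec["rpc"])
        if to is None:
            continue
        targets[rec["client"]].add(to)
        if to in blocklist:
            alerts.append({"line": lineno, "client": rec["client"],
                           "host": rec["host"], "contract": to})
    return alerts, {c: sorted(t) for c, t in targets.items()}


if __name__ == "__main__":
    found, per_client = scan(SAMPLE_LOG)
    for a in found:
        print(f"ALERT line {a['line']}: {a['client']} -> {a['host']} "
              f"eth_call to blocklisted contract {a['contract']}")
    for client, contracts in per_client.items():
        print(f"{client}: eth_call targets {contracts}")
```

In production the blocklist would be fed from threat intelligence and the per-client target map would be compared against an allowlist of sanctioned dApps; an `eth_call` from a workstation that never runs a wallet is itself worth a look, even before the contract address is known to be bad.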
Chrome Enterprise and the User Layer
Because EtherHiding often masquerades as fake browser updates, enterprise administrators can pre-empt the ruse through centralised browser management.
- Block malicious file types (.exe, .msi, .bat) using Chrome’s DownloadRestrictions policy.
- Automate legitimate updates, so users never have to click a “Chrome needs updating” prompt.
- Reinforce user training: if you’re asked to update Chrome manually, it’s a scam.
- Deploy Safe Browsing and URL blocklists to limit exposure to compromised sites.
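As an added example of what the three policy items above look like when pushed through centralised browser management (this is not a configuration from the article or from Google): a Chrome managed-policy file for Linux, which Chrome reads from `/etc/opt/chrome/policies/managed/`. `DownloadRestrictions` defaults to 0 (no special restrictions); value 1 blocks malicious downloads and dangerous file types such as executables, which is the setting the article's first bullet calls for. `SafeBrowsingProtectionLevel` 1 is standard protection. The `URLBlocklist` entries are constructed placeholders standing in for a known-compromised site and an RPC gateway the organisation has no legitimate reason to reach; on Windows the same keys are set under the Chrome policy registry path rather than a file. Check the current Chrome policy reference for the exact value semantics of your Chrome version.

```json
{
  "DownloadRestrictions": 1,
  "SafeBrowsingProtectionLevel": 1,
  "URLBlocklist": [
    "compromised-site.invalid",
    "bsc-rpc.gateway.invalid"
  ]
}
```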
It’s a reminder that, even against next-generation threats, well-managed digital hygiene still matters.
On-Chain Forensics
GTIG traced one of UNC5342’s smart contracts on the BNB Smart Chain, address 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c, which had been updated over twenty times in four months, each revision costing about $1.37. The contract’s function calls fetched obfuscated JavaScript that decrypted into further payloads stored on Ethereum.
Each new transaction acted as a dead drop, embedding fresh instructions within transaction metadata. This agility allows the attackers to reseed their malware campaign through a single blockchain transaction, without touching the compromised website again.
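When an analyst captures the `eth_call` response that a loader receives, the `result` field is ABI-encoded, so the first job is to unwrap it before any of the JavaScript can be inspected. The script below is an added example, not part of Google's analysis or tooling: it decodes a single dynamic `string`/`bytes` return value (32-byte offset, 32-byte length, then the padded data), rejects results whose offset or length point outside the buffer, and then hashes the recovered blob and tallies a few obfuscation indicators so the sample can be filed and compared against later revisions of the same contract. The JSON-RPC response and the payload inside it are constructed for the example; the small encoder exists only to build that fixture.

```python
import hashlib
import json

# Constructed JavaScript "payload". It is deliberately harmless; it exists only to show what
# the decoder and triage return. Nothing here is real UNC5342 contract data.
SAMPLE_PAYLOAD = b"console.log('constructed sample');eval(atob('Ly8gY29uc3RydWN0ZWQ='));"


def abi_encode_string(data: bytes) -> str:
    """ABI-encode one dynamic string/bytes return value. Used only to build the fixture."""
    head = (32).to_bytes(32, "big")            # offset of the dynamic part
    length = len(data).to_bytes(32, "big")     # byte length of the string
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (head + length + padded).hex()


# Constructed JSON-RPC eth_call response wrapping the encoded sample payload.
SAMPLE_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_PAYLOAD)}
)


def abi_decode_string(result_hex: str) -> bytes:
    """Decode a single ABI-encoded dynamic value, checking every bound before slicing."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded dynamic value")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("ABI offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the result")
    return raw[start:start + length]


# Strings commonly seen in obfuscated browser-side loaders; presence is a triage hint, not a verdict.
INDICATORS = ("eval(", "atob(", "String.fromCharCode", "document.createElement(", "unescape(")


def triage_response(response_json: str):
    """Return a triage record for an eth_call response, or None if it carries no result."""
    resp = json.loads(response_json)
    if "error" in resp or not isinstance(resp.get("result"), str):
        return None
    payload = abi_decode_string(resp["result"])
    text = payload.decode("utf-8", errors="replace")
    return {
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
        "indicators": [i for i in INDICATORS if i in text],
        "preview": text[:80],
    }


if __name__ == "__main__":
    record = triage_response(SAMPLE_RESPONSE)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Keeping the SHA-256 of each decoded blob per contract address, alongside the block number the call was made at, gives a timeline of the "dead drop" revisions the article describes without having to reconstruct them later from the chain.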
Analysts believe this hybrid multi-chain approach reflects operational compartmentalisation: different DPRK cyber units running parallel components of the same infrastructure.

A Glimpse of the Future
The adoption of EtherHiding by a sanctioned nation-state is a turning point. What began as a criminal trick for hosting malicious updates has evolved into a strategic cyber weapon, one that exploits the very properties that make blockchains trustworthy.
It also raises uncomfortable questions for the Web3 industry. Blockchains pride themselves on permanence, but that same permanence can now enshrine malware indefinitely. Labelling contracts as “malicious” on explorers like BscScan is a start, but it’s hardly a solution.
As decentralisation continues to blur the boundaries between legitimate and illicit code hosting, defenders will need to think differently, combining on-chain analysis, API-level controls, and smarter endpoint policies to counter an adversary that’s learned to weaponise immutability itself.
In the DPRK’s hands, EtherHiding isn’t just a new hacking tool. It’s a glimpse into how cyberwarfare will evolve when the battlefield is written directly into the blockchain ledger.
The Implications of EtherHiding
The adoption of EtherHiding by nation-state actors marks a shift in the cyber threat landscape, from transient exploits to self-sustaining, on-chain operations. By embedding malicious payloads within immutable smart contracts, these actors have effectively sidestepped traditional takedown mechanisms, signalling the arrival of a threat model that evolves as fluidly as the networks it inhabits.
Financial advice disclaimer: This article is for informational purposes only and should not be considered financial advice.