North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts

Summary

Author style: Punchy — this piece flags a clear escalation: a DPRK-linked group has adopted EtherHiding to host and update malware from public smart contracts.

Google’s Threat Intelligence Group attributes the activity to UNC5342 (known by multiple vendor names). Since February 2025 the cluster has been embedding malicious payloads inside smart contracts on public chains (Ethereum, BSC) — a technique known as EtherHiding — turning blockchains into resilient, updateable dead-drops for malware. The campaign ties back to social-engineering recruitment lures on LinkedIn that shift to Telegram/Discord and trick developers into running malicious code. The multi-stage infection targets Windows, macOS and Linux and uses npm packages as the initial vector, followed by JavaScript stealers and backdoors (BeaverTail, JADESNOW, InvisibleFerret) to exfiltrate wallet data and credentials. EtherHiding’s low gas-cost updates (around US$1.37 per update) and pseudonymous deployment make takedown and attribution harder, marking the first observed use of this technique by a state-sponsored actor.

Key Points

  • UNC5342 (DPRK-linked) is using EtherHiding to store and deliver malware via public smart contracts.
  • The attack chain starts with social-engineering (LinkedIn) and malicious npm packages as the initial downloader.
  • Malware families observed: BeaverTail (JS stealer), JADESNOW (JS downloader), and InvisibleFerret (JS backdoor) plus additional credential stealers delivered via an embedded portable Python runtime.
  • Smart contracts act as decentralised, updateable dead-drops — attackers can change payloads cheaply and avoid traditional takedowns.
  • Multiple blockchains (Ethereum, BSC) were abused, increasing resilience and complicating investigation.
  • The end goals are credential/wallet theft and long-term access to high-value developer targets.

Content summary

The article outlines how a DPRK-affiliated threat cluster has operationalised EtherHiding to host malicious code in smart contracts, then uses social engineering to get targets to run a downloader that queries the blockchain to retrieve further payloads from those contracts. The approach leverages blockchain pseudonymity and immutability to resist takedowns and enable rapid payload updates. Google and Mandiant commentary frame this as an escalation in nation-state tactics, blending financial theft and espionage.

Context and relevance

This matters because it demonstrates attackers repurposing decentralised infrastructure for persistent malware delivery. Organisations that build software, integrate third‑party packages or custody crypto assets face heightened risk: attackers can stage payloads off‑site on public chains, hop across blockchains, and update campaigns cheaply. It’s a convergence of supply‑chain/social engineering and blockchain abuse that aligns with trends in financially motivated nation‑state operations.

Why should I read this?

Short version: if you work with dev tools, npm packages, crypto wallets or supply chains — this is your wake-up call. The article explains a clever new staging trick that makes malware harder to take down and easier to refresh. Read it so you can stop someone losing funds or IP because they ran a dodgy recruiter test from LinkedIn.

Source

Source: https://thehackernews.com/2025/10/north-korean-hackers-use-etherhiding-to.html