North Korean Hackers Exploit EtherHiding to Spread Malware and Steal Crypto Assets

North Korean threat actors have adopted EtherHiding, a technique that uses public blockchains to distribute malware and support cryptocurrency theft. Because the malicious code lives in smart-contract state rather than on a server, the usual takedown playbook does not apply.
EtherHiding Technique
EtherHiding marks a shift in how malicious payloads are stored and delivered: the attacker embeds the payload in a smart contract on a public blockchain such as BNB Smart Chain or Ethereum. Because every node on the network serves that contract state, the blockchain effectively becomes a decentralized command-and-control channel that resists conventional takedown efforts.
The Google Threat Intelligence Group (GTIG) has identified the North Korea-linked threat actor UNC5342 as the first nation-state group it has observed using this technique, which until then had been seen only in financially motivated campaigns. This development represents a significant escalation in state-sponsored cyber operations.
Attack Methodology
The technique first appeared in September 2023 in the CLEARFAKE campaign run by UNC5142, which used fake browser-update prompts to get victims to run malicious code. The attack chain starts with a compromised legitimate website into which the attacker injects a small JavaScript loader. When a visitor loads the page, the loader queries a public blockchain node (for example, with a JSON-RPC eth_call against the attacker's contract) to fetch the main payload. Reading contract state is not a transaction: it costs no gas and leaves no on-chain record, which is what is meant by avoiding detection. Note that the read is still an ordinary outbound HTTPS request from the victim's browser to an RPC endpoint, so it remains visible to proxy and network monitoring even though it never touches the chain.
The Strategic Advantages for Attackers
EtherHiding offers several advantages:
- Takedown resistance: the payload is replicated by every node on a public chain, so there is no central server to seize or sinkhole.
- Pseudonymity: the contract and its owner are identified only by addresses, which makes attribution harder, although the deployment and update transactions are public and can be traced on-chain.
- Immutability: once deployed, the contract cannot be removed or altered by anyone except through the functions it exposes to its owner key, so defenders cannot delete the stored code.
- Easy updates: the owner can replace the stored payload with a single cheap transaction, switching malware families or targeting without touching the compromised websites.
- Silent retrieval: victims fetch the payload with read-only calls that cost nothing and write nothing to the chain, so the reads leave no on-chain trail (only the owner's update transactions do).
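To make the retrieval mechanism concrete, here is an added example in JavaScript; it is not code from GTIG or from any JADESNOW sample. It builds the JSON-RPC eth_call request a loader would send, decodes the ABI-encoded `string` a contract getter returns, and exercises both against an in-memory stand-in for a public node so it runs offline. The contract address, the 4-byte function selector and the staged payload text are constructed placeholders (the real addresses are in the IOC table below); a real loader would POST the request object to an RPC endpoint with `fetch`.

```javascript
// Added example: how an EtherHiding loader reads a payload with eth_call,
// and how the returned ABI-encoded string is decoded. Runs in Node or a browser.

const WORD = 32; // ABI encoding works in 32-byte words

// --- hex helpers (no Buffer, so the code also runs in a browser) ---
function bytesToHex(bytes) {
  return '0x' + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}
function hexToBytes(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (h.length % 2 !== 0 || /[^0-9a-fA-F]/.test(h)) throw new Error('malformed hex');
  const out = new Uint8Array(h.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(h.slice(i * 2, i * 2 + 2), 16);
  return out;
}
function wordFromUint(n) { // big-endian uint256
  const w = new Uint8Array(WORD);
  let v = BigInt(n);
  for (let i = WORD - 1; i >= 0 && v > 0n; i--) { w[i] = Number(v & 0xffn); v >>= 8n; }
  return w;
}
function uintFromWord(bytes, offset) {
  let v = 0n;
  for (let i = 0; i < WORD; i++) v = (v << 8n) | BigInt(bytes[offset + i]);
  return v;
}

// --- ABI encoding of a dynamic `string` return value ---
// Layout: [offset of data (0x20)] [byte length] [bytes, zero-padded to a word]
function abiEncodeString(str) {
  const data = new TextEncoder().encode(str);
  const padded = Math.ceil(data.length / WORD) * WORD;
  const out = new Uint8Array(WORD * 2 + padded);
  out.set(wordFromUint(WORD), 0);          // head: where the dynamic part starts
  out.set(wordFromUint(data.length), WORD); // tail: byte length
  out.set(data, WORD * 2);                  // tail: the bytes themselves
  return bytesToHex(out);
}
// Decoder with bounds checks; a node answers '0x' for a wrong address or selector.
function abiDecodeString(hex) {
  const bytes = hexToBytes(hex);
  if (bytes.length < WORD * 2) throw new Error('return data too short for a string');
  const offset = Number(uintFromWord(bytes, 0));
  if (offset + WORD > bytes.length) throw new Error('string offset out of range');
  const len = Number(uintFromWord(bytes, offset));
  const start = offset + WORD;
  if (start + len > bytes.length) throw new Error('string length exceeds return data');
  return new TextDecoder().decode(bytes.subarray(start, start + len));
}

// --- the read-only call: no transaction, no gas, no on-chain record ---
function buildEthCallRequest(contract, selector, id = 1) {
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'],
  };
}
// `transport` takes the request object and returns the node's JSON-RPC reply.
// A real loader would fetch() it from a public RPC URL; it is injectable here
// so the example runs offline.
function readPayload(transport, contract, selector) {
  const reply = transport(buildEthCallRequest(contract, selector));
  if (reply.error) throw new Error(`node error: ${reply.error.message}`);
  return abiDecodeString(reply.result);
}

// --- constructed stand-ins (placeholders, not the IOCs from the report) ---
const CONTRACT = '0x' + '11'.repeat(20);       // placeholder contract address
const SELECTOR = '0x6d4ce63c';                 // assumed selector of the contract's string getter
const STAGED_PAYLOAD = 'console.log("stage two would run here")'; // constructed payload text

// In-memory stand-in for a public node serving the attacker's contract state.
function fakeNode(req) {
  const base = { jsonrpc: '2.0', id: req.id };
  if (req.method !== 'eth_call') return { ...base, error: { code: -32601, message: 'method not found' } };
  const [{ to, data }] = req.params;
  if (to !== CONTRACT || data !== SELECTOR) return { ...base, result: '0x' }; // unknown contract/function
  return { ...base, result: abiEncodeString(STAGED_PAYLOAD) };
}

// A real loader would hand the decoded text to eval()/Function(); here we only
// show that it arrives intact from a read that never wrote to the chain.
console.log('decoded payload:', readPayload(fakeNode, CONTRACT, SELECTOR));
```

The point to take from the block is the shape of the request: a POST whose body is a JSON-RPC `eth_call`, addressed to an RPC endpoint rather than to attacker infrastructure. That body, and the fact that it originates from a script on a site that has no business talking to a blockchain node, is what a proxy or EDR rule can key on; nothing about the read appears on-chain.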
Since February 2025, GTIG has tracked UNC5342 using EtherHiding in the Contagious Interview campaign, targeting developers in the cryptocurrency and technology sectors through fake recruitment processes.
JADESNOW and Blockchain Infrastructure
JADESNOW is a JavaScript downloader family associated with UNC5342 that uses EtherHiding to pull later stages from smart contracts on BNB Smart Chain and Ethereum. The initial downloader reads the JADESNOW payload from a contract on BNB Smart Chain; the IOCs below show a later stage, INVISIBLEFERRET.JAVASCRIPT, stored in an Ethereum transaction. Splitting one operation across two chains means a defender who blocks or monitors a single network's RPC endpoints never sees the whole chain, and it shows how readily the operators move between platforms.
Defense Strategies and Recommendations
Mitigation strategies should include:
- Enrolling browsers in Chrome Browser Cloud Management so that the policies below are enforced centrally rather than left to each user.
- Setting the DownloadRestrictions policy to block dangerous file types, since both the fake-update and fake-recruitment lures end in a download (the JADESNOW ZIP archive in the IOC table, for example).
- Keeping Chrome on managed automatic updates, so users learn that a web page asking them to "update your browser" is never legitimate.
- Using URLBlocklist to block known malicious sites and the public blockchain RPC endpoints the loaders query. Treat this as one layer only: the attacker can point the loader at any node, and blanket-blocking RPC hosts breaks legitimate use of web3 applications.
- Enforcing Google Safe Browsing by policy for real-time URL and download reputation.
The adoption of EtherHiding by nation-state actors like UNC5342 reflects the evolving cyber threat landscape, where attackers leverage new technologies for malicious purposes.
Indicators of Compromise (IOCs)
| Type | Indicator | Context |
|---|---|---|
| SHA256 Hash (ZIP Archive) | 970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628 | ZIP archive containing the initial downloader, JADESNOW. |
| SHA256 Hash (Initial JavaScript Downloader) | 01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7 | JADESNOW sample initiating the infection chain. |
| BSC Address (Smart Contract) | 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c | BNB Smart Chain contract used for the JADESNOW payload. |
| BSC Address (Attacker-Controlled) | 0x9bc1355344b54dedf3e44296916ed15653844509 | Owner address of the malicious BNB Smart Chain contract. |
| Ethereum Transaction Hash (INVISIBLEFERRET.JAVASCRIPT Payload) | 0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a | Transaction storing the INVISIBLEFERRET.JAVASCRIPT payload. |