EtherHiding malware hides crypto-stealing code in smart contracts, triggering Google flags: a deep dive

Google's Threat Intelligence Group (GTIG) has recently flagged a malware delivery technique called "EtherHiding," in which malicious code is embedded in smart contracts on public blockchains and used to steal cryptocurrency and sensitive data. This is the first time a nation-state actor has been observed using the method. GTIG attributes the activity to UNC5342, a threat cluster linked to North Korea.

How EtherHiding Works

EtherHiding leverages the decentralized and immutable nature of blockchain technology to create a resilient and difficult-to-disrupt malware delivery system. Attackers embed malicious code, often in the form of JavaScript payloads, within smart contracts on blockchains like Ethereum and BNB Smart Chain. This effectively transforms the blockchain into a decentralized command-and-control (C2) server.

The typical attack chain involves several stages:

  1. Compromise: Victims are often lured through social engineering tactics, such as fake job interviews or coding challenges, to download malicious files.
  2. Loader Script: Once executed, these files deploy a lightweight loader script.
  3. Blockchain Interaction: The loader script queries the malicious smart contract and retrieves the encrypted payload through read-only calls. Because these calls only read contract state, they are not recorded as transactions on the chain: the retrieval leaves no on-chain trail and costs no gas.
  4. Payload Execution: The retrieved payload is then executed on the victim's computer. This can lead to various malicious activities, including displaying fake login pages, installing information-stealing malware, or deploying ransomware. In many cases, the loader script deploys the JADESNOW loader, which then fetches the INVISIBLEFERRET backdoor.
  5. Data Theft and Persistence: The malware steals sensitive information and cryptocurrency and establishes persistent access to corporate networks.

Advantages for Attackers

EtherHiding offers several advantages to attackers:

  • Decentralization and Resilience: The malicious code is stored on a decentralized blockchain, making it nearly impossible to take down. As long as the blockchain is operational, the code remains accessible.
  • Anonymity: The pseudonymous nature of blockchain transactions makes it difficult to trace the identity of the attackers.
  • Immutability: Once deployed, a smart contract's code cannot be altered or removed by anyone else, so the hosting cannot be taken down the way a web server can.
  • Flexibility: The attacker can still update or replace the payload by changing the data the contract stores, without having to redeploy the contract.
  • Stealth: The use of read-only calls to retrieve the malicious payload makes the activity harder to track.
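The defender's side of step 3 above and of the "Stealth" point is that a read-only call leaves no transaction on the chain, but it still leaves an outbound JSON-RPC request that an egress proxy can log. The following Python is an added detection example, not code from GTIG's report or from UNC5342's tooling; it assumes a proxy that records JSON-RPC request/response pairs as JSON lines, an enterprise allowlist of hosts sanctioned to talk to chain RPC endpoints, and a constructed contract address, function selector and RPC hostname.

```python
import json
import re

# Assumption: the enterprise allowlists the hosts sanctioned to talk to public-chain
# RPC endpoints; eth_call traffic from anything else is suspicious.
ALLOWED_RPC_CLIENTS = {"10.0.5.20"}
# Cheap markers that a returned string is meant to be executed, not displayed.
SCRIPT_MARKERS = re.compile(r"eval\(|new Function\(|atob\(|document\.write|<script", re.I)

def abi_decode_string(hex_result: str) -> str:
    """Decode an ABI-encoded `string` return: 32-byte offset, 32-byte length, data."""
    raw = bytes.fromhex(hex_result.removeprefix("0x"))
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")

def abi_encode_string(s: str) -> str:
    """Inverse of the decoder; used here only to build the constructed sample log."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()

def analyze_rpc_log(lines):
    """lines: JSON records {src, host, request, response} from an egress proxy.
    Returns one finding per eth_call issued by a non-allowlisted host."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        req = rec["request"]
        # A write would show up as eth_sendRawTransaction; EtherHiding loaders only read.
        if req.get("method") != "eth_call" or rec["src"] in ALLOWED_RPC_CLIENTS:
            continue
        call = req["params"][0]
        payload = abi_decode_string(rec["response"]["result"])
        findings.append({
            "src": rec["src"], "rpc_host": rec["host"], "contract": call.get("to"),
            "selector": call.get("data", "")[:10],  # 4-byte function selector
            "script_like": bool(SCRIPT_MARKERS.search(payload)),
        })
    return findings

# Constructed sample log: a sanctioned client reads a version string; a workstation pulls a script-like string.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.5.20", "host": "rpc.example-chain.test", "request": {"method": "eth_call",
     "params": [{"to": "0x" + "11" * 20, "data": "0x00c0ffee"}, "latest"]},
     "response": {"result": abi_encode_string("1.2.3")}},
    {"src": "10.0.7.41", "host": "rpc.example-chain.test", "request": {"method": "eth_call",
     "params": [{"to": "0x" + "c0de" * 10, "data": "0x00c0ffee"}, "latest"]},
     "response": {"result": abi_encode_string('eval(atob("aGk="))')}},
]]
```

Running `analyze_rpc_log(SAMPLE_LOG)` yields a single finding for the workstation, with the contract address and selector to pivot on and `script_like` set, which is the signal to hunt for the loader on that host.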

North Korean Connection and "Contagious Interview" Campaign

GTIG has linked the use of EtherHiding to UNC5342, a North Korean threat actor. Since February 2025, UNC5342 has been incorporating EtherHiding into a social engineering campaign known as "Contagious Interview". In this campaign, the attackers pose as recruiters from legitimate companies, targeting developers in the cryptocurrency and technology sectors. They lure victims into fake job interviews or coding challenges, tricking them into downloading malware-laden files.

Impact and Mitigation

The use of EtherHiding represents a significant escalation in the threat landscape, as it allows attackers to leverage the inherent features of blockchain technology for malicious purposes. Traditional security measures, such as domain blocklisting and disrupting malicious file downloads, are less effective against this technique.

Recommended defenses include:

  • Centrally managed security policies, especially in enterprise environments.
  • Enforcing download restrictions on dangerous file types.
  • Managing browser updates automatically.
  • Configuring enhanced Safe Browsing and URL blocklists within browsers.

Written By
Yash Menon, an aspiring journalist with a keen interest in investigative reporting and a genuine passion for sports, is committed to factual storytelling. Having recently completed his journalism degree, Yash is eager to apply his skills professionally. He is particularly passionate about amplifying the voices of underrepresented communities and exploring complex social issues with integrity and depth, drawing parallels from the dedication found in sports.
© 2025 DailyDigest360