October 18, 2025 | Cryptopolitan

North Korean hackers hide crypto-theft malware inside smart contracts

North Korean hackers are now using a blockchain-based method known as EtherHiding to deliver malware to facilitate their crypto theft. According to experts, a North Korean hacker was discovered using this method, where attackers embed code such as JavaScript payloads inside a blockchain-based smart contract. With the method, the hackers turn the decentralized ledger into a resilient command-and-control (C2) channel.

According to a blog post published by Google Threat Intelligence Group (GTIG), this is the first time that it has observed an actor of this scale using this method. It claimed that using EtherHiding is convenient in the face of conventional takedown and blocklisting efforts. The threat intelligence group mentioned that it has been tracking threat actor UNC5342 since February 2025 as the actor integrates EtherHiding into an ongoing social engineering campaign.

North Korean hackers turn to EtherHiding

Google mentioned that it has linked the usage of EtherHiding to a social engineering campaign tracked by Palo Alto Networks as Contagious Interview. Contagious Interview was carried out by North Korean hackers. According to Socket researchers, the group expanded its operation with a new malware loader, ￰7￱ loader has accumulated thousands of downloads, with the targets being job seekers and individuals believed to own digital assets or sensitive ￰8￱ this campaign, the North Korean hackers use JADESNOW malware to distribute a JavaScript variant of INVISIBLEFERRET, which has been used to carry out numerous cryptocurrency thefts.

The campaign targets developers in the crypto and technology industries, stealing sensitive data and digital assets and gaining access to corporate networks. It also centers around a social engineering tactic that copies legitimate recruitment processes using fake recruiters and fabricated ￰11￱ recruiters are used to lure candidates to platforms like Telegram or ￰12￱ that, the malware is then delivered to their systems and devices through fake coding tests or software downloads disguised as technical assessments or interview tasks.

The campaign uses a multi-stage malware infection process, which usually involves malware like JADESNOW, INVISIBLEFERRET, and BEAVERTAIL, to compromise the victim’s system. The malware affects Windows, Linux, and macOS systems.

Researchers detail the cons of EtherHiding

EtherHiding provides a better advantage to attackers, with GTIG noting that it acts as a particularly challenging threat to ￰16￱ core element of EtherHiding that is concerning is that it is decentralized in nature. This means that the malicious code is stored on a permissionless and decentralized blockchain, making it hard for law enforcement or cybersecurity firms to take it down because it has no central ￰18￱ identity of the attacker is also hard to track because of the pseudonymous nature of blockchain transactions.

It is also hard to remove malicious code in smart contracts deployed on the blockchain if you are not the owner of the contract. The attacker in control of the smart contract, in this case the North Korean hackers, can also choose to update the malicious payload at any time. While security researchers may try to warn the community about a malicious contract by tagging it, it doesn’t stop hackers from carrying out their malicious activities using the smart contract.

In addition, attackers can retrieve their malicious payload using read-only calls that do not leave a visible transaction history on the blockchain, making it hard for researchers to track their activities on the blockchain. According to the threat research report, EtherHiding represents a “shift towards next-generation bulletproof hosting” where the most glaring features of blockchain technology are being used by scammers for malicious purposes.
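Because read-only calls leave no transaction history on-chain, the place a defender can still observe them is the victim network's own egress. The following added example (not from the article or from GTIG) scans proxy records for the Ethereum JSON-RPC read-only methods `eth_call` and `eth_getStorageAt` issued by processes outside an allow-list. The log schema, host and process names, endpoints and contract address are constructed, and it assumes the proxy records request bodies.

```python
import json

# Ethereum JSON-RPC methods that read chain state without creating a transaction.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt"}
# Assumption: the only process expected to query blockchain RPC endpoints here.
EXPECTED_PROCESSES = {"wallet-desktop"}
CONTRACT = "0x" + "ab" * 20  # constructed placeholder address, not a real indicator
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": CONTRACT, "data": "0x00"}, "latest"]}
BLOCKNUM = {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}

def _record(host, process, dest, body):  # one constructed proxy log line
    return json.dumps({"host": host, "process": process, "dest": dest, "body": json.dumps(body)})

SAMPLE_LOG = [  # constructed records in a hypothetical egress-proxy schema
    _record("dev-laptop-07", "node", "rpc.example.invalid", CALL),
    _record("fin-desktop-02", "wallet-desktop", "rpc.example.invalid", CALL),
    _record("dev-laptop-07", "node", "api.example.invalid", {"query": "status"}),
    _record("dev-laptop-09", "node", "rpc.example.invalid", [BLOCKNUM, CALL]),
    "truncated line, not JSON",
]

def _loads(text):
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None

def read_only_targets(body):
    """Return the addresses read by read-only calls in a JSON-RPC body (single or batch)."""
    doc = _loads(body)
    targets = []
    for call in doc if isinstance(doc, list) else [doc]:
        if isinstance(call, dict) and call.get("method") in READ_ONLY_METHODS:
            params = call.get("params")
            first = params[0] if isinstance(params, list) and params else None
            targets.append(first.get("to") if isinstance(first, dict) else first)
    return targets

def find_unexpected_reads(lines):
    """Flag read-only contract reads made by processes outside the allow-list."""
    alerts = []
    for line in lines:
        rec = _loads(line)
        targets = read_only_targets(rec.get("body")) if isinstance(rec, dict) else []
        if targets and rec.get("process") not in EXPECTED_PROCESSES:
            alerts.append({"host": rec.get("host"), "dest": rec.get("dest"), "contracts": targets})
    return alerts
```

The contract addresses collected in each alert give an analyst a pivot for blocklisting at the egress point, which is the control that remains when the contract itself cannot be taken down.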
