UNC5342 EtherHiding on BNB Smart Chain and Ethereum | Image: GTIG
Google Threat Intelligence Group (GTIG) has uncovered a new campaign by the North Korean threat actor UNC5342, marking the first known instance of a nation-state actor leveraging “EtherHiding” — a sophisticated technique that embeds malware within blockchain transactions to evade takedowns and detection.
Originally seen in financially motivated campaigns like CLEARFAKE, EtherHiding is a blockchain-based malware hosting method that stores malicious JavaScript payloads directly inside smart contracts on networks such as BNB Smart Chain and Ethereum.
This approach allows attackers to use the blockchain itself as a decentralized command-and-control (C2) infrastructure, resistant to traditional takedowns.
“EtherHiding involves embedding malicious code within a smart contract on a public blockchain… turning the blockchain into a decentralized and highly resilient command-and-control server,” GTIG explained.
Unlike conventional malware campaigns that rely on web servers, EtherHiding exploits the immutability, decentralization, and pseudonymity of blockchains — making malicious content permanent, anonymous, and difficult to remove.
According to GTIG, UNC5342 adopted EtherHiding as part of its “Contagious Interview” social engineering campaign — previously documented by Palo Alto Networks.
- Initial Compromise: The attackers pose as recruiters, offering fake job opportunities to software and cryptocurrency developers.
- Malicious Test or Tool: Victims are asked to download code samples or “test projects,” which contain the JADESNOW JavaScript downloader malware.
- Blockchain Fetch: When executed, JADESNOW retrieves the next-stage payload directly from a smart contract on BNB Smart Chain or Ethereum using read-only eth_call requests. An eth_call is simulated by the node rather than signed and broadcast as a transaction, so the fetch leaves no on-chain record.
- Payload Execution: The downloaded malware runs in memory, deploying additional backdoors and data stealers such as INVISIBLEFERRET.
“The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT,” GTIG said.
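The fetch-and-decode loop described in the steps above, as an added example written for this article (it is not code from the GTIG report or from any UNC5342 sample). It models the three pieces the page names: the read-only eth_call request a loader sends to a JSON-RPC endpoint, a Base64-plus-XOR wrapping of the stored script, and the loader-side unwrapping. The contract address, getter selector, XOR key and payload text are placeholders constructed for the example; the request is built but never sent, and the "chain" is simulated in-process. The request shape assumes a standard JSON-RPC endpoint; explorer APIs such as the ones the page names expose the same read through their own HTTP wrappers.

```javascript
// Added example for this article: a self-contained model of an EtherHiding
// fetch-and-decode cycle. Not code from GTIG or from any real sample.
// All identifiers below are placeholders constructed for illustration.

// --- hypothetical on-chain location of the payload (constructed) ---
const CONTRACT_ADDRESS = '0x' + '11'.repeat(20); // placeholder, not a real contract
const GETTER_SELECTOR = '0x0badc0de';            // placeholder 4-byte selector; a real loader uses keccak256(signature)[0:4]
const XOR_KEY = Buffer.from('k3y!', 'utf8');     // placeholder key

// Step 1: what the loader sends. eth_call is a read-only simulation performed by
// the node: no transaction is signed or broadcast, so nothing appears on-chain.
function buildEthCallRequest(to, selector) {
  return {
    jsonrpc: '2.0',
    id: 1,
    method: 'eth_call',
    params: [{ to, data: selector }, 'latest'],
  };
}

// Byte-wise XOR with a repeating key (symmetric: the same call encrypts and decrypts).
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Minimal ABI encoding/decoding of a single `string` return value:
// word 0 = offset of the string (0x20), word 1 = byte length, then the bytes
// right-padded to a multiple of 32.
function word(n) {
  return n.toString(16).padStart(64, '0');
}

function abiEncodeString(str) {
  const data = Buffer.from(str, 'utf8');
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  return '0x' + word(32) + word(data.length) + padded.toString('hex');
}

function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  const offset = Number(BigInt('0x' + buf.subarray(0, 32).toString('hex')));
  const length = Number(BigInt('0x' + buf.subarray(offset, offset + 32).toString('hex')));
  return buf.subarray(offset + 32, offset + 32 + length).toString('utf8');
}

// Step 2 (attacker side, simulated): what one transaction writes into contract
// storage: XOR-encrypt the script, then Base64-encode it. Returns the hex that
// eth_call would hand back in its "result" field.
function stagePayload(plaintextJs, key) {
  const obfuscated = xorBytes(Buffer.from(plaintextJs, 'utf8'), key).toString('base64');
  return abiEncodeString(obfuscated);
}

// Step 3 (loader side): reverse the wrapping. A real loader would then pass the
// string to eval/Function; this example only returns it.
function decodePayload(ethCallResult, key) {
  const obfuscated = abiDecodeString(ethCallResult);
  return xorBytes(Buffer.from(obfuscated, 'base64'), key).toString('utf8');
}

// Defender side: the fields worth logging at an egress proxy or API provider.
// A developer workstation reading an unexpected contract is the observable that
// the centralized intermediaries described later in the article can act on.
function summarizeEthCall(request) {
  if (request.method !== 'eth_call') return null;
  const { to, data } = request.params[0];
  return { to: to.toLowerCase(), selector: data.slice(0, 10) };
}

// Demo: a constructed stand-in script, round-tripped through the simulated chain.
function demo() {
  const stagedScript = "console.log('next stage would run here')"; // constructed stand-in
  const request = buildEthCallRequest(CONTRACT_ADDRESS, GETTER_SELECTOR);
  const simulatedResponse = { jsonrpc: '2.0', id: 1, result: stagePayload(stagedScript, XOR_KEY) };
  const recovered = decodePayload(simulatedResponse.result, XOR_KEY);
  return { request, summary: summarizeEthCall(request), recovered };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and the printed object shows the three artefacts side by side: the JSON-RPC body that actually crosses the network (the only thing a defender sees), the proxy-side summary of it, and the recovered script. Note that the request carries no key material and the response is just an ABI-encoded string, which is why payload updates cost the attacker one storage-writing transaction and nothing else.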
The final stage of the attack is INVISIBLEFERRET, a backdoor capable of remote command execution and of exfiltrating files, browser data, and cryptocurrency wallets. The variant GTIG describes in this chain is the JavaScript build, INVISIBLEFERRET.JAVASCRIPT; the Python component noted below is a separately dropped interpreter used to run the credential stealer.
GTIG analysts found that the backdoor talks to attacker-controlled servers over TCP port 3306, the port normally associated with MySQL, sending the victim's hostname, operating system, and user details; the choice of port lets the traffic blend with ordinary database connections.
“The backdoor proceeds to run in the background, listening for incoming commands… capable of executing built-in commands to change directories and exfiltrate files,” the report noted.
In some cases, the malware installs a portable Python interpreter to execute a credential stealer that targets MetaMask, Phantom, Chrome, and Edge, sending stolen data via Telegram or remote servers.
The campaign serves two strategic purposes — espionage and financial gain — in line with North Korea’s ongoing use of cyber operations to evade international sanctions.
“A primary objective is the theft of cryptocurrency and other financial assets to generate revenue for the regime… By compromising developers, the campaign aims to gather valuable intelligence and potentially gain a foothold in technology companies for future operations,” GTIG observed.
The use of elaborate fake job interviews, complete with video meetings, coding challenges, and fake recruitment websites, showcases the DPRK’s growing sophistication in social engineering.
EtherHiding represents a paradigm shift in threat infrastructure, turning blockchain’s strengths — immutability, transparency, and decentralization — into tools for persistence and anonymity.
“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” GTIG concluded.
Because a deployed contract cannot be taken down or deleted by a third party, the payload stays reachable for as long as the chain does. The attackers, as the contract's controller, can still swap the payload at will by sending a single transaction that overwrites the stored data, at a cost GTIG puts at under $2 in gas fees per update.
Despite EtherHiding’s decentralized power, GTIG found exploitable weaknesses in the attackers’ approach.
UNC5342 does not run its own blockchain nodes; instead, it reads contract data through centralized API service providers such as Binplorer, Etherscan, and Ethplorer.
“Neither UNC5342 nor UNC5142 are interacting directly with BNB Smart Chain… both are utilizing centralized services akin to Web2 hosting. This affords defenders the opportunity to mitigate such threats through blocking or account suspensions,” the report explained.
This reliance on centralized intermediaries gives defenders and regulators a critical interception point to monitor, flag, or suspend malicious blockchain activity.