Hackers Employ Blockchain-Based EtherHiding Technique to Conceal Malware
Hackers have adopted a novel technique called EtherHiding, which leverages public blockchain networks to conceal and control malware, making their operations highly resistant to takedown efforts. According to research from Google’s Threat Intelligence Group, at least two distinct hacking groups are utilizing this method: one is a North Korean state-sponsored actor, tracked as UNC5342, and the other is a financially motivated cybercriminal group, UNC5142. EtherHiding works by embedding malicious instructions within blockchain smart contracts, rather than relying on traditional command-and-control servers. This approach exploits the decentralized and immutable nature of blockchains, providing attackers with a resilient infrastructure that is difficult for law enforcement or defenders to disrupt. The North Korean group UNC5342 has used EtherHiding in social engineering campaigns targeting developers and cryptocurrency firms, often luring victims with job-related files or coding challenges. When a target opens a malicious file, a script connects to the blockchain to retrieve encrypted code from a smart contract, which then installs the JadeSnow loader. This loader subsequently delivers a persistent backdoor known as InvisibleFerret, which has been linked to multiple cryptocurrency thefts. Meanwhile, the financially motivated group UNC5142 has adapted EtherHiding to distribute infostealers via compromised WordPress sites. The technique allows attackers to update or replace their malware by simply modifying the smart contract, further complicating detection and remediation. Researchers note that this represents a significant escalation in the threat landscape, as blockchain’s pseudonymous and decentralized features provide a form of "bulletproof" hosting for malicious operations. EtherHiding was first observed in 2023 in a campaign called ClearFake, but its adoption by nation-state actors marks a new phase in cybercriminal innovation. The use of blockchain for malware delivery not only hinders traditional takedown strategies but also enables attackers to operate with greater anonymity. Security experts warn that this method can be easily adapted for new campaigns, increasing the risk to organizations in the cryptocurrency and technology sectors. The persistence and flexibility of blockchain-hosted malware pose a growing challenge for defenders, who must now contend with threats that cannot be neutralized by simply removing malicious servers. This development underscores the need for enhanced monitoring of blockchain activity and improved detection mechanisms for malware leveraging decentralized technologies. Organizations are advised to educate employees about social engineering tactics and to implement robust endpoint security to mitigate the risks associated with these advanced attack techniques.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers describe blockchain malware hosting as takedown-resistant
In the October 2025 disclosure, Google said the use of Ethereum and BNB Smart Chain for malware delivery represented a shift toward 'next-generation bulletproof hosting' because the decentralized, immutable infrastructure is difficult to remove or disrupt.
Google discloses EtherHiding abuse by state and criminal groups
On October 16, 2025, Google's Threat Intelligence Group publicly reported that at least two hacking groups, including North Korea-linked UNC5342, were using the EtherHiding technique to embed malicious instructions in public blockchain smart contracts.
UNC5142 uses vulnerable WordPress sites for EtherHiding delivery
Google's research also identified financially motivated group UNC5142 using vulnerable WordPress sites to distribute infostealers while relying on blockchain smart contracts as resilient command-and-delivery infrastructure.
UNC5342 deploys JadeSnow and InvisibleFerret via smart contracts
In the campaign observed from February 2025, the fetched blockchain-hosted code installed the JadeSnow loader, which then deployed the persistent InvisibleFerret backdoor associated with multiple cryptocurrency thefts.
UNC5342 begins blockchain-backed social engineering campaign
By February 2025, the North Korea-linked group UNC5342 was using job-themed lures and coding challenges to trick developers into executing scripts that retrieved encrypted malware components from smart contracts on Ethereum and BNB Smart Chain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Nation-state hackers deliver malware from “bulletproof” blockchains
arstechnica.com
Open sourceHackers Use Blockchain to Hide Malware in Plain Sight
bankinfosecurity.com
Open sourceHackers Use Blockchain to Hide Malware in Plain Sight
govinfosecurity.com
Open sourceNorth Korean hackers seen using blockchain to hide crypto-stealing malware
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Hackers Employ EtherHiding to Distribute Malware via Blockchain Smart Contracts
North Korean state-sponsored hackers have adopted a novel technique known as EtherHiding to distribute malware and facilitate cryptocurrency theft. The Google Threat Intelligence Group (GTIG) has attributed this activity to a threat actor tracked as UNC5342, which is also known by several other names including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi. This marks the first documented instance of a state-backed hacking group leveraging EtherHiding, a method previously described by Guardio Labs in 2023. EtherHiding involves embedding malicious payloads within smart contracts on public blockchains such as Ethereum and Binance Smart Chain (BSC), allowing attackers to host and update malware in a manner that is highly resistant to takedown and difficult to trace. The campaign, codenamed Contagious Interview, targets software and web developers through social engineering, often beginning with fake job offers on LinkedIn. Attackers impersonate recruiters or hiring managers from fabricated entities like BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, and eventually move conversations to platforms like Telegram or Discord. Victims are tricked into running code as part of a technical assessment, which executes a JavaScript downloader. This downloader, known as JADESNOW, interacts with the blockchain to fetch a third-stage payload, typically a JavaScript version of the InvisibleFerret malware, which is designed for long-term espionage. The payload runs in memory and may request additional components from the blockchain, such as credential stealers. The use of smart contracts for payload delivery provides anonymity, flexibility for updating malicious code, and evasion of traditional detection and takedown mechanisms. The attackers' ability to retrieve payloads from either Ethereum or BSC further complicates analysis and defense. The campaign's objectives align with North Korea's dual goals of cyber espionage and financial gain, as the malware is used to steal sensitive data and siphon cryptocurrency assets from compromised developers. The cost to update the malicious payload is minimal, averaging around $1.37 in gas fees, making the technique both economical and scalable for the threat actors. The use of read-only calls to fetch payloads leaves no visible transaction history, enhancing the stealth of the operation. This development represents a significant evolution in the tactics of North Korean cyber operations, demonstrating their increasing sophistication and willingness to exploit decentralized technologies for malicious purposes. Security researchers warn that the resilience and anonymity provided by blockchain-based malware delivery could inspire similar tactics among other threat actors. Organizations are advised to increase vigilance, especially when dealing with unsolicited job offers and technical assessments that require code execution. The campaign underscores the importance of robust security awareness training and technical controls to detect and prevent such advanced social engineering and malware delivery techniques.
Mar 21, 2026
DPRK Malware Campaign Uses EtherHiding to Conceal Payloads on Blockchain
Google Cloud's Mandiant reported that North Korean operators adopted **EtherHiding**, a technique that abuses blockchain infrastructure to hide malicious content and stage malware delivery. The activity uses decentralized platforms to store or retrieve attacker-controlled data, complicating takedown efforts and making network-based detection harder because the infrastructure blends into legitimate blockchain traffic. The report links the tradecraft to DPRK threat activity and highlights a broader shift toward resilient, hard-to-disrupt hosting for command-and-control or payload staging. By moving parts of the infection chain onto blockchain-backed services, the operators reduce reliance on traditional attacker domains and hosting, increasing the durability and stealth of malware campaigns targeting victims across the internet.
May 25, 2026
ClearFake Uses BSC Smart Contracts and ClickFix Lures to Deliver Info-Stealers
Researchers reported that the long-running **ClearFake/EtherHiding** campaign is using compromised legitimate websites, fake **Google reCAPTCHA** pages, and **ClickFix** social-engineering lures to deliver malware through **BNB Smart Chain testnet** smart contracts rather than conventional staging servers. Analysis from Trend Micro and Censys found the attackers embedded obfuscated JavaScript and `ethers.js` on hacked sites, performed browser and OS checks, and retrieved victim-specific payload logic from on-chain contracts tied to a single deployer wallet. The infrastructure included contracts for anti-analysis dispatching, separate Windows and macOS delivery, and victim tracking, making traditional takedowns and URL blocking far less effective. The campaign delivered **SectopRAT** and **ACRStealer** to steal passwords, cookies, browser sessions, credit card data, and cryptocurrency wallet information, while macOS infections also used dynamic resolver techniques through external web services to locate command-and-control endpoints and collect host data. A related stealer campaign described by Gurucul used software-search redirection, fake MEGA Transfer pages, a Go-based loader, and an **Ethereum dead-drop resolver** to obtain command-and-control infrastructure, underscoring a broader shift toward blockchain-backed malware delivery and resilient C2. Defenders were advised to monitor for unexpected `ethers.js` usage, fake CAPTCHA assets, clipboard-driven execution prompts, and access to BSC testnet JSON-RPC services, while training users to avoid fraudulent CAPTCHA and ClickFix prompts.
May 29, 2026