DPRK Malware Campaign Uses EtherHiding to Conceal Payloads on Blockchain
Google Cloud's Mandiant reported that North Korean operators adopted EtherHiding, a technique that abuses blockchain infrastructure to hide malicious content and stage malware delivery. The activity uses decentralized platforms to store or retrieve attacker-controlled data, complicating takedown efforts and making network-based detection harder because the infrastructure blends into legitimate blockchain traffic.
The report links the tradecraft to DPRK threat activity and highlights a broader shift toward resilient, hard-to-disrupt hosting for command-and-control or payload staging. By moving parts of the infection chain onto blockchain-backed services, the operators reduce reliance on traditional attacker domains and hosting, increasing the durability and stealth of malware campaigns targeting victims across the internet.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Google publishes analysis of DPRK use of EtherHiding on blockchains
Google Cloud's Mandiant Threat Intelligence blog published a report describing North Korean actors adopting the EtherHiding technique to conceal malware-related infrastructure on blockchain platforms. No earlier discrete events are available from the provided reference alone.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Hackers Employ EtherHiding to Distribute Malware via Blockchain Smart Contracts
North Korean state-sponsored hackers have adopted a novel technique known as EtherHiding to distribute malware and facilitate cryptocurrency theft. The Google Threat Intelligence Group (GTIG) has attributed this activity to a threat actor tracked as UNC5342, which is also known by several other names including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi. This marks the first documented instance of a state-backed hacking group leveraging EtherHiding, a method previously described by Guardio Labs in 2023. EtherHiding involves embedding malicious payloads within smart contracts on public blockchains such as Ethereum and Binance Smart Chain (BSC), allowing attackers to host and update malware in a manner that is highly resistant to takedown and difficult to trace. The campaign, codenamed Contagious Interview, targets software and web developers through social engineering, often beginning with fake job offers on LinkedIn. Attackers impersonate recruiters or hiring managers from fabricated entities like BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, and eventually move conversations to platforms like Telegram or Discord. Victims are tricked into running code as part of a technical assessment, which executes a JavaScript downloader. This downloader, known as JADESNOW, interacts with the blockchain to fetch a third-stage payload, typically a JavaScript version of the InvisibleFerret malware, which is designed for long-term espionage. The payload runs in memory and may request additional components from the blockchain, such as credential stealers. The use of smart contracts for payload delivery provides anonymity, flexibility for updating malicious code, and evasion of traditional detection and takedown mechanisms. The attackers' ability to retrieve payloads from either Ethereum or BSC further complicates analysis and defense. The campaign's objectives align with North Korea's dual goals of cyber espionage and financial gain, as the malware is used to steal sensitive data and siphon cryptocurrency assets from compromised developers. The cost to update the malicious payload is minimal, averaging around $1.37 in gas fees, making the technique both economical and scalable for the threat actors. The use of read-only calls to fetch payloads leaves no visible transaction history, enhancing the stealth of the operation. This development represents a significant evolution in the tactics of North Korean cyber operations, demonstrating their increasing sophistication and willingness to exploit decentralized technologies for malicious purposes. Security researchers warn that the resilience and anonymity provided by blockchain-based malware delivery could inspire similar tactics among other threat actors. Organizations are advised to increase vigilance, especially when dealing with unsolicited job offers and technical assessments that require code execution. The campaign underscores the importance of robust security awareness training and technical controls to detect and prevent such advanced social engineering and malware delivery techniques.
Mar 21, 2026
Hackers Employ Blockchain-Based EtherHiding Technique to Conceal Malware
Hackers have adopted a novel technique called EtherHiding, which leverages public blockchain networks to conceal and control malware, making their operations highly resistant to takedown efforts. According to research from Google’s Threat Intelligence Group, at least two distinct hacking groups are utilizing this method: one is a North Korean state-sponsored actor, tracked as UNC5342, and the other is a financially motivated cybercriminal group, UNC5142. EtherHiding works by embedding malicious instructions within blockchain smart contracts, rather than relying on traditional command-and-control servers. This approach exploits the decentralized and immutable nature of blockchains, providing attackers with a resilient infrastructure that is difficult for law enforcement or defenders to disrupt. The North Korean group UNC5342 has used EtherHiding in social engineering campaigns targeting developers and cryptocurrency firms, often luring victims with job-related files or coding challenges. When a target opens a malicious file, a script connects to the blockchain to retrieve encrypted code from a smart contract, which then installs the JadeSnow loader. This loader subsequently delivers a persistent backdoor known as InvisibleFerret, which has been linked to multiple cryptocurrency thefts. Meanwhile, the financially motivated group UNC5142 has adapted EtherHiding to distribute infostealers via compromised WordPress sites. The technique allows attackers to update or replace their malware by simply modifying the smart contract, further complicating detection and remediation. Researchers note that this represents a significant escalation in the threat landscape, as blockchain’s pseudonymous and decentralized features provide a form of "bulletproof" hosting for malicious operations. EtherHiding was first observed in 2023 in a campaign called ClearFake, but its adoption by nation-state actors marks a new phase in cybercriminal innovation. The use of blockchain for malware delivery not only hinders traditional takedown strategies but also enables attackers to operate with greater anonymity. Security experts warn that this method can be easily adapted for new campaigns, increasing the risk to organizations in the cryptocurrency and technology sectors. The persistence and flexibility of blockchain-hosted malware pose a growing challenge for defenders, who must now contend with threats that cannot be neutralized by simply removing malicious servers. This development underscores the need for enhanced monitoring of blockchain activity and improved detection mechanisms for malware leveraging decentralized technologies. Organizations are advised to educate employees about social engineering tactics and to implement robust endpoint security to mitigate the risks associated with these advanced attack techniques.
Mar 21, 2026
DPRK-Linked Malware Campaigns Use Blockchain C2 to Target Crypto Firms and Developers
Researchers detailed two likely DPRK-linked malware operations that used public blockchains as resilient command-and-control infrastructure while targeting the cryptocurrency ecosystem and software developers. Elastic Security Labs said the **PHANTOMPULSE** Windows RAT, delivered through abused Obsidian plugins and the `PHANTOMPULL` loader, used multiple process-injection techniques, a `schuac`-based UAC bypass via `IElevatedFactoryServer`, hardware breakpoints to suppress **AMSI**, **WLDP**, and **ETW**, and scheduled tasks for persistence. The implant conducted host reconnaissance, screenshot capture, keylogging, and clipboard monitoring, and resolved its latest C2 by reading transaction data from **Ethereum**, **Base**, and **Optimism**, with Telegram and hardcoded-domain fallback paths also noted. A separate supply-chain intrusion attributed to **Famous Chollima** compromised the legitimate Packagist package `roberts/leads`, hiding malicious JavaScript in a development-branch `tailwind.js` file that fetched encrypted payloads from **TRON**, **Aptos**, and **BNB Smart Chain**. Socket linked the activity to prior DPRK tooling including **DEV#POPPER RAT**, **OmniStealer**, and **BeaverTail**, while public reporting and social-media tracking tied it to the broader **Contagious Interview** ecosystem. Elastic said PHANTOMPULSE's blockchain resolver failed to verify transaction senders, creating a rare opportunity for defenders to sinkhole infected hosts with a crafted transaction, and advised monitoring suspicious scheduled tasks, unusual `rundll32.exe` execution, hardware-breakpoint tampering, and Node.js access to blockchain or RPC services during builds.
Jun 6, 2026