Threat actors associated with the Democratic People’s Republic of Korea (also known as North Korea) have been observed leveraging the EtherHiding technique to distribute malware and enable the theft of cryptocurrencies, marking the first time a state-sponsored hacker group has employed this technique.
This activity is believed to originate from a threat cluster tracked by the Google Threat Intelligence Group (GTIG). UNC5342It is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro).
This wave of attacks is part of a long-running campaign codenamed “Contagious Interview,” in which attackers approach potential targets on LinkedIn posing as recruiters or recruiters, move the conversation to Telegram or Discord, and then use job reviews as an excuse to trick them into executing malicious code.
The ultimate goal of these efforts is to gain unauthorized access to developer machines, steal sensitive data, and siphon cryptocurrency assets, consistent with North Korea’s dual pursuit of cyberespionage and financial gain.
Google said it has been observing UNC5342 incorporating EtherHiding, a stealth approach to embed malicious code within smart contracts on public blockchains such as BNB Smart Chain (BSC) and Ethereum, since February 2025. In doing so, this attack turns the blockchain into a decentralized dead-drop resolver that is resistant to takedown efforts.
In addition to resilience, EtherHiding exploits the anonymity of blockchain transactions to make it difficult to trace who deployed a smart contract. Further complicating matters, the technology is flexible in that attackers controlling smart contracts can update malicious payloads at any time (albeit at the cost of an average $1.37 gas fee), thereby opening the door to a wide range of threats.
“This development signals an escalating threat landscape, as nation-state threat actors are now leveraging new techniques to distribute malware that can withstand law enforcement enforcement and easily be modified for new campaigns,” said Robert Wallace, Mandiant consulting leader at Google Cloud.
The infection chain that follows a social engineering attack is a multi-step process that can target Windows, macOS, and Linux systems using three different malware families.
- Initial downloader that appears in the form of an npm package
- BeaverTail is a JavaScript stealer that steals sensitive information such as cryptocurrency wallets, browser extension data, and credentials.
- JADESNOW, a JavaScript downloader that interacts with Ethereum to obtain InvisibleFerrets
- InvisibleFerret is a JavaScript variant of a Python backdoor deployed against high-value targets to enable remote control of compromised hosts and long-term data theft targeting credentials from password managers such as MetaMask and Phantom wallets and 1Password.
Briefly, the attack tricks the victim into executing code that interacts with a malicious BSC smart contract to run an initial JavaScript downloader that downloads JADESNOW. It then queries the transaction history associated with the Ethereum address to obtain the third stage payload, in this case a JavaScript version of InvisibleFerret.
The malware also attempts to install a portable Python interpreter to run an additional credential stealer component stored at a separate Ethereum address. This finding is important as threat actors are using multiple blockchains for their EtherHiding operations.
“EtherHiding represents a transition to the next generation of bulletproof hosting, where the unique capabilities of blockchain technology are repurposed for malicious purposes,” Google said. “This technique highlights the continued evolution of cyber threats as attackers adapt and use new technologies to their advantage.”
