A threat actor with ties to the Democratic People’s Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method.
The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342, which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro).
The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord.
The end goal of these efforts is to gain unauthorized access to developers’ machines, steal sensitive data, and siphon cryptocurrency assets – consistent with North Korea’s twin pursuit of cyber espionage and financial gain.
Google said it has observed UNC5342 incorporating EtherHiding – a stealthy approach that involves embedding nefarious code within a smart contract on a public blockchain like BNB Smart Chain (BSC) or Ethereum – since February 2025. In doing so, the attack turns the blockchain into a decentralized dead drop resolver that’s resilient to takedown efforts.
Besides resilience, EtherHiding also abuses the pseudonymous nature of blockchain transactions to make it harder to trace who has deployed the smart contract. Complicating matters further, the technique is also flexible in that it allows the attacker who is in control of the smart contract to update the malicious payload at any time (albeit costing an average of $1.37 in gas fees), thereby opening the door to a wide spectrum of threats.
“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google Cloud, said in a statement shared with The Hacker News.
The infection chain triggered following the social engineering attack is a multi-stage process that’s capable of targeting Windows, macOS, and Linux systems with three different malware families –
- An initial downloader that manifests in the form of npm packages
- BeaverTail, a JavaScript stealer that’s responsible for exfiltrating sensitive information, such as cryptocurrency wallets, browser extension data, and credentials
- JADESNOW, a JavaScript downloader that uses EtherHiding to fetch InvisibleFerret
- InvisibleFerret, a Python backdoor deployed against high-value targets to allow remote control of the compromised host, as well as long-term data theft by targeting MetaMask and Phantom wallets, as well as credentials from password managers like 1Password
“EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google said. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”
