North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts
A threat actor with ties to North Korea has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method.
Google reported that UNC5342 has been incorporating EtherHiding – a stealthy approach that embeds nefarious code within a smart contract on public blockchains like BNB Smart Chain (BSC) or Ethereum – since February 2025. This method turns the blockchain into a decentralized dead drop resolver that’s resilient to takedown efforts.
EtherHiding also abuses the pseudonymous nature of blockchain transactions, making it harder to trace the deployment of the smart contract. Additionally, attackers can update the malicious payload at any time, which opens the door to a wide spectrum of threats.
The multi-stage infection chain, triggered by a social engineering attack, targets Windows, macOS, and Linux systems with three different malware families. It begins with an initial downloader delivered as npm packages. That is followed by BeaverTail, a JavaScript stealer that exfiltrates sensitive information such as cryptocurrency wallets, and by JADESNOW, a JavaScript downloader that interacts with Ethereum to fetch InvisibleFerret. InvisibleFerret is a JavaScript variant of the Python backdoor used against high-value targets for remote control and long-term data theft; it targets MetaMask and Phantom wallets as well as credentials from password managers like 1Password.
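The chain above starts with an npm package whose install-time code reads a payload location from a public blockchain and executes what it fetches. The following added example (not code from the article, Google, or any of the named malware) is a static triage scanner a defender can run over an unpacked npm package before installing it. It flags the two traits the article describes: lifecycle hooks that execute code on `npm install`, and JavaScript that combines read-only blockchain JSON-RPC calls (an `eth_call` against a hard-coded contract address via a public RPC endpoint) with dynamic code execution. The indicator regexes, RPC hostnames, and the two sample packages are constructed for illustration and are not indicators taken from the article.

```python
"""Static triage for EtherHiding-style npm loaders (added example, not the article's code).
All indicators and sample packages below are constructed for illustration."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristic indicators (assumed, illustrative): read-only contract queries,
# public RPC endpoints, hard-coded contract addresses, dynamic code execution.
INDICATORS = {
    "rpc_method": re.compile(r"\beth_(call|getStorageAt|getCode)\b"),
    "rpc_endpoint": re.compile(r"https?://[^\s'\"]*(bsc-dataseed|binance\.org|infura\.io|alchemy\.com)"),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "dynamic_exec": re.compile(r"\b(eval|new\s+Function)\s*\("),
}


def scan_package_json(text):
    """Return the install-time hooks declared in package.json and their commands."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return {"__unparsable__": ""}
    scripts = pkg.get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def scan_js(text):
    """Return the set of indicator tags present in one JavaScript source."""
    return {tag for tag, rx in INDICATORS.items() if rx.search(text)}


def scan_package(root):
    """Walk an unpacked package directory; map install hooks and indicators to files."""
    root = Path(root)
    report = {"install_hooks": {}, "indicators": {}}
    pj = root / "package.json"
    if pj.is_file():
        report["install_hooks"] = scan_package_json(pj.read_text())
    for js in sorted(root.rglob("*.js")):
        if "node_modules" in js.parts:  # skip vendored dependencies
            continue
        for tag in scan_js(js.read_text(errors="ignore")):
            report["indicators"].setdefault(tag, []).append(js.relative_to(root).as_posix())
    return report


def risk_level(report):
    """high: install hook + blockchain read + dynamic exec (the full chain described);
    medium: two or more traits; low: otherwise."""
    hooks = bool(report["install_hooks"])
    tags = set(report["indicators"])
    chain_reads = tags & {"rpc_method", "rpc_endpoint"}
    if hooks and chain_reads and "dynamic_exec" in tags:
        return "high"
    if len(tags) + int(hooks) >= 2:
        return "medium"
    return "low"


# Constructed sample packages. setup.js is deliberately non-functional: it only
# contains the strings the scanner looks for, not a working loader.
SUSPICIOUS_PKG = {
    "package.json": json.dumps({"name": "example-lib", "version": "1.0.0",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": (
        "// constructed, non-functional sample used only to exercise the scanner\n"
        "const rpc = 'https://bsc-dataseed.binance.org/';\n"
        "const contract = '0x" + "0" * 36 + "1234';\n"
        "const req = { jsonrpc: '2.0', method: 'eth_call', params: [{ to: contract }], id: 1 };\n"
        "// ... the response would be handed to eval(...) here ...\n"
        "eval(payload);\n"
    ),
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
}
BENIGN_PKG = {
    "package.json": json.dumps({"name": "example-lib", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
}


def build_package(files):
    """Write a sample package into a fresh temporary directory and return its path."""
    d = Path(tempfile.mkdtemp())
    for name, content in files.items():
        (d / name).write_text(content)
    return d


if __name__ == "__main__":
    for label, files in (("suspicious", SUSPICIOUS_PKG), ("benign", BENIGN_PKG)):
        rep = scan_package(build_package(files))
        print(label, risk_level(rep), json.dumps(rep, indent=2))
```

The scoring deliberately requires all three traits for a "high" verdict: a package that merely embeds a contract address (a legitimate web3 library, say) scores low, while one that runs on install, reads contract state, and feeds the result to `eval` matches the dead-drop-resolver pattern the article describes and deserves manual review before installation.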
For the complete article, visit the link: The Hacker News