Threat actors associated with the Democratic People’s Republic of Korea (also known as North Korea) have been observed leveraging the EtherHiding technique to distribute malware and enable the theft of cryptocurrencies, marking the first time a state-sponsored hacker group has employed this technique.
This activity has been attributed to the threat cluster tracked by the Google Threat Intelligence Group (GTIG) as UNC5342. This cluster is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), and Tenacious Pungsan (Datadog). Boyd Dokkaebi (Trend Micro).
This wave of attacks is part of a long-running campaign codenamed “Contagious Interview,” in which attackers approach potential targets on LinkedIn posing as recruiters or recruiters, move the conversation to Telegram or Discord, and then use job reviews as an excuse to trick them into executing malicious code.
The ultimate goal of these efforts is to gain unauthorized access to developer machines, steal sensitive data, and siphon cryptocurrency assets, consistent with North Korea’s dual pursuit of cyberespionage and financial gain.
Google said it has been observing UNC5342 incorporating EtherHiding, a stealth approach to embed malicious code within smart contracts on public blockchains such as BNB Smart Chain (BSC) and Ethereum, since February 2025. In doing so, this attack turns the blockchain into a decentralized dead-drop resolver that is resistant to takedown efforts.
In addition to resilience, EtherHiding exploits the anonymity of blockchain transactions to make it difficult to trace who deployed a smart contract. Further complicating matters, the technology is flexible in that attackers controlling smart contracts can update malicious payloads at any time (albeit at the cost of an average $1.37 gas fee), thereby opening the door to a wide range of threats.
“This development signals an escalating threat landscape, as nation-state threat actors are now leveraging new techniques to distribute malware that can withstand law enforcement enforcement and easily be modified for new campaigns,” said Robert Wallace, Mandiant consulting leader at Google Cloud.
The infection chain that follows a social engineering attack is a multi-step process that can target Windows, macOS, and Linux systems using three different malware families.
Initial downloader that appears in the form of npm packages BeaverTail, a JavaScript stealer responsible for leaking sensitive information such as cryptocurrency wallets, browser extension data, credentials, etc. JADESNOW, a JavaScript downloader that uses EtherHiding to obtain InvisibleFerret InvisibleFerret, a Python backdoor deployed against high-value targets that allows remote control MetaMask, Phantom wallets, passwords such as 1Password Long-term data theft targeting credentials from managers as well as information from compromised hosts.
“EtherHiding represents a transition to the next generation of bulletproof hosting, where the unique capabilities of blockchain technology are repurposed for malicious purposes,” Google said. “This technique highlights the continued evolution of cyber threats as attackers adapt and use new technologies to their advantage.”
Source link
