North Korean hackers hide crypto-theft malware inside smart contracts

North Korean hackers are now using a blockchain-based method known as EtherHiding to deliver malware to facilitate their crypto theft operations. According to experts, a North Korean hacker was discovered using this method, where attackers embed codes like JavaScript Payloads inside a blockchain-based smart contract.

Using the method, the hackers turn the decentralized ledger into a resilient command-and-control (C2). According to a published blog post by Google Threat Intelligence Group (GTIG), this is the first time that it has observed an actor of this scale using this method. It claimed that using EtherHiding is convenient in the face of conventional takedown and blocklisting efforts. The threat intelligence group mentioned that it has been tracking threat actor UNC5342 since February 2025, integrating EtherHiding into an ongoing social engineering campaign.

North Korean hackers turn to EtherHiding

Google mentioned that it has linked the usage of EtherHiding to a social engineering campaign tracked by Palo Alto Networks as Contagious Interview. The Contagious Interview was carried out by North Korean actors. According to Socket researchers, the group expanded its operation with a new malware loader, XORIndex. The loader has accumulated thousands of downloads, with the targets being job seekers and individuals believed to own digital assets or sensitive credentials.

In this campaign, the North Korean hackers use JADESNOW malware to distribute a JavaScript variant of INVISIBLEFERRET, which has been used to carry out so many cryptocurrency thefts. The campaign targets developers in the crypto and technology industries, stealing sensitive data, digital assets, and gaining access to corporate networks. It also centers around a social engineering tactic that copies legitimate recruitment processes using fake recruiters and fabricated companies.

Fake recruiters are used to lure candidates to platforms like Telegram or Discord. After that, the malware is then delivered to their systems and devices through fake coding tests or software downloads disguised as technical assessments or interview fixes. The campaign uses a multi-stage malware infection process, which usually involves malware like JADESNOW, INVISIBLEFERRET, and BEAVERTAIL, to compromise the victim’s devices. The malware affects Windows, Linux, and macOS systems.

Researchers detail the cons of EtherHiding

EtherHiding provides a better advantage to attackers, with GTIG noting that it acts as a particularly challenging threat to mitigate. One core element of EtherHiding that is concerning is that it is decentralized in nature. This means that it is stored on a permissionless and decentralized blockchain, making it hard for law enforcement or cybersecurity firms to take it down because it has no central server. The identity of the attacker is also hard to track because of the pseudonymous nature of blockchain transactions.

It is also hard to remove malicious code in smart contracts deployed on the blockchain if you are not the owner of the contract. The attacker in control of the smart contract, in this case, the North Korean hackers, can also choose to update the malicious payload at any time. While security researchers may try to warn the community about a malicious contract by tagging it, it doesn’t stop hackers from carrying out their malicious activities using the smart contract.

In addition, attackers can retrieve their malicious payload using read-only calls that do not leave a visible transaction history on the blockchain, making it hard for researchers to track their activities on the blockchain. According to the threat research report, EtherHiding represents a “shift towards next-generation bulletproof hosting” where the most glaring features of blockchain technology are being used by scammers for malicious purposes.

Join a premium crypto trading community free for 30 days - normally $100/mo.