North Korean state-backed hackers tracked by Google Threat Intelligence Group (GTIG) as UNC5342 have used a smart-contract technique known as “EtherHiding” to host and deliver malware in social engineering campaigns that target cryptocurrency, according to GTIG and.
The technique, first described by Guardio Labs in 2023, embeds malicious payloads inside smart contracts on public blockchains such as Ethereum and the BNB Smart Chain. The article says researchers warned EtherHiding offers anonymity, resistance to takedown and low-cost, flexible payload updates, and that read-only calls can fetch payloads without creating visible transaction history.
GTIG says the campaigns begin with fake job interviews conducted by fabricated entities, including BlockNovas LLC, Angeloper Agency and SoftGlide LLC, that target software and web developers. Victims are induced to run code as part of a technical assessment; that code executes a JavaScript downloader, and the smart contract hosts a further downloader named JADESNOW, which interacts with Ethereum to fetch a third-stage JavaScript payload identified as a version of the InvisibleFerret malware used for long-term espionage.
The researchers report that JADESNOW can retrieve payloads from either Ethereum or the BNB Smart Chain, which complicates analysis, and say it is unusual for a threat actor to use multiple blockchains, which may indicate operational compartmentalization. GTIG explains that the related contract was updated more than 20 times in the first four months at an average gas cost of $1.37 per update, illustrating how cheaply and easily the campaign configuration can be changed.
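The two mechanics described above, a script that reads a payload from a contract with a read-only call and a payload that arrives as ABI-encoded return data, are what an analyst has to recognise and unpack during triage. The following Python is an added example written for this page, not code from GTIG, Guardio or the campaign: it flags read-only contract reads in a captured script and decodes an `eth_call` result as a Solidity `string` so the fetched content can be inspected for JavaScript indicators. The sample script, RPC endpoint, contract address and return data are all constructed here and are not real campaign artefacts.

```python
import re

# Patterns indicating a script reads contract state without sending a
# transaction: the raw JSON-RPC method, or web3.js's contract ".call(...)".
READONLY_CALL_PATTERNS = {
    "jsonrpc_eth_call": r"\beth_call\b",
    "web3js_call": r"\.methods\.\w+\s*\([^)]*\)\s*\.call\s*\(",
}
CONTRACT_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Indicators that decoded return data is executable JavaScript rather than
# ordinary configuration text.
PAYLOAD_INDICATORS = {
    "eval": r"\beval\s*\(",
    "function_constructor": r"\bFunction\s*\(",
    "base64_decode": r"\batob\s*\(|Buffer\.from\s*\([^)]*base64",
    "child_process": r"\bchild_process\b",
}


def triage_downloader(script: str) -> dict:
    """Report read-only contract reads and any contract addresses in a script."""
    hits = [name for name, pat in READONLY_CALL_PATTERNS.items()
            if re.search(pat, script)]
    return {
        "readonly_calls": hits,
        "contract_addresses": sorted(set(CONTRACT_ADDRESS.findall(script))),
    }


def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value (used only to build sample data)."""
    data = s.encode("utf-8")
    head = (0x20).to_bytes(32, "big")          # offset of the dynamic part
    length = len(data).to_bytes(32, "big")     # byte length of the string
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` of an eth_call whose function returns a `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("return data too short to be an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the return data")
    return raw[start:start + length].decode("utf-8", errors="replace")


def analyse_eth_call_result(result_hex: str) -> dict:
    """Decode captured return data and list JavaScript indicators found in it."""
    text = abi_decode_string(result_hex)
    return {
        "decoded": text,
        "indicators": [name for name, pat in PAYLOAD_INDICATORS.items()
                       if re.search(pat, text)],
    }


# Constructed sample: a minimal web3.js read of a contract getter. The RPC
# endpoint and address are placeholders, not values from the page.
SAMPLE_SCRIPT = """
const Web3 = require('web3');
const web3 = new Web3('https://rpc.example.invalid');
const c = new web3.eth.Contract(ABI, '0x0000000000000000000000000000000000001234');
c.methods.getPayload().call().then(p => handle(p));
"""

# Constructed sample return data: a short string that only decodes base64
# text ("hello"), enough to trigger the indicators without doing anything.
SAMPLE_RESULT = abi_encode_string("eval(atob('aGVsbG8='))")

if __name__ == "__main__":
    print(triage_downloader(SAMPLE_SCRIPT))
    print(analyse_eth_call_result(SAMPLE_RESULT))
```

Because the read is an `eth_call`, nothing about the fetch appears on-chain; the place to look for it is the host (the script and its outbound JSON-RPC traffic), which is why the triage works on the captured script and response rather than on a block explorer.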
The malware runs in memory, listens for commands from its command-and-control infrastructure and can execute arbitrary commands and exfiltrate files in ZIP form to external servers or Telegram, the article says. A credential-stealing component targets passwords, credit cards and cryptocurrency wallets such as MetaMask and Phantom stored in browsers including Chrome and Edge.
GTIG and recommend that individuals be cautious of job offers that ask them to download files, that any such files be tested only in isolated environments, and that administrators limit risky file downloads, control browser updates and enforce strict web access and script execution policies.