
North Korean hackers use the EtherHiding tactic to hide malware on the blockchain

Analysts from the Google Threat Intelligence Group (GTIG) reported that North Korean hackers have begun using the EtherHiding technique and smart contracts to host and deliver malware.

According to the researchers, the group tracked as UNC5342 has been using EtherHiding since February 2025 as part of the Contagious Interview campaign, whose goal is stealing cryptocurrency. GTIG notes that this is the first time it has observed a state-sponsored group using the tactic.

EtherHiding was first described by Guardio Labs in 2023, when its researchers found attackers hiding malicious code in Binance Smart Chain (BSC) smart contracts.

The technique stores payloads inside smart contracts on a public blockchain (BNB Smart Chain or Ethereum), so the chain itself acts as the hosting layer: the attacker writes a malicious script into contract storage and the loader reads it back whenever it is needed.

Because a public blockchain is decentralized and its contents cannot be removed by a hosting provider or registrar, EtherHiding gives the attacker a degree of anonymity, resistance to takedowns, and cheap payload updates. Retrieval is done through read-only calls (the JSON-RPC eth_call method on Ethereum-compatible chains), which a node executes against current state without creating a transaction, so a victim's fetch leaves no on-chain record and is easy to overlook.

Google reports that the attacks typically begin with a fake job interview: front companies posing as legitimate employers (BlockNovas LLC, Angeloper Agency, SoftGlide LLC) approach software and web developers.

The candidate is asked to run code as part of a coding test during the interview, and that code executes a JavaScript loader. According to the researchers, a smart contract hosts the JADESNOW loader, which queries Ethereum for the third-stage payload: a JavaScript version of the InvisibleFerret malware, typically used for long-term espionage.

GTIG notes that this payload runs in memory and can request a further credential-stealing component from Ethereum. JADESNOW can also retrieve payloads from both Ethereum and BNB Smart Chain, which further complicates analysis.

“It’s unusual to see attackers using multiple blockchains for EtherHiding activity. This may indicate operational separation between teams of North Korean cyber attackers,” GTIG reports. “Transaction details show that the contract was updated more than 20 times during the first four months, with each update costing an average of US$1.37 in gas fees. The low cost and frequency of such updates demonstrate the attackers’ ability to easily change the campaign’s configuration.”

Once running, the malware stays in the background and waits for instructions from a command-and-control (C2) server to execute arbitrary commands or exfiltrate files from the victim's system; the stolen data is usually sent to an external server or via Telegram.

The credential-stealing component targets passwords, payment card data, and cryptocurrency wallet information (MetaMask and Phantom) stored in browsers such as Chrome and Edge.

“Essentially, EtherHiding represents a shift to next-generation ‘bulletproof’ hosting, where the inherent features of blockchain technology are exploited for malicious purposes,” the researchers write. “This underscores the continuous evolution of cyber threats, as attackers adapt and leverage new technologies to their advantage.”

The researchers warn that the adoption of EtherHiding by North Korean groups is a notable development that makes such campaigns harder to track and block. Job-seeking developers are advised to be wary of any interview that asks them to download or run code, and to examine such files only in an isolated environment (a disposable VM or sandbox) rather than on their working machine.
