Google Threat Intelligence Group has released a study detailing how a North Korean threat group is using an advanced blockchain-based method, called “EtherHiding,” to deploy malware and steal digital assets and data.
This research represents the first documented case of a state-sponsored actor using the EtherHiding technique, in which public blockchains are used to host and serve the malicious code that later stages of an infection chain retrieve. Google security analysts have linked this activity to a threat cluster tracked as UNC5342, which has integrated EtherHiding into a sophisticated social engineering operation targeting software developers since early 2025.
Social engineering campaign
The UNC5342 campaign, known in the industry as “Contagious Interview,” is designed to compromise victims through elaborate recruitment scams targeting developers in the technology and digital currency industries. Attackers pose as recruiters for well-known tech or cryptocurrency companies on platforms such as LinkedIn, create fake company websites and contact potential victims with attractive job offers. In later stages, fake technical assessments or coding tasks are used to trick targets into downloading what turns out to be malware-laden files.
The files, usually in the form of a downloader called JADESNOW, are provided primarily through popular development platforms such as GitHub and npm. Once executed, these files deploy additional stages of malware, including credential stealers and backdoors, often targeting Windows, macOS, and Linux systems. The chain culminates with INVISIBLEFERRET, a Python-based backdoor granting persistent and covert access to the infected system.
EtherHiding technique
EtherHiding is a multi-stage attack method that stores malicious code, typically encrypted or obfuscated, as payloads in smart contracts deployed on blockchains such as Ethereum and BNB Smart Chain. A small loader script is first injected into a compromised site or delivered directly to the victim. Once executed, it queries the blockchain through public API services using read-only calls, which execute a contract's view function on a node without creating a transaction; they cost nothing and leave no on-chain record of the read. The operator, by contrast, updates the stored payload with an ordinary transaction to the contract, which costs a small fee but requires no change to the loader already in victims' hands. This gives attackers retrievable, anonymous access to their payloads at any time and lets them rotate in new malware as needed.
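The read path described above, as an added example that is not code from Google's report or from the malware: a loader builds a JSON-RPC eth_call, a simulated node answers with an ABI-encoded string, and the loader decodes it. The contract address, function selector and payload strings are placeholders, and the node is a stand-in so the block runs offline.

```javascript
// Added example: EtherHiding-style read of a payload via eth_call.
// Contract address, selector and payloads are placeholders, not real indicators.
const CONTRACT = "0x1111111111111111111111111111111111111111"; // placeholder
// A real loader hard-codes the first 4 bytes of keccak256 of the view
// function's signature. This value is a placeholder, not a real selector.
const SELECTOR = "0xdeadbeef";

// eth_call asks a node to execute a view function and return the result.
// No transaction is created, nothing is written to the chain, no gas is paid.
function buildEthCall(to, data, id = 1) {
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to, data }, "latest"] };
}

// ABI encoding of a Solidity `string`: a 32-byte offset word (32 for a single
// return value), a 32-byte length word, then UTF-8 bytes padded to 32 bytes.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const paddedLen = Math.ceil(bytes.length / 32) * 32;
  const padded = Buffer.concat([bytes, Buffer.alloc(paddedLen - bytes.length)]);
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(bytes.length) + padded.toString("hex");
}

// Inverse of the above, with bounds checks so a short or malformed response
// cannot make the decoder read outside the buffer.
function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("too short for an ABI-encoded string");
  const offset = Number(buf.readBigUInt64BE(24)); // low 8 bytes of word 0
  if (offset + 32 > buf.length) throw new Error("offset outside response");
  const length = Number(buf.readBigUInt64BE(offset + 24)); // low 8 bytes of length word
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("length outside response");
  return buf.subarray(start, start + length).toString("utf8");
}

// Stand-in for the contract's storage and the RPC endpoint. The operator
// changes the stored string with a paid, recorded transaction; every victim
// read is a free, unrecorded eth_call.
function makeFakeNode(initialPayload) {
  let stored = initialPayload;
  return {
    setPayload(next) { stored = next; }, // models the operator's paid write
    rpc(request) {                        // models JSON-RPC over HTTPS
      const reply = { jsonrpc: "2.0", id: request.id };
      if (request.method !== "eth_call") return { ...reply, error: { code: -32601, message: "unsupported" } };
      if (request.params[0].to.toLowerCase() !== CONTRACT) return { ...reply, result: "0x" };
      return { ...reply, result: abiEncodeString(stored) };
    },
  };
}

// The loader's side: fetch and decode. A real loader would go on to execute
// the returned string; here it is only returned so the flow can be inspected.
function fetchStage(node, to = CONTRACT, data = SELECTOR) {
  const response = node.rpc(buildEthCall(to, data));
  if (response.error) throw new Error(response.error.message);
  return abiDecodeString(response.result);
}

const node = makeFakeNode("stage2-v1"); // constructed payload marker
console.log(fetchStage(node));          // stage2-v1
node.setPayload("stage2-v2");           // operator rotates the payload on chain
console.log(fetchStage(node));          // stage2-v2, with no change to the loader
```

The two decode checks matter in practice: a node that does not know the contract (or a provider that has started returning empty results for it) answers `0x`, and a loader without bounds checks would throw on that, which is itself a detectable behaviour.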
Because the code is stored on a decentralized, permissionless ledger, traditional responses such as takedown requests or blacklisting the hosting domain are far less effective. The perpetrators exploit both the immutability and the anonymity that blockchains offer, hindering attribution and leaving network defenders and law enforcement with no way to remove the payload directly.
This development signals an escalation in the threat landscape, as state-level threat actors now use new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns.
Robert Wallace, Consulting Leader at Mandiant – Google Cloud, further highlighted the importance of this change.
Operating procedure and risks
The attack chain begins with social engineering and proceeds through several carefully sequenced technical steps. The initial compromise relies on phishing-style lures, with malware distributed as part of fake coding assignments or via download links sent during purported interview processes. After the initial infection, subsequent payloads are retrieved directly from blockchain smart contracts, making forensic and network-based detection difficult.
This cross-platform threat focuses on stealing cryptocurrency wallets, login credentials, and private data stored in browsers. For high-value targets, a persistent backdoor allows for long-term espionage and additional lateral movement within an organization’s network. A distinctive feature of the campaign is the flexibility with which UNC5342 switches between different blockchain networks to store payloads, complicating tracking and analysis while reducing operational costs through lower transaction fees.
Malicious use of legitimate technologies
Smart contracts residing on blockchains are publicly accessible and permanently stored, properties that UNC5342 repurposes for command and control. Abusing these features lets the malware resist standard defensive measures.
It is important to note that UNC5342 and another, financially motivated actor, UNC5142, rely on centralized API services rather than direct access to blockchain nodes to interact with blockchains. In practice, this dependence introduces potential points of disruption for defenders. While some API service providers have taken steps to limit access for identified bad actors, others have sometimes remained unresponsive, raising concerns about broader risks and possible proliferation of the technique.
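The choke point described above, as an added example that is not from Google's report: a check an RPC provider or an enterprise egress proxy could run on JSON-RPC request bodies, flagging read-only requests aimed at contracts already tied to a campaign. It goes slightly beyond the text by also covering batch requests and `eth_getStorageAt`, a second read-only way to pull a contract's stored data. The watchlisted addresses and sample bodies are constructed placeholders.

```javascript
// Added example: inspect JSON-RPC traffic for read-only calls to watchlisted
// contracts. Addresses and sample requests below are placeholders.

// Contracts an analyst has tied to payload hosting (placeholders here).
// Stored lower-case: addresses are case-insensitive apart from the optional
// EIP-55 checksum casing, so normalise before comparing.
const WATCHLIST = new Set([
  "0x1111111111111111111111111111111111111111",
  "0x2222222222222222222222222222222222222222",
]);

function normaliseAddress(a) {
  return typeof a === "string" ? a.trim().toLowerCase() : "";
}

// Returns the first finding, or null. A batch request is a JSON array of
// calls, a convenient place to bury one interesting read among routine ones.
function inspectRpcBody(rawBody, watchlist = WATCHLIST) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return null; // not JSON-RPC, out of scope for this check
  }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  for (const call of calls) {
    if (!call || typeof call !== "object") continue;
    const params = Array.isArray(call.params) ? call.params : [];
    let target = "";
    if (call.method === "eth_call" && params[0] && typeof params[0] === "object") {
      target = normaliseAddress(params[0].to);        // view-function read
    } else if (call.method === "eth_getStorageAt") {
      target = normaliseAddress(params[0]);           // raw storage-slot read
    }
    if (target && watchlist.has(target)) {
      return { method: call.method, contract: target, id: call.id ?? null };
    }
  }
  return null;
}

// Constructed request bodies standing in for proxied traffic.
const SAMPLES = [
  JSON.stringify({ jsonrpc: "2.0", id: 7, method: "eth_call",
    params: [{ to: "0x1111111111111111111111111111111111111111", data: "0xdeadbeef" }, "latest"] }),
  JSON.stringify({ jsonrpc: "2.0", id: 8, method: "eth_blockNumber", params: [] }),
  JSON.stringify([
    { jsonrpc: "2.0", id: 1, method: "eth_chainId", params: [] },
    { jsonrpc: "2.0", id: 2, method: "eth_getStorageAt",
      params: ["0x2222222222222222222222222222222222222222", "0x0", "latest"] },
  ]),
  "not json at all",
];

for (const body of SAMPLES) console.log(inspectRpcBody(body));
```

This only works because the loaders go through hosted API services; a loader that talks to its own node, or to a provider that ignores abuse reports, never passes this check, which is the proliferation risk the paragraph raises.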
Defensive strategies
Google says traditional approaches like domain blocklisting or stopping malicious file downloads can help, but EtherHiding presents additional complexity. Recommended defenses include centralized control measures, especially for enterprise environments. For example, Chrome Enterprise allows administrators to apply download restrictions on dangerous file types and automatically manage browser updates, preventing the installation of malware caused by fake update pop-ups or deceptive phishing tactics. Improved Safe Browsing and URL blocklist settings in browsers provide an additional layer of protection.
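The Chrome Enterprise controls named above, as an added example that is not Google's own guidance: the managed-policy values for download restrictions, Safe Browsing level and the URL blocklist, with an unmanaged baseline beside them and a small audit that reports which settings a fleet still leaves at the permissive default. Policy names and value meanings follow the Chrome Enterprise policy list; the blocklist pattern is a placeholder.

```javascript
// Added example: Chrome managed policy values versus an unmanaged baseline,
// plus an audit of a policy object. The blocklist entry is a placeholder.

// Unmanaged: every setting is left to the user, so dangerous downloads can
// be kept, Safe Browsing may be off, and no URL is blocked.
const permissivePolicy = {};

// Hardened values. DownloadRestrictions: 1 blocks downloads Safe Browsing
// rates dangerous, 2 also blocks potentially dangerous ones, 3 blocks all
// downloads, 4 blocks only those rated malicious. SafeBrowsingProtectionLevel:
// 0 off, 1 standard, 2 enhanced.
const hardenedPolicy = {
  DownloadRestrictions: 1,
  SafeBrowsingProtectionLevel: 2,
  URLBlocklist: ["example.invalid"], // placeholder; use the report's domains
};

// Report each control that is missing or still permissive.
function auditChromePolicy(policy) {
  const findings = [];
  const dr = policy.DownloadRestrictions;
  if (!(Number.isInteger(dr) && dr >= 1 && dr <= 4)) {
    findings.push("DownloadRestrictions unset or 0: users can keep files Safe Browsing rates dangerous");
  }
  if (policy.SafeBrowsingProtectionLevel !== 2) {
    findings.push("SafeBrowsingProtectionLevel not 2: enhanced protection is not enforced");
  }
  if (!Array.isArray(policy.URLBlocklist) || policy.URLBlocklist.length === 0) {
    findings.push("URLBlocklist empty: known campaign domains are not blocked in the browser");
  }
  return findings;
}

console.log(auditChromePolicy(permissivePolicy)); // three findings
console.log(auditChromePolicy(hardenedPolicy));   // []
```

On Linux the hardened object is dropped as a JSON file under /etc/opt/chrome/policies/managed/; on Windows and macOS the same policy names are set through the usual management channels. Note that these controls stop the file-download and fake-update lures; they do nothing against a payload that a running loader fetches from the chain, which is why the URL blocklist and download controls are framed as layers rather than a fix.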
Research from the Google Threat Intelligence Group details several technical indicators, including specific blockchain contract addresses and cryptographic hashes associated with the campaign’s malware samples, that can help cybersecurity teams detect or block campaign components.
Call for vigilance
The research highlights the continued evolution of cyber threats that leverage advances in widely adopted technologies such as blockchains. The use of immutable, decentralized hosting through smart contracts, combined with targeted social engineering, reinforces the need for updated security measures that can adapt to rapidly evolving adversarial methods.