Hackers linked to the North Korean state have begun using public blockchains to spread malware and steal cryptocurrencies, which researchers say is the first known case of a nation-state adopting the technique.
Google security researchers said Thursday they observed a Pyongyang-backed hacking group, tracked as UNC5342, deploying a method known as EtherHiding — a way to embed malicious code into smart contracts on decentralized networks such as Ethereum and BNB Smart Chain.
This technique makes it more difficult to block or remove malware because the code is stored in blockchain ledgers that cannot be taken offline or modified. The malicious code remains accessible as long as the blockchain itself is operational, according to the researchers.
“This represents an evolution toward next-generation, ironclad hosting,” Google said, noting that attackers are increasingly exploiting the same decentralization features that make blockchain resilient.
Malware hidden in smart contracts
Since February, UNC5342 has used EtherHiding as part of a social engineering campaign that tricks developers – often those working in the cryptocurrency or technology industries – into uploading malware disguised as work-related files or coding challenges.
Once a target opens the file, a malicious script connects to the blockchain to retrieve the encrypted code of a smart contract. This code installs the JadeSnow loader, which in turn provides a more persistent backdoor known as InvisibleFerret which has been used in several cryptocurrency thefts.
Since malicious payloads are stored on decentralized blockchains, they cannot be removed through traditional takedown efforts. Attackers can also quietly update or replace their malware by modifying the smart contract, Google said.
The pseudonymous nature of blockchain adds another layer of anonymity, making it difficult to identify the people behind the transaction.
Google said EtherHiding was first used in 2023 by a financially motivated group known as UNC5142, but this is the first time a state-sponsored actor has adopted it.
The company added that even though hackers rely on decentralized blockchains to store their code, they still interact through centralized web services that defenders can monitor or block to disrupt attacks.
“In other words, UNC5142 and UNC5342 use permissioned services to interact with blockchains without permission,” the researchers said.
Future saved
Intelligence cloud.
Learn more.
