Red Hot Cyber
It all started with LinkedIn and a work contact: developers lured, crypto wallets emptied

Redazione RHC : 17 October 2025 11:07

A state-linked North Korean group has developed EtherHiding, a method for hiding malicious code within public blockchain smart contracts and modifying payloads on the fly. According to Google Threat Intelligence Group, this technique was adopted by the UNC5342 group, also tracked as CL-STA-0240 by Palo Alto Networks, DeceptiveDevelopment by ESET, and DEVPOPPER by Securonix.

The attack vectors are consistent with the long-running “Contagious Interview” campaign: attackers contact developers via LinkedIn, posing as recruiters, move the conversation to Telegram or Discord, and, under the guise of a test, trick them into executing malicious code. The goal is to gain unauthorized access to workstations and steal data and cryptocurrency.

Google has observed EtherHiding in use since February 2025. The code is embedded in a smart contract on the BNB Smart Chain or Ethereum, and the chain itself serves as a decentralized “dead drop,” an infrastructure resistant to deletions and blocks.

Transaction pseudonymity makes it hard to attribute who deployed the contract, and the controlling address can update the payload at any time (the average gas fee is approximately $1.37), allowing rapid changes in tactics and malicious modules. Mandiant emphasizes that the adoption of such mechanisms by state-run operators increases the campaign’s survivability and accelerates its adaptation to new targets.

The infection is preceded by a deception in instant messaging apps. The chain then unfolds in several stages, affecting Windows, macOS, and Linux computers. First, a primary loader is launched, disguised as an npm package. Next, BeaverTail, a JavaScript stealer, is activated; it extracts crypto wallet data, browser extension contents, and saved credentials.

Next comes JADESNOW, another JavaScript loader, which queries Ethereum to obtain InvisibleFerret. InvisibleFerret is a JavaScript port of a previously observed Python backdoor: it grants remote control of the machine and organizes long-term data exfiltration, including from MetaMask and Phantom, as well as password managers such as 1Password.

The attackers also attempt to install a portable Python interpreter and use it to launch a separate credential-stealing module stored at a different address on the Ethereum network. Sometimes multiple blockchains are used simultaneously, increasing the survivability of the distribution channel and complicating countermeasures.

This approach increases resilience to blocking and law-enforcement action, complicates analysis of any single instance, and requires defense teams to monitor not only domains and hosting addresses but also the logic by which smart contracts are referenced, the contract addresses themselves, and the specific calls made to RPC providers. Developers contacted by the attackers on LinkedIn are particularly at risk: they are more likely to hold wallets, to have access to repositories and development infrastructure, and to have supply-chain-aware tools installed.

The attack demonstrates a clear shift toward misusing blockchain capabilities as a distributed malware control infrastructure. Defense teams should consider transaction patterns, monitor smart contract calls, and integrate indicators related to addresses and methods of interaction with BSC and Ethereum into their security analysis; otherwise, identifying and stopping such chains will become increasingly difficult.
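As an added illustration of the monitoring the article recommends (this is not code from the article, Google or Mandiant): a small Python triage pass over constructed egress-proxy records that flags `eth_call` JSON-RPC requests to public RPC providers coming from processes that should not need them, and decodes the ABI-encoded string the contract returned to check whether it reads like script. The RPC host watchlist, the allowed-process list, the contract address and the log format are all assumptions.

```python
import json
import re

# Constructed watchlist of public RPC endpoint hosts (assumption, not taken from the article).
RPC_HOSTS = {"bsc-dataseed.binance.org", "mainnet.infura.io"}
# Processes expected to reach RPC providers on a developer workstation (assumption).
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}
# Placeholder contract address used only in the constructed sample; not a real indicator.
SAMPLE_CONTRACT = "0x" + "ab" * 20

def abi_encode_string(text: str) -> str:
    """ABI-encode one `string` return value (offset word, length word, padded bytes); sample data only."""
    data = text.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()

def abi_decode_string(hex_data: str) -> str:
    """Decode one ABI-encoded `string` return value; returns "" for anything too short."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        return ""
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")

def analyze(log_lines):
    """Flag eth_call requests to RPC providers from processes that should not need them."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        req = rec["request"]
        if rec["host"] not in RPC_HOSTS or req.get("method") != "eth_call" or rec["process"] in ALLOWED_PROCESSES:
            continue
        payload = abi_decode_string(rec.get("response", "0x"))
        # A string return that reads like JavaScript is the EtherHiding tell-tale worth escalating.
        script_like = re.search(r"\b(eval|function|require)\b", payload) is not None
        alerts.append({"process": rec["process"], "contract": req["params"][0].get("to"), "script_like": script_like})
    return alerts

# Constructed egress-proxy records (JSON lines), not real telemetry.
SAMPLE_LOGS = [
    json.dumps({"process": "node.exe", "host": "bsc-dataseed.binance.org",
                "request": {"method": "eth_call", "params": [{"to": SAMPLE_CONTRACT}, "latest"]},
                "response": abi_encode_string("function stage(){}")}),
    json.dumps({"process": "chrome.exe", "host": "mainnet.infura.io",
                "request": {"method": "eth_call", "params": [{"to": SAMPLE_CONTRACT}, "latest"]},
                "response": abi_encode_string("hello")}),
    json.dumps({"process": "node.exe", "host": "mainnet.infura.io",
                "request": {"method": "eth_blockNumber", "params": []}, "response": "0x1"}),
]
```

Only the `node.exe` call whose returned string looks like JavaScript is raised; the browser's call and the block-number query pass through.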

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.