Google Threat Intelligence Group has published research detailing how a North Korean threat group is using an advanced blockchain-based method, named “EtherHiding,” to deploy malware and steal digital assets and data.
This research represents the first documented case of a nation-state actor utilising the EtherHiding technique, which involves leveraging public blockchains to conceal and deliver malicious instructions for malware distribution. Google’s security analysts have linked the activity to a threat cluster known as UNC5342, which has integrated EtherHiding into a sophisticated social engineering operation targeting software developers since early 2025.
Social engineering campaign
UNC5342’s campaign, referred to in the industry as “Contagious Interview,” is designed to compromise victims through elaborate recruitment scams targeting developers in technology and digital currency sectors. Attackers impersonate recruiters from known technology or cryptocurrency firms on platforms such as LinkedIn, set up fake company websites, and contact potential victims with attractive job offers. In the later stages, phoney technical assessments or coding tasks are used to lure targets into downloading what turn out to be malware-laden files.
The files, typically in the form of a downloader known as JADESNOW, are delivered mainly through popular developer platforms such as GitHub and npm. Once executed, these files deploy additional malware stages, including credential stealers and backdoors, often targeting Windows, macOS, and Linux systems. The chain culminates in INVISIBLEFERRET, a Python-based backdoor granting persistent, covert access to the infected system.
EtherHiding technique
EtherHiding is a multi-stage attack method that stores encrypted malicious code as payloads within smart contracts deployed on blockchains such as Ethereum and BNB Smart Chain. A small loader script is initially injected into a compromised site or sent to the victim. When executed, it queries the blockchain via standard API services using “read-only” calls, which create no transaction on the blockchain and incur no fees. This approach lets attackers retrieve their payloads anonymously at any time and update them repeatedly with new malware as required.
Because the code is stored on a decentralised and permissionless ledger, traditional cybersecurity responses such as takedown or blocklisting are far less effective. The perpetrators exploit both the immutability and anonymity offered by blockchains, which hinders attribution and impedes any direct intervention by network defenders or law enforcement.
This development signals an escalation in the threat landscape, as nation-state threat actors are now utilising new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns.
Robert Wallace, Consulting Leader at Mandiant – Google Cloud, further underscored the significance of this shift.
Modus operandi and risks
The attack chain begins with social engineering and proceeds through several carefully sequenced technological stages. Initial compromise often relies on phishing tactics, with malware distributed as part of fake coding assignments or through download links sent during supposed interview processes. After initial infection, subsequent payloads are fetched directly from blockchain smart contracts, rendering forensic and network-based detection challenging.
This multi-platform threat focuses on the theft of cryptocurrency wallets, login credentials, and private data stored in browsers. For high-value targets, a persistent backdoor enables long-term espionage and further lateral movement inside an organisation’s network. A distinguishing feature of the campaign is the flexibility with which UNC5342 switches between different blockchain networks to store payloads, complicating tracking and analysis while reducing operational costs due to lower transaction fees.
Malicious use of legitimate technologies
Smart contracts residing on blockchains are publicly accessible and permanently stored, properties that are being repurposed for command-and-control functions by threat actors such as UNC5342. Unauthorised but creative exploitation of these technical features allows for malware delivery to remain resilient against standard defensive measures.
Significantly, both UNC5342 and another financially motivated actor, UNC5142, rely on centralised API services, rather than direct blockchain node access, to interact with blockchains. In practice, this reliance gives defenders potential points at which to disrupt the operation. While some API service providers have acted to limit access by identified malicious actors, others have at times remained unresponsive, reportedly raising concerns about broader risk and possible proliferation of the technique.
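As an added defensive example (not code from the report or from Google), the following Python scans constructed outbound proxy log lines for JSON-RPC eth_call requests, the read-only contract query described in the EtherHiding section above, as they would pass through the centralised API services the actors are said to rely on. It flags calls aimed at contract addresses on an indicator list and calls issued by processes not expected to query a chain; the log format, the process allowlist and the placeholder contract addresses are all assumptions.

```python
import json
import re

# Constructed sample of outbound proxy log entries, one per line:
# "<process> <JSON-RPC request body>". All values are made up for this example;
# the contract addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
node.exe {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}
node.exe {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000BEEF","data":"0x20965255"},"latest"]}
wallet-app {"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000c0de","data":"0x70a08231"},"latest"]}
python.exe {"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000beef","data":"0x20965255"},"latest"]}
"""

# Placeholder indicator list (a real one would come from the published report).
KNOWN_BAD_CONTRACTS = {"0x000000000000000000000000000000000000beef"}
# Processes expected to issue read-only chain queries on this host (assumption).
ALLOWED_CALLERS = {"wallet-app"}
ADDR_RE = re.compile(r"^0x[0-9a-f]{40}$")

def classify(proc, req):
    """Return (contract address, alert reasons) for one request; reasons is empty if benign."""
    if req.get("method") != "eth_call":
        return "", []          # only eth_call reads contract state
    params = req.get("params") or [{}]
    call = params[0] if isinstance(params, list) and isinstance(params[0], dict) else {}
    to = str(call.get("to", "")).lower()   # normalise case before matching
    reasons = []
    if not ADDR_RE.match(to):
        reasons.append("malformed contract address")
    elif to in KNOWN_BAD_CONTRACTS:
        reasons.append("eth_call to flagged contract")
    if proc not in ALLOWED_CALLERS:
        reasons.append(f"unexpected process {proc} issuing eth_call")
    return to, reasons

def scan(log_text):
    """Return [(process, contract address, reasons)] for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        proc, _, body = line.partition(" ")
        try:
            req = json.loads(body)
        except json.JSONDecodeError:
            continue           # not a JSON-RPC body; ignore the line
        to, reasons = classify(proc, req)
        if reasons:
            hits.append((proc, to, reasons))
    return hits
```

Running scan(SAMPLE_LOG) flags the two requests to the placeholder address and leaves the wallet's balance query and the block-number call alone.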
Defensive strategies
According to Google, traditional approaches like domain blocklisting or disrupting malicious file downloads may help, but EtherHiding presents added complexity. Recommended defences include centralised control measures, particularly for enterprise environments. For instance, Chrome Enterprise allows administrators to enforce download restrictions on dangerous file types and manage browser updates automatically, thus preventing malware installation prompted by fake update pop-ups or deceptive phishing tactics. Configuring enhanced Safe Browsing and URL blocklists within browsers offers an additional layer of protection.
Google Threat Intelligence Group’s research details several technical indicators, including specific blockchain contract addresses and cryptographic hashes associated with the campaign’s malware samples, which can help cybersecurity teams detect or block components of the campaign.
Call for vigilance
The research highlights the continued evolution of cyber threats that leverage advancements in widely-adopted technologies such as blockchains. The use of immutable, decentralised hosting via smart contracts, together with targeted social engineering, reinforces the need for updated security measures that can adapt to rapidly changing adversarial methods.
