
    DPRK and EtherHiding: UNC5342 hides malware in smart contracts on Ethereum and BNB Smart Chain

    Just last week we reviewed another security report on a compromise of development components on an unprecedented scale, and on the significant role of the DPRK in it. This time the subject is how Google identified a new attack tactic with DPRK and EtherHiding: UNC5342 hides malware in Ethereum and BNB Smart Chain smart contracts. The key point is that the North Korean cluster UNC5342 began using the EtherHiding technique to deliver and control malicious components in an active social engineering campaign. Although individual elements of the operation align with earlier activity by other clusters, such as CLEARFAKE (UNC5142), UNC5342 introduced its own stack of JADESNOW and INVISIBLEFERRET, relying on both BNB Smart Chain and Ethereum.


    A Brief Technical Perspective: How EtherHiding Works in UNC5342’s Implementation

    EtherHiding functions as a decentralized, takedown-resistant C2 loop. Malicious code is embedded into a smart contract on a public network, after which the loader running in the victim’s browser retrieves the encrypted payload via read-only calls such as eth_call. Such reads create no on-chain events and require no gas, which lowers operational visibility and makes domain- and IP-level blocking less effective. Importantly, in this campaign the payload data can be updated without touching the victim site’s infrastructure: it is enough to modify values in the smart contract, and the new instructions are picked up on the next request.

    Another notable aspect of UNC5342’s technical implementation is variability: in several transactions, the loader switches the source between Ethereum and BNB Smart Chain, which simultaneously complicates analysis and allows fee savings. Contract values were updated regularly, more than 20 times over the first four months, with an average cost per operation of about $1.37 – sufficient to flexibly change the campaign configuration without generating additional network noise.

    Social Engineering and the Infection Chain

    Social engineering has already become an integral feature of intrusions, and this campaign is no exception. It imitates legitimate hiring processes and technical interviews: fake recruiters communicate in messengers and move the candidate to a test task or project review that requires downloading and running materials from public repositories. The first stage of compromise starts with a JavaScript downloader from the JADESNOW family, distributed, among other channels, through npm packages. The JavaScript payload then executes, collects data, pulls the next component, and prepares the installation of the long-lived backdoor INVISIBLEFERRET.

    For high-value targets, the chain adds a persistent backdoor and a credential stealer module. Crypto wallets and browsers, including MetaMask and Phantom (which we analyzed in detail earlier), also end up in scope, as do password managers and saved credentials.

    On-Chain Artifacts and Payload Extraction Method

    UNC5342 uses the smart contract 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c on BNB Smart Chain. The initial loader contacts it through API providers and extracts values from the Data field. They are Base64-encoded and additionally XOR-encrypted; after decryption, the loader assembles them into an array of strings and forms a set of API calls to specific transaction hashes on Ethereum. In these transactions, the operators employ the controlled address 0x9bc1355344b54dedf3e44296916ed15653844509.

    At the final stage, the operators do not store the payload as data in an Ethereum contract. Instead, the code requests the transaction history of the attackers’ address and reads the calldata of transfers to the well-known burn address 0x00…dEaD. In this way, they move the payload’s location between networks and addresses without changing client logic – it is enough to send a new transaction with updated encrypted content. In essence, this is a Dead Drop Resolver model, which increases infrastructure resilience.

    GTIG explicitly points to the linking transactions for INVISIBLEFERRET.JAVASCRIPT in Ethereum, including 0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a. The payload establishes a connection to C2 on 3306/tcp, gathers host system parameters, and runs in the background, accepting commands for execution, directory changes, and exfiltration. The operators move individual components into different transactions – for example, 0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cdf0f and 0xf9d432745ea15dbc00ff319417af3763f72fcf84d4ebedbfceeef4246847ce41 – and thereby distribute artifacts across chains, complicating static linkage of the entire scheme with a single indicator.

    Centralized Dependencies as a Window for Defense

    Despite the decentralized storage layer, both clusters – UNC5142 and UNC5342 – interact with the blockchains not directly but through centralized intermediaries. CLEARFAKE used third-party RPC endpoints for requests to BNB Smart Chain; UNC5342 depends on API providers and blockchain explorers for reading transaction data. This nuance creates observation and control points in classic Web2 infrastructure: providers can tag addresses and contracts and restrict API access, and corporate networks can block specific URLs and request patterns. GTIG notes that several responsible services quickly constrained the abuse, but some platforms remain indifferent, which increases the risk that other actors will replicate the method.
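    Because the reads described above (eth_call against the BNB Smart Chain contract, transaction lookups on Ethereum, explorer queries for the operator address) leave no on-chain trace, the place a defender can still see them is the outbound HTTP proxy in front of those centralized providers. The following is an added detection example, not code from the GTIG report or from this article: it scans JSON-lines proxy records for JSON-RPC calls and explorer URLs that reference the indicators quoted in the text. The record layout, the provider hostnames (.invalid placeholders) and the sample lines are constructed; the burn address is spelled out in full from the well-known 0x00…dEaD sink named above.

```python
import json
from dataclasses import dataclass

# Indicators relayed in the text above. Everything is compared in lowercase so
# that checksummed or upper-case spellings of an address still match.
WATCHED_ADDRESSES = {
    "0x8eac3198dd72f3e07108c4c7cff43108ad48a71c",  # UNC5342 contract on BNB Smart Chain
    "0x9bc1355344b54dedf3e44296916ed15653844509",  # operator-controlled Ethereum address
    "0x" + "0" * 36 + "dead",                       # well-known burn address used as payload sink
}
WATCHED_TX_HASHES = {
    "0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a",  # linking tx from the report
}


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    reason: str


def _norm(value) -> str:
    return value.lower() if isinstance(value, str) else ""


def inspect_rpc(ts: str, src: str, host: str, body) -> list:
    """Return alerts for one JSON-RPC request body (single object or batch)."""
    alerts = []
    for call in (body if isinstance(body, list) else [body]):
        if not isinstance(call, dict):
            continue
        method = call.get("method", "")
        params = call.get("params") or []
        if method == "eth_call" and params and isinstance(params[0], dict):
            # Read-only contract read: no gas, no on-chain event, only the proxy sees it.
            to = _norm(params[0].get("to"))
            if to in WATCHED_ADDRESSES:
                alerts.append(Alert(ts, src, host, f"eth_call to watched contract {to}"))
        elif method == "eth_getTransactionByHash" and params:
            tx = _norm(params[0])
            if tx in WATCHED_TX_HASHES:
                alerts.append(Alert(ts, src, host, f"lookup of watched transaction {tx}"))
        elif method == "eth_getLogs" and params and isinstance(params[0], dict):
            addr = params[0].get("address")
            for a in (addr if isinstance(addr, list) else [addr]):
                if _norm(a) in WATCHED_ADDRESSES:
                    alerts.append(Alert(ts, src, host, f"eth_getLogs on watched address {_norm(a)}"))
    return alerts


def inspect_url(ts: str, src: str, host: str, url: str) -> list:
    """Flag explorer/REST queries whose URL names a watched address or transaction hash."""
    low = _norm(url)
    hits = [i for i in WATCHED_ADDRESSES | WATCHED_TX_HASHES if i in low]
    return [Alert(ts, src, host, f"explorer query referencing {h}") for h in hits]


def scan_proxy_log(lines) -> list:
    """Scan JSON-lines proxy records {"ts","src","host","url","body"} for the indicators."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a structured record
        if not isinstance(rec, dict):
            continue
        ts, src, host = rec.get("ts", ""), rec.get("src", ""), rec.get("host", "")
        alerts.extend(inspect_url(ts, src, host, rec.get("url", "")))
        try:
            body = json.loads(rec.get("body") or "")
        except ValueError:
            continue  # empty or non-JSON body: nothing RPC-shaped to inspect
        alerts.extend(inspect_rpc(ts, src, host, body))
    return alerts


# Constructed sample records; hostnames are placeholders, not real providers.
def _rec(ts, src, host, url, body=None):
    return json.dumps({"ts": ts, "src": src, "host": host, "url": url,
                       "body": json.dumps(body) if body is not None else ""})


SAMPLE_LOG = [
    _rec("2025-10-17T10:01:02Z", "10.0.0.21", "bsc-rpc.provider.invalid", "/",
         {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
          "params": [{"to": "0x8EAC3198DD72F3E07108C4C7CFF43108AD48A71C", "data": "0x"}, "latest"]}),
    _rec("2025-10-17T10:01:03Z", "10.0.0.21", "bsc-rpc.provider.invalid", "/",
         {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
    _rec("2025-10-17T10:01:05Z", "10.0.0.21", "eth-rpc.provider.invalid", "/",
         {"jsonrpc": "2.0", "id": 3, "method": "eth_getTransactionByHash",
          "params": ["0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a"]}),
    _rec("2025-10-17T10:01:06Z", "10.0.0.21", "explorer.invalid",
         "/api?module=account&action=txlist&address=0x9bc1355344b54dedf3e44296916ed15653844509"),
    "not a json line",
    _rec("2025-10-17T10:02:00Z", "10.0.0.44", "eth-rpc.provider.invalid", "/",
         {"jsonrpc": "2.0", "id": 4, "method": "eth_call",
          "params": [{"to": "0x1111111111111111111111111111111111111111"}, "latest"]}),
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.host}: {a.reason}")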

    For corporate defense, GTIG highlights managed browser policy via Chrome Enterprise. Centralized application of DownloadRestrictions allows blocking the final stage – saving and launching a file that the user receives from a fake pop-up offering to update Chrome. Managed Updates remove the very pretext for social engineering, and URLBlocklist and Safe Browsing block access to known nodes and detect malicious downloads in real time. This transfer of the decision point from the user to an administered policy reduces the effectiveness of the recruitment scenarios exploited by UNC5342.

    Stack 10% More on Your First BTCC Deposit


    Start Trading

    Attacks Get Craftier, Systems Are Imperfect, and the Human Factor Is the Weakest Link

    Documenting the first use of EtherHiding by a nation-state actor demonstrates the maturity of the technique as a durable substitute for traditional C2 platforms. The ability to update configuration through inexpensive transactions, retrieve data via read-only calls, and switch between networks turns public blockchains into long-lived registries of control signals. This clearly points to a rise in attacks where legitimate on-chain mechanisms become part of the kill chain, and detection must account not only for network and file telemetry, but also for anomalous calls to specific contracts and sink addresses. Naturally, for development teams, this is another reminder in favor of strict hiring procedures and test task verification, since the initial compromise begins far beyond smart contracts. Stay tuned for the latest updates and opportunities in the new economycrypto industry, and blockchain developments.

     

    Latest articles

    Related articles