A new Golang-based infostealer named SharkStealer has emerged as one of the latest examples of threat actors leveraging blockchain technology for stealth and persistence.
Security researchers discovered that the malware uses the BNB Smart Chain (BSC) Testnet to conceal its command‑and‑control (C2) infrastructure through a tactic known as EtherHiding, allowing it to blend malicious communications with legitimate blockchain activity.
EtherHiding is a growing malware tactic in which attackers store key data or code fragments within smart contracts on public blockchains. SharkStealer adopts this method by issuing Ethereum JSON-RPC calls, specifically eth_call requests, to the BSC Testnet.
The blockchain responses return a tuple containing an initialization vector (IV) and an encrypted payload. The payload conceals the malware’s C2 address, which the binary then decrypts locally using a hardcoded AES key in Cipher Feedback (CFB) mode along with the returned IV.
This approach effectively turns the blockchain into a dead-drop for encrypted C2 data, ensuring threat actors maintain a resilient and tamper-resistant communication method.
Because blockchain transactions cannot easily be altered or blocked without disrupting legitimate use cases, traditional network defense measures such as domain reputation scoring or sinkholing become far less effective.
Threat actors gain the further advantage of being able to update or rotate C2 servers by redeploying smart contracts rather than relying on hijacked domains or exposed infrastructure.
Analysis from VMRay and threat researchers shows that SharkStealer connects to the BSC Testnet RPC node at data-seed-prebsc-2-s1.binance[.]org:8545.
The malware queries at least two smart contracts, identified as 0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf, both using function selector 0x24c12bf6.
A sample associated with the campaign has the SHA‑256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274. Once the payload is decrypted, the malware retrieves its active C2 servers, which in this case include 84.54.44[.]48 and securemetricsapi[.]live.
This mechanism significantly complicates static and dynamic analysis, since the C2 is not hardcoded in plaintext and must be resolved at runtime using blockchain data.

The method demonstrates how threat actors can adopt decentralized infrastructure to minimize traceability and ensure continuity even if part of the network is disrupted.
The adoption of blockchain-based communication channels marks an essential evolutionary step in malware design.
As defenders increase visibility over traditional web-based infrastructure, adversaries have turned toward decentralized environments that offer resilience, anonymity, and censorship resistance.
EtherHiding exemplifies this shift, offering cybercriminals a covert and reliable means of distributing or updating components long after initial detection.
Security teams are advised to improve their ability to monitor blockchain-related traffic, especially Ethereum RPC activity on corporate endpoints, to detect anomalous behaviors indicative of malicious contract interaction.
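One way to act on that advice, as an added example that is not part of the original report or of any vendor tooling: a small inspector for outbound JSON-RPC requests (as captured by a proxy or EDR network log) that flags eth_call traffic to the BSC Testnet node, the two contract addresses and the function selector named above. The log entries are constructed for illustration; the indicator values themselves come from the report.

```python
import json

# Indicators from the report, with defanging brackets removed so they can be matched.
BSC_TESTNET_RPC = "data-seed-prebsc-2-s1.binance.org:8545"
SHARKSTEALER_CONTRACTS = {
    "0xc2c25784e78aee4c2cb16d40358632ed27eeaf8e",
    "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf",
}
SHARKSTEALER_SELECTOR = "0x24c12bf6"  # first 4 bytes of calldata


def inspect_rpc_request(host: str, body: str) -> list[str]:
    """Return the indicator hits for one outbound JSON-RPC request (empty list = no hit)."""
    reasons: list[str] = []
    try:
        req = json.loads(body)
    except ValueError:
        return reasons  # not JSON-RPC at all
    if req.get("method") != "eth_call":
        return reasons  # EtherHiding resolution relies on eth_call
    params = req.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    to = str(call.get("to", "")).lower()
    data = str(call.get("data", "")).lower()
    if host.lower() == BSC_TESTNET_RPC:
        reasons.append("eth_call to BSC Testnet RPC node from an endpoint")
    if to in SHARKSTEALER_CONTRACTS:
        reasons.append(f"known SharkStealer contract {to}")
    if data[:10] == SHARKSTEALER_SELECTOR:
        reasons.append(f"function selector {SHARKSTEALER_SELECTOR}")
    return reasons


def scan_log(entries: list[tuple[str, str]]) -> list[tuple[int, list[str]]]:
    """Run the inspector over (host, body) pairs and keep only entries with at least one hit."""
    hits = [(i, inspect_rpc_request(h, b)) for i, (h, b) in enumerate(entries)]
    return [(i, r) for i, r in hits if r]


# Constructed sample log: one request mirroring the reported C2 lookup, one benign
# mainnet-style balance query, and one eth_call to an unrelated contract on the testnet node.
SAMPLE_PROXY_LOG = [
    (BSC_TESTNET_RPC, '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":'
     '"0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E","data":"0x24c12bf6"},"latest"]}'),
    ("mainnet-rpc.example.org:443", '{"jsonrpc":"2.0","id":2,"method":"eth_getBalance",'
     '"params":["0x0000000000000000000000000000000000000001","latest"]}'),
    (BSC_TESTNET_RPC, '{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":'
     '"0x000000000000000000000000000000000000dead","data":"0x70a08231"},"latest"]}'),
]

if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(f"entry {idx}: {len(reasons)} indicator(s): {'; '.join(reasons)}")
```

Three hits on one request (testnet node, known contract, known selector) is the strong signal; a lone eth_call to the testnet node from a workstation is a weaker one worth triaging rather than blocking outright.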
The rise of SharkStealer reinforces how blending Web3 mechanisms with conventional malware threatens to blur the line between legitimate decentralized technologies and covert cyber operations.
Indicators of compromise:
- BSC Testnet RPC: data-seed-prebsc-2-s1.binance[.]org:8545
- Smart contracts and function selector:
  - 0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E, function 0x24c12bf6
  - 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf, function 0x24c12bf6
- Sample SHA-256: 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274
- Observed C2s: 84.54.44[.]48, securemetricsapi[.]live
