A state-sponsored North Korean hacking group is using blockchain smart contracts to deploy hard-to-detect malware and steal cryptocurrency in a dangerous new wave of cyberattacks.
Quick Summary – TLDR:
- North Korean group UNC5342 is using blockchain to hide malware in smart contracts
- Technique called EtherHiding helps bypass traditional security methods
- Campaigns target developers through fake job offers and malware-laced coding tests
- The malware enables theft of crypto wallets, credentials, and long-term spying
What Happened?
Google’s Threat Intelligence Group has uncovered how North Korean hackers are embedding malware in public blockchains, making their operations nearly impossible to take down. This marks the first time a nation-state has used the EtherHiding technique, previously seen only in financially driven cyberattacks. These attacks blend social engineering, decentralized storage, and smart contracts to steal digital assets and sensitive data.
What is EtherHiding?
It’s a novel technique where the attackers embed malicious payloads (like JADESNOW and INVISIBLEFERRET malware) within smart contracts on public blockchains (like BNB Smart Chain and Ethereum). https://t.co/AyKeSuPyWW
— blackorbird (@blackorbird) October 16, 2025
North Korean Hackers Turn to Blockchain
The North Korean threat actor, tracked as UNC5342, has incorporated a blockchain-based malware delivery system known as EtherHiding. This method hides malicious code inside smart contracts on public blockchains like Ethereum and BNB Smart Chain. Unlike traditional hosting, this infrastructure is immutable, decentralized, and resistant to takedown, giving attackers a persistent presence on the web.
According to Google, UNC5342 has been using EtherHiding since early 2025 in a campaign dubbed “Contagious Interview.” The group poses as recruiters from fake companies such as “BlockNovas LLC” or “Angeloper Agency” on platforms like LinkedIn. They approach developers with fraudulent job offers, then lure them into downloading malicious test files from trusted sources like GitHub and npm.
Once downloaded, a malware downloader called JadeSnow retrieves encrypted code from blockchain smart contracts. This code installs a persistent backdoor named InvisibleFerret, which grants remote access, harvests credentials, and targets browser-based crypto wallets like MetaMask and Phantom.
Financially Motivated Hackers Join In
Another group, UNC5142, is also leveraging EtherHiding for profit-driven campaigns. This group compromises thousands of WordPress sites and injects JavaScript, collectively named ClearShort, that fetches second-stage malware from blockchain contracts. These scripts send users to attacker-controlled pages hosted on legitimate platforms like Cloudflare’s Pages.dev.
UNC5142’s infrastructure is cleverly engineered to mimic a software proxy pattern, using a three-tier contract system:
- A router to manage traffic.
- A system to fingerprint the victim’s environment.
- A contract that stores encrypted payloads.
This design lets attackers update malware across thousands of sites for just a few dollars in transaction fees. Google researchers estimate it costs between 25 cents and $1.50 to push new commands, making this approach both scalable and low-cost.
Blockchain Makes Takedown Nearly Impossible
Because the malicious code resides in smart contracts, defenders cannot easily remove it. Traditional indicators like domains or IP addresses don’t apply here. Even if a smart contract is flagged as malicious, its content stays online permanently.
Although the groups use decentralized blockchains, they rely on centralized API services like public RPC endpoints to fetch data. These access points provide a rare opportunity for defenders to intervene, but cooperation from service providers has been inconsistent. In UNC5342’s case, some platforms responded quickly to reports, while others did not.
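As an added illustration of the intervention point described above (example code, not from the article or from Google's report): a read-only eth_call never lands on-chain, but it still crosses the network as a JSON-RPC POST to an RPC endpoint, so egress proxy logs can surface it. The log shape, process names, RPC hosts, contract addresses and allowlist below are all constructed placeholders.

```python
import json

# Constructed sample proxy records (hypothetical log shape, not from any real tool):
# the sending process, the RPC host and the raw JSON-RPC POST body.
SAMPLE_RECORDS = [
    {"process": "chrome.exe", "host": "rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'},
    {"process": "node.exe", "host": "bsc-rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":'
             '"0x1111111111111111111111111111111111111111","data":"0xdeadbeef"},"latest"]}'},
    {"process": "powershell.exe", "host": "rpc.example.net",
     "body": '[{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":'
             '"0x2222222222222222222222222222222222222222","data":"0x01020304"},"latest"]}]'},
]
ALLOWED_CONTRACTS = {"0x1111111111111111111111111111111111111111"}  # placeholder allowlist
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # browsers hosting wallets

def extract_eth_calls(body):
    """Return [(to_address, 4-byte selector)] for every eth_call in a JSON-RPC body.
    Handles single and batch (array) requests; unparsable input yields []."""
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    requests = payload if isinstance(payload, list) else [payload]
    calls = []
    for req in requests:
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params") or []
        if not params or not isinstance(params[0], dict):
            continue
        to = str(params[0].get("to") or "").lower()
        calls.append((to, str(params[0].get("data") or "0x")[:10]))
    return calls

def triage(records, allowed=ALLOWED_CONTRACTS, expected=EXPECTED_CLIENTS):
    """Flag contract reads that are off-allowlist or come from an unexpected process."""
    findings = []
    for rec in records:
        for to, selector in extract_eth_calls(rec["body"]):
            reasons = []
            if to not in allowed:
                reasons.append("contract not allowlisted")
            if rec["process"].lower() not in expected:
                reasons.append("unexpected client process")
            if reasons:
                findings.append({"process": rec["process"], "host": rec["host"],
                                 "to": to, "selector": selector, "reasons": reasons})
    return findings
```

The selector and target address in each finding are what an analyst would pivot on next (which contract, which function) when asking an RPC provider to act.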
The malware also takes advantage of social engineering tricks, like fake Chrome update prompts or Cloudflare verifications, to convince users to install harmful scripts. In several instances, victims were tricked into running hidden PowerShell commands that fetched final-stage payloads disguised as media files.
What Makes EtherHiding Dangerous?
- Stealth: It uses read-only blockchain calls that leave no on-chain trace.
- Persistence: Smart contracts are immutable and stay online forever.
- Flexibility: Malware updates require just a small blockchain transaction.
- Anonymity: Blockchain’s pseudonymous nature hides the attacker’s identity.
The combination of social manipulation, cross-platform malware, and blockchain infrastructure has made these campaigns alarmingly effective. InvisibleFerret, the final payload, is capable of long-term spying, credential theft, and exfiltration to private Telegram channels or attacker-controlled servers.
SQ Magazine Takeaway
I’ve seen malware campaigns evolve fast over the years, but this is a chilling leap. These hackers have found a way to exploit blockchain’s strengths for all the wrong reasons. With smart contracts offering unblockable command centers, traditional cybersecurity tools are left scrambling. What makes it worse? The social engineering is top-notch. Fake recruiters, slick interview setups, and legit platforms like GitHub are all designed to feel trustworthy. This isn’t just a North Korean problem. Any cybercriminal can copy this technique, which is why it’s critical for developers, security teams, and even job seekers to stay alert. The future of malware may very well live on the blockchain.