Google: Hackers use EtherHiding on public blockchains

The “EtherHiding” technique uses Ethereum and BNB chains to conceal malicious code beyond the reach of takedowns.

by Kerem Gülen
October 17, 2025
in Cybersecurity, DeFi & Blockchain, News

At least two distinct hacking organizations, including a North Korean state-linked actor and a financially motivated criminal group, are leveraging public blockchains to conceal and manage malware, according to research from Google’s Threat Intelligence Group. This method makes their operations highly resistant to conventional takedown efforts.

The technique, which researchers have named EtherHiding, fundamentally alters how attackers manage and deploy malicious code by embedding instructions within smart contracts on public blockchains instead of relying on conventional command-and-control servers. This approach leverages the decentralized and immutable characteristics of blockchain technology to create what the research describes as a “bulletproof” infrastructure. Robert Wallace, a consulting leader at Mandiant, a part of Google Cloud, characterized the development as an “escalation in the threat landscape.” He noted that hackers have developed a method that is “resistant to law enforcement takedowns” and can be “easily modified for new campaigns.” The core design of the blockchain ensures that once data is recorded, it cannot be altered or removed, providing attackers with a persistent and reliable platform for their operations that is not subject to the typical takedown procedures targeting centralized servers.

EtherHiding was first observed in 2023 during a campaign known as ClearFake, where cybercriminals with financial motivations used fake browser update prompts to lure victims. The underlying concept involves storing malicious code or commands within a blockchain transaction or, more commonly, a smart contract. Attackers then retrieve this information using read-only calls to the blockchain. Because these calls do not write new data or transfer assets, they do not create visible transactions on the public ledger. This stealth allows the malware to receive instructions without leaving a clear trail for security analysts. As a result, defenders cannot depend on traditional indicators of compromise, such as malicious domains or IP addresses, which are central to conventional threat detection and blocking. The report states that for as long as the blockchain remains operational, the “malicious code remains accessible.”

Researchers identified that the two groups adapted EtherHiding for different objectives. The North Korean-affiliated group, tracked as UNC5342, incorporates the technique into sophisticated social engineering campaigns designed to infiltrate the networks of developers and cryptocurrency firms. In contrast, the financially driven group UNC5142 employs EtherHiding to facilitate the widespread distribution of information-stealing malware by compromising a large number of WordPress websites.

The North Korean threat group UNC5342 integrated the EtherHiding technique into a broader operation that Palo Alto Networks previously named the Contagious Interview campaign. This campaign involves social engineering tactics where the attackers impersonate recruiters on professional networking sites like LinkedIn and various job boards. They approach software developers with fraudulent job offers from fabricated companies, with “BlockNovas LLC” and “Angeloper Agency” being two examples of the fake firm names used. The attackers aim to build a rapport with their targets before moving them to the next stage of the attack.

After establishing initial contact, the actors behind UNC5342 would lure the targeted developers into staged interviews conducted on encrypted messaging applications such as Telegram and Discord. During what was presented as a technical assessment or coding challenge, the victims were instructed to download and execute files from public repositories on GitHub or npm. These files purported to be part of the interview process but secretly contained malware payloads. The primary malware families identified in this campaign are JadeSnow, a downloader, and InvisibleFerret, a backdoor. Both of these malicious tools are engineered to use EtherHiding for their command-and-control communications, connecting to attacker-controlled smart contracts deployed on both the Ethereum and BNB Smart Chain networks to receive instructions.

The infection chain initiated by UNC5342 is methodical. The JadeSnow downloader is the first component to execute on a victim’s system. It is programmed to query specific smart contracts on the blockchain to fetch encrypted JavaScript payloads. These payloads, once decrypted, are responsible for delivering the main backdoor, InvisibleFerret. Once the InvisibleFerret malware is installed and active on a compromised machine, it grants the attackers a wide range of capabilities. These include the ability to exfiltrate sensitive data, capture user credentials, and exercise remote control over the infected system. In some observed instances, researchers noted that InvisibleFerret deployed an additional credential-stealing module specifically designed to target web browsers and popular cryptocurrency wallets like MetaMask and Phantom. The data stolen through these activities is then exfiltrated to attacker-controlled servers and also sent to private Telegram channels. The campaign serves a dual purpose for the North Korean regime: generating illicit revenue through cryptocurrency theft and gathering strategic intelligence from the compromised developers and their employers.

In a separate investigation, Google Mandiant detailed the activities of UNC5142, a financially motivated threat actor that also relies on EtherHiding. This group’s primary objective is to infect a vast number of websites to distribute various families of information-stealing malware. The group’s method involves compromising WordPress sites that have security vulnerabilities and injecting them with malicious JavaScript downloaders, which are collectively referred to as ClearShort. These scripts are designed to use smart contracts on the BNB Smart Chain as a resilient control layer, fetching second-stage payloads or redirecting victims to attacker-hosted landing pages.

UNC5142’s operational infrastructure is notable for its extensive use of legitimate services to mask its malicious activities. The group hosts its malicious landing pages on Cloudflare’s pages.dev service, making the traffic appear more legitimate, while the core command-and-control information is stored on the blockchain. By mid-2025, Google’s team had identified traces of UNC5142’s injected scripts on approximately 14,000 distinct websites. The group’s architecture also evolved, shifting from a single smart contract to a more complex three-tier system that mimics a software “proxy pattern.” This advanced structure consists of a router contract that directs traffic, a fingerprinting contract to profile the victim’s system, and a payload contract that stores encrypted data and decryption keys. This design allows the attackers to update their infrastructure, such as lure URLs or encryption keys, across thousands of infected sites simultaneously through a single blockchain transaction, which can cost as little as one dollar in network fees.

To deliver its final payloads, UNC5142 employs social engineering tactics, such as displaying fake Cloudflare verification pages or fraudulent Chrome browser update prompts. These lures are designed to persuade victims to execute malicious commands, typically hidden within what appears to be a legitimate action. Successful execution leads to the delivery of potent infostealers, including Vidar, Lummac.V2, and RadThief. The group’s campaigns demonstrate a clear progression in technical sophistication, with a move toward stronger encryption standards like AES-GCM and more advanced obfuscation techniques. In one documented example, the attacker’s JavaScript fetched encrypted HTML from Cloudflare, which was then decrypted on the client side. This decrypted page prompted the user to run a hidden PowerShell command that downloaded the final payload, often disguised as a benign media file.

Analysis of blockchain transactions revealed that UNC5142 maintained at least two parallel infrastructures, which researchers dubbed Main and Secondary. Both used identical smart contract code and were funded by cryptocurrency wallets linked through the OKX exchange. The attackers were observed updating both infrastructures within minutes of each other, an action that strongly suggests coordinated control by a single, organized actor.

The research highlights that neither UNC5342 nor UNC5142 interacts directly with blockchain nodes. Instead, they depend on centralized services, such as public Remote Procedure Call (RPC) endpoints or third-party API providers, to fetch data from the blockchain. This dependency creates what researchers call “points of observation and control,” where defenders or service providers could potentially intervene. In the case of UNC5342, researchers contacted several API providers that were being used in the campaign. The response was inconsistent; while some providers acted quickly to block the malicious activity, others did not. This uneven cooperation, researchers said, “increases the risk of this technique proliferating among threat actors.”
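Turning that observation into a concrete check, as an added example that is not from the report or from any Google tooling: the script below scans constructed outbound-proxy records for read-only JSON-RPC contract reads (eth_call and similar) sent to chain RPC providers by processes that have no business talking to a blockchain. The RPC hostnames, the process allowlist and the sample records are all assumed placeholders.

```python
import json

# Read-only JSON-RPC methods that fetch smart-contract state without creating an
# on-chain transaction, which is how the report says the loaders retrieve payloads.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}

# Assumed environment policy: only browsers are expected to reach chain RPC
# endpoints. The hostnames below are placeholders, not real providers.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}
RPC_HOSTS = {"rpc.example-provider.invalid", "api.example-chain.invalid"}

# Constructed sample of outbound proxy records: destination host, requesting process, POST body.
SAMPLE_RECORDS = [
    {"host": "rpc.example-provider.invalid", "process": "node.exe",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
             '"params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x"},"latest"]}'},
    {"host": "rpc.example-provider.invalid", "process": "chrome.exe",
     "body": '{"jsonrpc":"2.0","id":2,"method":"eth_call",'
             '"params":[{"to":"0x2222222222222222222222222222222222222222","data":"0x"},"latest"]}'},
    {"host": "api.example-chain.invalid", "process": "powershell.exe",
     "body": '[{"jsonrpc":"2.0","id":3,"method":"eth_blockNumber","params":[]},'
             '{"jsonrpc":"2.0","id":4,"method":"eth_getStorageAt",'
             '"params":["0x3333333333333333333333333333333333333333","0x0","latest"]}]'},
    {"host": "cdn.example.invalid", "process": "powershell.exe", "body": "not json"},
]


def contract_address(call):
    """Return the contract a call targets: a dict 'to' for eth_call, a bare address otherwise."""
    params = call.get("params") or []
    if not params:
        return None
    first = params[0]
    return first.get("to") if isinstance(first, dict) else first


def flagged_calls(record):
    """Return read-only contract reads sent to an RPC host by an unexpected process."""
    if record["host"] not in RPC_HOSTS or record["process"] in EXPECTED_CLIENTS:
        return []
    try:
        body = json.loads(record["body"])
    except json.JSONDecodeError:
        return []
    calls = body if isinstance(body, list) else [body]  # JSON-RPC allows batched requests
    return [
        {"process": record["process"], "host": record["host"],
         "method": c.get("method"), "contract": contract_address(c)}
        for c in calls if isinstance(c, dict) and c.get("method") in READ_ONLY_METHODS
    ]


def triage(records):
    """Collect alerts across all records; the contract addresses are the pivot for further hunting."""
    alerts = []
    for r in records:
        alerts.extend(flagged_calls(r))
    return alerts
```

Because the contract addresses surface in the alerts, the same logic can feed a watchlist of contracts to block at the proxy, which is the "point of control" the report describes.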

The inherent nature of smart contracts poses a significant challenge, as they are both public and immutable. Once deployed, their code cannot be removed or blocked by security teams, even if it is flagged as malicious. Network-based security filters, which are designed for traditional web traffic patterns, struggle to effectively analyze and block the decentralized patterns associated with Web3 technologies. The anonymity afforded by cryptocurrency wallet addresses, combined with the extremely low cost of blockchain transactions, allows threat actors to iterate on their tactics rapidly and sustain campaigns indefinitely. Researchers estimated that for UNC5142, updating an entire malware delivery chain costs between 25 cents and $1.50 per transaction, giving these attackers an operational agility that surpasses conventional infrastructure.

Tags: Blockchain, EtherHiding, Google
