Key Takeaways

• North Korean threat actors are now embedding malware in public blockchains via a technique called EtherHiding, making detection and takedown much harder.
• The attack chain typically begins with social engineering — fake job interviews — and progresses to on-chain smart contracts that host payloads.
• Because smart contracts can be read without visible transaction logs, these malware campaigns carry a stealth advantage.
• To defend, organizations should control script execution, restrict risky file downloads, and isolate unfamiliar code in sandboxed environments.

---

North Korean hackers, affiliated with a group tracked as UNC5342, have adopted a sophisticated tactic called EtherHiding to distribute malware via public blockchains. According to the Google Threat Intelligence Group (GTIG), this marks a notable shift: it’s the first time a state-backed actor has been observed using this method. North Korea has become something of a savant nation in terms of using crypto and related tech as a means to gain vasts amounts of wealth. Does having access to nuclear weapons means zero repurcusions for your actions? Apparently.

What is EtherHiding

EtherHiding was first described in 2023 by Guardio Labs as a technique where malicious payloads are embedded inside smart contracts on blockchains like Ethereum or Binance Smart Chain. The malware isn’t stored in a traditional server, but inside the code of a smart contract, retrievable through read-only calls that do not leave transaction logs. This makes the method resistant to takedowns and highly stealthy.

In this new campaign, the smart contracts host a JavaScript downloader called JADESNOW. The malware chain unfolds roughly like this:

1. The victim is lured via a fake job-interview process managed by fictitious entities (e.g. “BlockNovas LLC,” “SoftGlide LLC”).
2. The victim runs code ostensibly for a technical assessment. That code executes a JavaScript downloader.
3. JADESNOW queries the smart contract on Ethereum or BNB Smart Chain to fetch additional payloads — these payloads can evolve over time via contract updates.
4. The payload may then deploy InvisibleFerret (a known espionage tool) or credential stealers targeting browser-stored data (e.g. wallets, passwords) and exfiltrate data.

Because the smart contract can be updated over time by the operator — GTIG observed more than 20 updates in just four months — the attacker can change what gets delivered without touching a central infrastructure. These updates reportedly cost only about $1.37 per gas transaction.

GTIG described the decision to use multiple blockchains (Ethereum and BNB) as potentially reflecting “operational compartmentalization between teams of North Korean cyber operators.”

Why This Matters

This technique complicates detection and response in several ways:

• Transparency becomes a weakness. Blockchains are, by design, visible and immutable. But here attackers exploit that transparency: read access is enough to fetch malicious content.
• No traditional server to shut down. Because payloads live in smart contracts, there is no central server or domain to take down or block.
• Low cost, high flexibility. The attacker can update the code at minimal cost, enabling dynamic payload changes without building new infrastructure.
• Blended attack vector. The campaign ties together social engineering (fake interviews) with on-chain techniques, bridging old and new malware methods.

If you’re a software or web developer, you’re particularly at risk: the operation specifically targets those in tech fields, baiting them with attractive job prospects.

What Defenders Can Do

GTIG offers guidance that organizations and individuals can follow to reduce risk:

• Sandbox unfamiliar code. When asked to run unknown scripts (especially in interview processes), do so in isolated or virtualized environments that can’t affect production systems.
• Restrict risky file types. Enterprises using Chrome Enterprise should limit automatic downloads or execution of files with extensions like .EXE, .MSI, .BAT, .DLL.
• Control browser updates and scripts. Maintain strict management over browsers and block or audit script execution from unknown sources.
• Apply web access controls. Segment and limit web access for unverified external actors and disable unnecessary scripting or web features when possible.
• Monitor contract activity. While smart contracts themselves can’t be deleted, monitoring for contract updates (especially on seemingly benign contracts) may offer clues to suspicious behavior.

Even though EtherHiding represents a novel frontier in malware, its roots remain in familiar attack techniques — phishing, social engineering, and credential stealing. In this case, though, the malicious payloads are hidden in plain sight.

If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.

Don’t forget the collocated MSP Expo – just for managed service providers!

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing