{"id":25377,"date":"2025-10-17T22:46:03","date_gmt":"2025-10-18T02:46:03","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=25377"},"modified":"2025-10-17T22:47:27","modified_gmt":"2025-10-18T02:47:27","slug":"when-hackers-write-smart-contracts-north-koreas-use-of-etherhiding","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/when-hackers-write-smart-contracts-north-koreas-use-of-etherhiding.html","title":{"rendered":"When Hackers Write Smart Contracts: North Korea\u2019s Use of EtherHiding"},"content":{"rendered":"\n<p><strong>Key Takeaways<\/strong><\/p>\n\n\n\n<ul>\n<li>North Korean threat actors are now embedding malware in public blockchains via a technique called EtherHiding, making detection and takedown much harder.<\/li>\n\n\n\n<li>The attack chain typically begins with social engineering \u2014 fake job interviews \u2014 and progresses to on-chain smart contracts that host payloads.<\/li>\n\n\n\n<li>Because smart contracts can be read without visible transaction logs, these malware campaigns carry a stealth advantage.<\/li>\n\n\n\n<li>To defend, organizations should control script execution, restrict risky file downloads, and isolate unfamiliar code in sandboxed environments.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>North Korean hackers, affiliated with a group tracked as UNC5342, have adopted a sophisticated tactic called EtherHiding to distribute malware via public blockchains. According to the Google Threat Intelligence Group (GTIG), this marks a notable shift: it\u2019s the first time a state-backed actor has been observed using this method. North Korea has become something of a savant nation in terms of using crypto and related tech as a means to gain vast amounts of wealth. Does having access to nuclear weapons mean zero repercussions for your actions? 
Apparently.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is EtherHiding<\/h2>\n\n\n\n<p>EtherHiding was first described in 2023 by Guardio Labs as a technique where malicious payloads are embedded inside smart contracts on blockchains like Ethereum or Binance Smart Chain. The malware isn\u2019t stored in a traditional server, but inside the code of a smart contract, retrievable through read-only calls that do not leave transaction logs. This makes the method resistant to takedowns and highly stealthy.<\/p>\n\n\n\n<p>In this new campaign, the smart contracts host a JavaScript downloader called JADESNOW. The malware chain unfolds roughly like this:<\/p>\n\n\n\n<ol>\n<li>The victim is lured via a fake job-interview process managed by fictitious entities (e.g. \u201cBlockNovas LLC,\u201d \u201cSoftGlide LLC\u201d).<\/li>\n\n\n\n<li>The victim runs code ostensibly for a technical assessment. That code executes a JavaScript downloader.<\/li>\n\n\n\n<li>JADESNOW queries the smart contract on Ethereum or BNB Smart Chain to fetch additional payloads \u2014 these payloads can evolve over time via contract updates.<\/li>\n\n\n\n<li>The payload may then deploy InvisibleFerret (a known espionage tool) or credential stealers targeting browser-stored data (e.g. wallets, passwords) and exfiltrate data.<\/li>\n<\/ol>\n\n\n\n<p>Because the smart contract can be updated over time by the operator \u2014 GTIG observed more than 20 updates in just four months \u2014 the attacker can change what gets delivered without touching a central infrastructure. 
These updates reportedly cost only about $1.37 per gas transaction.<\/p>\n\n\n\n<p>GTIG described the decision to use multiple blockchains (Ethereum and BNB) as potentially reflecting \u201coperational compartmentalization between teams of North Korean cyber operators.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why This Matters<\/h2>\n\n\n\n<p>This technique complicates detection and response in several ways:<\/p>\n\n\n\n<ul>\n<li><strong>Transparency becomes a weakness.<\/strong> Blockchains are, by design, visible and immutable. But here attackers exploit that transparency: read access is enough to fetch malicious content.<\/li>\n\n\n\n<li><strong>No traditional server to shut down.<\/strong> Because payloads live in smart contracts, there is no central server or domain to take down or block.<\/li>\n\n\n\n<li><strong>Low cost, high flexibility.<\/strong> The attacker can update the code at minimal cost, enabling dynamic payload changes without building new infrastructure.<\/li>\n\n\n\n<li><strong>Blended attack vector.<\/strong> The campaign ties together social engineering (fake interviews) with on-chain techniques, bridging old and new malware methods.<\/li>\n<\/ul>\n\n\n\n<p>If you\u2019re a software or web developer, you\u2019re particularly at risk: the operation specifically targets those in tech fields, baiting them with attractive job prospects.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Defenders Can Do<\/h2>\n\n\n\n<p>GTIG offers guidance that organizations and individuals can follow to reduce risk:<\/p>\n\n\n\n<ul>\n<li><strong>Sandbox unfamiliar code.<\/strong> When asked to run unknown scripts (especially in interview processes), do so in isolated or virtualized environments that can\u2019t affect production systems.<\/li>\n\n\n\n<li><strong>Restrict risky file types.<\/strong> Enterprises using Chrome Enterprise should limit automatic downloads or execution of files with extensions like .EXE, .MSI, .BAT, 
.DLL.<\/li>\n\n\n\n<li><strong>Control browser updates and scripts.<\/strong> Maintain strict management over browsers and block or audit script execution from unknown sources.<\/li>\n\n\n\n<li><strong>Apply web access controls.<\/strong> Segment and limit web access for unverified external actors and disable unnecessary scripting or web features when possible.<\/li>\n\n\n\n<li><strong>Monitor contract activity.<\/strong> While smart contracts themselves can\u2019t be deleted, monitoring for contract updates (especially on seemingly benign contracts) may offer clues to suspicious behavior.<\/li>\n<\/ul>\n\n\n\n<p>Even though EtherHiding represents a novel frontier in malware, its roots remain in familiar attack techniques \u2014 phishing, social engineering, and credential stealing. In this case, though, the malicious payloads are hidden in plain sight.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft\"><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\"><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"136\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\" alt=\"\" class=\"wp-image-20657\"\/><\/a><\/figure><\/div>\n\n\n<p>If you liked this post, you\u2019ll love one of the leading global business communications and technology events since 1999, the&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO #TECHSUPERSHOW<\/a>, Feb 10-12, 2026, Fort Lauderdale, Florida.<\/p>\n\n\n\n<p>Don\u2019t forget the collocated&nbsp;<a href=\"http:\/\/www.mspexpo.com\/\">MSP Expo<\/a>&nbsp;\u2013 just for managed service providers!<\/p>\n\n\n\n<p><em>Aside from his role as CEO of&nbsp;<a href=\"http:\/\/www.tmcnet.com\/\">TMC<\/a>&nbsp;and chairman of&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO<\/a>&nbsp;#TECHSUPERSHOW Feb 10-12, 2026,&nbsp;Rich Tehrani is CEO of&nbsp;<a href=\"https:\/\/www.rt-advisors.com\/\">RT Advisors<\/a>&nbsp;and a 
Registered Representative (investment banker) with and offering securities through&nbsp;<a href=\"https:\/\/www.4pointscapital.com\/\">Four Points Capital Partners LLC&nbsp;<\/a>(Four Points) (Member FINRA\/SIPC). He handles capital\/debt raises as well as M&amp;A. RT Advisors is not owned by Four Points.<\/em><\/p>\n\n\n\n<p>The above is not an endorsement or recommendation to buy\/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.<\/p>\n\n\n\n<p>The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.<\/p>\n\n\n\n<p><em>Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways North Korean hackers, affiliated with a group tracked as UNC5342, have adopted a sophisticated tactic called EtherHiding to distribute malware via public blockchains. According to the Google Threat Intelligence Group (GTIG), this marks a notable shift: it\u2019s the first time a state-backed actor has been observed using this method. 
North Korea has become<\/p>\n","protected":false},"author":44,"featured_media":23986,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/25377"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=25377"}],"version-history":[{"count":2,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/25377\/revisions"}],"predecessor-version":[{"id":25379,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/25377\/revisions\/25379"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/23986"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=25377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=25377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=25377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}