cloud.google.com
North Korean Hackers Utilize EtherHiding for Cryptocurrency Theft
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Google Threat Intelligence Group (GTIG) reports that North Korean threat actor UNC5342 has adopted a new technique called EtherHiding to deliver malware and facilitate cryptocurrency theft. This method embeds malicious payloads within smart contracts on public blockchains like Ethereum and Binance Smart Chain. Since February 2025, UNC5342 has been using EtherHiding in a campaign known as Contagious Interview, which employs social engineering tactics such as fake job interviews to compromise victims. The JADESNOW malware is utilized to download a JavaScript variant of INVISIBLEFERRET, leading to significant cryptocurrency heists. EtherHiding allows attackers to update their payloads stealthily and at minimal cost, complicating detection and mitigation efforts. The technique's use of read-only calls ensures that no transaction history is visible on the blockchain, enhancing anonymity. The campaign has shown operational compartmentalization, with updates to the smart contracts occurring frequently and at low costs.
Key Points: • North Korean hackers are using EtherHiding to deliver malware via public blockchains. • The Contagious Interview campaign employs social engineering tactics to compromise victims. • EtherHiding allows for stealthy payload updates and complicates detection efforts.