
North Korean Hackers Utilize EtherHiding for Cryptocurrency Theft

Severity: High (Score: 75.6)

Sources: www.bleepingcomputer.com, cloud.google.com

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: etherhiding, threat, dprk, google, gtig, north, deliver

Summary

The Google Threat Intelligence Group (GTIG) reports that North Korean threat actor UNC5342 has adopted a new technique called EtherHiding to deliver malware and facilitate cryptocurrency theft. This method embeds malicious payloads within smart contracts on public blockchains like Ethereum and Binance Smart Chain. Since February 2025, UNC5342 has been using EtherHiding in a campaign known as Contagious Interview, which employs social engineering tactics such as fake job interviews to compromise victims. The JADESNOW malware is used to download a JavaScript variant of INVISIBLEFERRET, leading to significant cryptocurrency heists. EtherHiding allows attackers to update their payloads stealthily and at minimal cost, complicating detection and mitigation efforts. The technique's use of read-only calls ensures that no transaction history is visible on the blockchain, enhancing anonymity. The campaign has shown operational compartmentalization, with updates to the smart contracts occurring frequently and at low cost.

Key Points:

  • North Korean hackers are using EtherHiding to deliver malware via public blockchains.
  • The Contagious Interview campaign employs social engineering tactics to compromise victims.
  • EtherHiding allows for stealthy payload updates and complicates detection efforts.

Detailed Analysis

**Impact**

North Korean threat actor UNC5342 targets software and web developers globally through social engineering campaigns built around fake job interviews. The attacks have resulted in multiple cryptocurrency thefts, specifically targeting credentials and wallets such as MetaMask and Phantom. The campaigns affect individuals in the software development and cryptocurrency sectors, with potential data loss including passwords, credit card details, and crypto wallet information. The operational scope includes compromised legitimate websites used as infection vectors.

**Technical Details**

The attack chain begins with social engineering via fake job interviews, leveraging compromised WordPress sites or fabricated entities to deliver a JavaScript loader script. The loader fetches malicious payloads embedded in smart contracts on public blockchains (Ethereum and Binance Smart Chain) using stealthy read-only calls (eth_call), which leave no transaction record on chain. The main malware includes JADESNOW, a JavaScript downloader that retrieves a JavaScript variant of INVISIBLEFERRET, which executes in memory and enables credential theft and remote command execution. The smart contracts have been updated over 20 times, indicating flexible payload management. No specific CVEs are mentioned.

**Recommended Response**

Implement strict download restrictions on risky file types (.EXE, .MSI, .BAT, .DLL) and enforce full administrative control over browser updates, especially in Chrome Enterprise environments. Apply strict web access and script execution policies to reduce exposure to malicious JavaScript. Monitor for unusual blockchain-related network activity and suspicious smart contract interactions. Educate users to verify job offers carefully and test all downloaded files in isolated environments before execution.
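The monitoring recommendation above is concrete enough to script: because the loader retrieves its payload with `eth_call`, the only network trace on the victim side is a JSON-RPC POST to a blockchain RPC endpoint whose `to` field names the contract. The following is an added defender-side example (not code from GTIG or the source articles) that parses constructed egress-proxy log lines, pulls the `to` address out of every `eth_call` request, and raises a high-severity alert when it matches a watchlist seeded with the two contract addresses listed under "Related entities" on this page, and a low-severity note for any other `eth_call` so that analysts can baseline which hosts legitimately talk to RPC nodes. The log format (`time host verb url body`) and the hostnames are assumptions made for the example.

```python
import json
from collections import Counter

# Contract addresses taken from this page's "Related entities" list, used as a watchlist.
WATCHLIST = {
    "0x8eac3198dd72f3e07108c4c7cff43108ad48a71c",
    "0x9bc1355344b54dedf3e44296916ed15653844509",
}

# Constructed sample egress-proxy log lines (hypothetical format: time host verb url body).
# Addresses are compared case-insensitively because clients may send checksummed (mixed-case) hex.
SAMPLE_LOGS = [
    '2026-05-26T10:01:02Z dev-ws-17 POST https://rpc.example.invalid/ '
    '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x9BC1355344B54DEDF3E44296916ED15653844509","data":"0x2e64cec1"},"latest"]}',
    '2026-05-26T10:01:03Z dev-ws-17 POST https://rpc.example.invalid/ '
    '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    '2026-05-26T10:02:10Z dev-ws-42 POST https://rpc.example.invalid/ '
    '{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x06fdde03"},"latest"]}',
    '2026-05-26T10:03:00Z dev-ws-42 GET https://intranet.example.invalid/ -',
    '2026-05-26T10:04:15Z dev-ws-07 POST https://rpc.example.invalid/ not-json',
]


def parse_line(line):
    """Split one log line into fields and decode the JSON-RPC body; None if not a JSON object."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    ts, host, verb, url, body = parts
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(rpc, dict):
        return None
    return {"ts": ts, "host": host, "verb": verb, "url": url, "rpc": rpc}


def eth_call_target(rpc):
    """Return the lowercase contract address an eth_call is directed at, or None for other methods."""
    if rpc.get("method") != "eth_call":
        return None
    params = rpc.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    to = params[0].get("to")
    return to.lower() if isinstance(to, str) else None


def scan(lines):
    """Return (alerts, eth_call counts per host) for a list of proxy log lines."""
    alerts = []
    eth_calls_per_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        to = eth_call_target(rec["rpc"])
        if to is None:
            continue
        eth_calls_per_host[rec["host"]] += 1
        # Watchlist hit: read-only call to a contract known to host a payload.
        # Anything else is recorded at "info" so the SOC can baseline legitimate RPC use.
        severity = "high" if to in WATCHLIST else "info"
        alerts.append({"ts": rec["ts"], "host": rec["host"], "contract": to, "severity": severity})
    return alerts, eth_calls_per_host


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOGS)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']} eth_call -> {a['contract']}")
    print("eth_call volume per host:", dict(counts))
```

Feed it real proxy or EDR network logs by replacing `SAMPLE_LOGS` with a file iterator; the watchlist should be refreshed from current reporting, since the page notes the contracts have been updated more than 20 times and a fixed address list will age quickly. The per-host counter matters as much as the watchlist: a developer workstation that starts issuing `eth_call` requests when it never did before is a useful signal even when the contract address is new.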

Source articles (2)

  • Dprk Adopts Etherhiding — cloud.google.com · 2026-05-26
    Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has obs…
  • EtherHiding — www.bleepingcomputer.com · 2026-05-26
    North Korean hackers have adopted the 'EtherHiding' technique that leverages smart contracts to host and deliver malware in social engineering campaigns that steal cryptocurrency. Google Threat Intell…

Timeline

  • 2023-09-01 — EtherHiding technique first described: Guardio Labs introduced EtherHiding as a method for embedding malware in smart contracts.
  • 2025-02-01 — UNC5342 begins using EtherHiding: North Korean threat actor UNC5342 starts employing EtherHiding in their Contagious Interview operations.
  • 2026-05-26 — GTIG publishes findings on EtherHiding: Google Threat Intelligence Group releases a detailed report on the use of EtherHiding by North Korean hackers.

Related entities

  • Unc5142 (Apt Group)
  • Unc5342 (Apt Group)
  • Malware (Attack Type)
  • Contagious Interview (Campaign)
  • North Korea (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c (Eth)
  • 0x9bc1355344b54dedf3e44296916ed15653844509 (Eth)
  • Financial (Industry)
  • Technology (Industry)
  • BeaverTail (Malware)
  • ClearFake (Malware)
  • InvisibleFerret (Malware)
  • Jadesnow (Malware)
  • Lumastealer (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Binance Smart Chain (Platform)
  • BNB Smart Chain (Platform)
  • Discord (Platform)
  • Linux (Platform)
  • MacOS (Platform)
  • MetaMask (Platform)
  • Phantom (Platform)
  • Telegram (Platform)
  • Windows (Platform)
  • WordPress (Platform)
  • GitHub (Platform)
  • Ethereum (Company)
  • Google Chrome (Tool)
  • Binplorer (Tool)
  • Npm (Tool)
  • 01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7 (Sha256)
  • 970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628 (Sha256)