North Korean Hackers Utilize EtherHiding for Cryptocurrency Theft

North Korean Hackers Utilize EtherHiding for Cryptocurrency Theft

First seen 26 May 2026, 17:43 UTC cloud.google.comwww.bleepingcomputer.com 86% similarity 75.6

Article Content

Browse articles
ThreatCluster

The Google Threat Intelligence Group (GTIG) reports that North Korean threat actor UNC5342 has adopted a new technique called EtherHiding to deliver malware and facilitate cryptocurrency theft. This method embeds malicious payloads within smart contracts on public blockchains like Ethereum and Binance Smart Chain. Since February 2025, UNC5342 has been using EtherHiding in a campaign known as Contagious Interview, which employs social engineering tactics such as fake job interviews to compromise victims. The JADESNOW malware is utilized to download a JavaScript variant of INVISIBLEFERRET, leading to significant cryptocurrency heists. EtherHiding allows attackers to update their payloads stealthily and at minimal cost, complicating detection and mitigation efforts. The technique's use of read-only calls ensures that no transaction history is visible on the blockchain, enhancing anonymity. The campaign has shown operational compartmentalization, with updates to the smart contracts occurring frequently and at low costs.

Key Points: • North Korean hackers are using EtherHiding to deliver malware via public blockchains. • The Contagious Interview campaign employs social engineering tactics to compromise victims. • EtherHiding allows for stealthy payload updates and complicates detection efforts.

ThreatCluster AI

Timeline

2023-09-01
EtherHiding technique first described
Guardio Labs introduced EtherHiding as a method for embedding malware in smart contracts.
BleepingComputer
2025-02-01
UNC5342 begins using EtherHiding
North Korean threat actor UNC5342 starts employing EtherHiding in their Contagious Interview operations.
cloud.google.com
2026-05-26
GTIG publishes findings on EtherHiding
Google Threat Intelligence Group releases a detailed report on the use of EtherHiding by North Korean hackers.
cloud.google.com

Community

Browse all →