- A North Korean-linked Hacking group has used the EtherHiding method to spread Malware and steal cryptocurrency.
- The campaign targets developers on LinkedIn, then uses Telegram or Discord to deliver malicious code.
- EtherHiding stores harmful code inside blockchain smart contracts, making it hard to remove or trace.
- The attack affects Windows, macOS, and Linux with multiple malware families, including backdoors and data stealers.
- This marks the first time a state-sponsored actor has employed EtherHiding, highlighting a shift in cyberattack techniques.
A threat group connected to North Korea has employed the EtherHiding technique to distribute malware and steal cryptocurrency. This activity, observed by the Google Threat Intelligence Group (GTIG), began in February 2025. The group, known in different security communities by names such as UNC5342 and Famous Chollima, targets developers through LinkedIn before moving conversations to platforms like Telegram or Discord to deploy malicious code.
The campaign, called Contagious Interview, aims to gain unauthorized access to developers’ devices, exfiltrate sensitive information, and illegally acquire cryptocurrency assets. EtherHiding works by embedding harmful code in blockchain smart contracts on networks like Ethereum or BNB Smart Chain. This lets the attackers use the blockchain as a decentralized dead drop resolver, a way to exchange data that is resistant to takedown or tracing efforts.
Google noted that EtherHiding makes use of the blockchain’s pseudonymous transactions to hide who deploys the contracts. The attackers can also update the malware at any time, paying an average blockchain fee of about $1.37. Robert Wallace, a consulting leader at Mandiant, Google Cloud, said in a statement, “This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns.”
Following social engineering steps, the infection targets Windows, macOS, and Linux using several malware types: an initial downloader disguised as npm packages, BeaverTail (a JavaScript stealer that collects cryptocurrency wallets and credentials), JADESNOW (a downloader using EtherHiding), and InvisibleFerret (a Python backdoor enabling remote access and persistent data theft). The backdoor specifically targets wallets like MetaMask and Phantom and password managers such as 1Password.
Google described EtherHiding as a move toward advanced bulletproof Hosting, where blockchain features are exploited for malicious purposes. This underscores ongoing cyber threat evolution as attackers adopt new technologies for their activities.
For more details, see the public report from the Google Threat Intelligence Group here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Ethereum Nears 100x Capacity Boost With Real-Time Proving Tech
- EU Regulators Tighten Tesla Door Safety Rules After Crash Concerns
- Bitcoin Climbs After Flash Crash as Fed Signals Dovish Shift
- MoonPay Unveils Unified Crypto Payments Platform for Merchants
- Kremlin: Russia Has No Intention to Challenge the US Dollar
