
Etherhiding: How North Korean Hackers Are Hiding Malware on the Blockchain

  • November 3, 2025

Hiding Malware on the Blockchain
Usually, when malware is discovered online, there’s a race to find the home base server and shut it down. But North Korean hackers have just made that impossible. Their latest campaign takes the familiar tricks of phishing, social engineering, and data theft, and anchors them in one place no one can shut down: the blockchain.
Because the blockchain is a public record shared across thousands of computers, there is no single server to find. Once written, the malicious payload is permanent, and it can’t be deleted.
It is called EtherHiding, and it is being deployed by a North Korean hacker group that Google’s Threat Intelligence team tracks as UNC5342.
And it’s cheap.

The Shift

For years, cybercriminals have used cloud servers, hacked websites, or code repositories to deliver malware. Each of those has a weakness: they can be deleted, blocked, or traced. EtherHiding changes that equation. Instead of hosting payloads on the open web, attackers upload them directly into smart contracts on blockchains like BNB Smart Chain and Ethereum.

Once embedded, those malicious fragments live forever. The malware fetches them through blockchain read calls, stitches the pieces together, and executes them on a victim’s device. The blockchain is no longer just a storage layer; it has become part of the attack surface.

Fake Interviews

The UNC5342 campaign begins with a familiar lure: fake job interviews. Posing as recruiters from global companies, the attackers send coding challenges and test projects to targeted developers. Hidden inside these tasks are snippets of code that reach into the blockchain, pull down a malicious script called JADESNOW, and quietly install a backdoor known as INVISIBLEFERRET.

Once active, the malware scrapes browser credentials, session cookies, and hot-wallet data from extensions like MetaMask and Phantom. It is designed for theft. It goes after passwords, cryptocurrency, and anything else of value that lives in your browser.

Mandiant found that the attackers can update their payloads on-chain at will for less than $1.50 per change. No need for a new domain, no server migration, no DNS trail. Just a cheap blockchain transaction and a new batch of malware ready to deploy.

Why It Is So Hard to Stop

When malicious data lives on the blockchain, traditional takedown methods do not work. There is no central server to seize and no IP to block. The blockchain ledger is immutable. Once data is written, it stays there forever.

That does not mean defenders are helpless. The attackers still rely on intermediary layers such as web services, compromised sites, and blockchain API providers that relay the data. Security teams can block access to known malicious contract addresses, pressure API providers to restrict endpoints, and monitor read requests for suspicious patterns. Google’s Threat Intelligence Group has already worked with several providers to do exactly that.
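The monitoring of read requests described above, as an added example that is not part of the article or of Google’s or Mandiant’s tooling. It assumes an egress proxy or RPC gateway logs each JSON-RPC request as one JSON object per line with `src`, `provider` and `body` fields; the contract addresses and log lines are constructed placeholders, not real indicators.

```python
"""Flag blockchain read calls aimed at blocklisted contracts (added example).
Assumes an egress proxy logs one JSON object per line: src, provider, body
(the raw JSON-RPC request). Addresses and log lines are constructed."""
import json
from collections import Counter
BLOCKLIST = {"0x000000000000000000000000000000000000dead"}  # constructed placeholder
READ_METHODS = {"eth_call", "eth_getStorageAt"}
BURST_THRESHOLD = 3  # reads of one contract from one host before we alert

SAMPLE_LOG = """\
{"src":"10.0.0.5","provider":"rpc.provider.test","body":{"method":"eth_blockNumber","params":[]}}
{"src":"10.0.0.5","provider":"rpc.provider.test","body":{"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000DEAD","data":"0x6d4ce63c"},"latest"]}}
{"src":"10.0.0.5","provider":"rpc.provider.test","body":{"method":"eth_getStorageAt","params":["0x000000000000000000000000000000000000dead","0x0","latest"]}}
{"src":"10.0.0.9","provider":"rpc.provider.test","body":{"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000beef","data":"0x20965255"},"latest"]}}
{"src":"10.0.0.9","provider":"rpc.provider.test","body":{"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000beef","data":"0x20965255"},"latest"]}}
{"src":"10.0.0.9","provider":"rpc.provider.test","body":{"method":"eth_call","params":[{"to":"0x000000000000000000000000000000000000beef","data":"0x20965255"},"latest"]}}
"""

def parse_line(line):
    """Return (src, provider, method, contract) for a read call, else None."""
    rec = json.loads(line)
    body = rec["body"]
    method = body.get("method")
    if method not in READ_METHODS:
        return None
    params = body.get("params") or []
    # eth_call carries the contract in params[0]["to"]; eth_getStorageAt in params[0].
    target = params[0].get("to") if params and isinstance(params[0], dict) else (params[0] if params else None)
    if not isinstance(target, str):
        return None
    return rec["src"], rec["provider"], method, target.lower()  # normalise checksum case

def scan(log_text):
    """Return findings: reads of blocklisted contracts and per-host read bursts."""
    findings, reads = [], Counter()
    for line in filter(None, log_text.splitlines()):
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, provider, method, contract = parsed
        reads[(src, contract)] += 1
        if contract in BLOCKLIST:
            findings.append({"type": "blocklisted_contract", "src": src,
                             "provider": provider, "method": method, "contract": contract})
    # Repeated reads of one contract look like a loader fetching payload fragments.
    for (src, contract), n in reads.items():
        if n >= BURST_THRESHOLD:
            findings.append({"type": "read_burst", "src": src, "contract": contract, "count": n})
    return findings
```

The burst rule catches reads of contracts not yet on any blocklist, which matters because the text notes payloads can be moved on-chain cheaply and at will.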

So while the blockchain makes malware harder to erase, it is not invisible. Every malicious transaction leaves a public trace. The challenge now is less about deletion and more about detection.

The Bigger Picture

North Korea’s adoption of EtherHiding is not a random experiment. It represents a strategic evolution. By moving payloads on-chain, their operations gain resilience, anonymity, and low cost. It also sends a message to other state-backed groups: the blockchain is not just a financial tool anymore; it is an infrastructure layer for covert operations.

Cyber defenders are being forced to rethink their frameworks. The line between decentralized technology and malicious infrastructure is blurring fast. Blocking a malicious smart contract is not as simple as blacklisting a domain. It demands coordination between blockchain providers, security firms, and even exchanges.

In Conclusion

The EtherHiding campaign proves something bigger than the sum of its code. It shows that the blockchain’s permanence, its greatest feature, can also be its most dangerous flaw.

Attackers have found a way to weaponize immutability, and for the first time, a nation-state actor is doing it at scale.
Cybersecurity is entering its decentralized era. If defenders don’t learn the blockchain as fast as attackers do, the next generation of malware will live forever in plain sight.

About Author

Mike Agoya

I'm a blockchain developer, a researcher & most importantly, an enthusiast. When I'm not writing, you'll find me on my phone or at the movies. But on a good day, I'll be outside training for a marathon.
