North Korean hackers hide crypto-theft malware inside smart contracts

The post North Korean hackers hide crypto-theft malware inside smart contracts appeared on BitcoinEthereumNews.com.

North Korean hackers are now using a blockchain-based method known as EtherHiding to deliver malware to facilitate their crypto theft operations. According to experts, a North Korean hacker was discovered using this method, where attackers embed codes like JavaScript Payloads inside a blockchain-based smart contract. Using the method, the hackers turn the decentralized ledger into a resilient command-and-control (C2). According to a published blog post by Google Threat Intelligence Group (GTIG), this is the first time that it has observed an actor of this scale using this method. It claimed that using EtherHiding is convenient in the face of conventional takedown and blocklisting efforts. The threat intelligence group mentioned that it has been tracking threat actor UNC5342 since February 2025, integrating EtherHiding into an ongoing social engineering campaign. North Korean hackers turn to EtherHiding Google mentioned that it has linked the usage of EtherHiding to a social engineering campaign tracked by Palo Alto Networks as Contagious Interview. The Contagious Interview was carried out by North Korean actors. According to Socket researchers, the group expanded its operation with a new malware loader, XORIndex. The loader has accumulated thousands of downloads, with the targets being job seekers and individuals believed to own digital assets or sensitive credentials. In this campaign, the North Korean hackers use JADESNOW malware to distribute a JavaScript variant of INVISIBLEFERRET, which has been used to carry out so many cryptocurrency thefts. The campaign targets developers in the crypto and technology industries, stealing sensitive data, digital assets, and gaining access to corporate networks. It also centers around a social engineering tactic that copies legitimate recruitment processes using fake recruiters and fabricated companies. Fake recruiters are used to lure candidates to platforms like Telegram or Discord. After that, the malware is then delivered to their systems and devices through fake…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ October 18, 2025 11:24 am