Nation-state hackers deliver malware from “bulletproof” blockchains

Smart contracts typically cost less than $2 per transaction to create or modify, a huge cost and labor savings compared to more traditional malware delivery methods.

In addition to the EtherHiding observed by Google, there was a social engineering campaign that used recruitment for fictitious jobs to lure victims, many of whom were developers of cryptocurrency apps or other online services. As part of the selection process, candidates had to pass a test demonstrating their coding or code-review skills. The files required to run the tests contained malicious code.

Illustration of UNC5342 EtherHiding flow.

The infection process is based on a chain of malware that is installed in stages. The later stages, which execute the final payload, are retrieved from smart contracts that the hackers store on the Ethereum and BNB Smart Chain blockchains, both of which let anyone download the stored data.

One of the groups observed by Google, a North Korea-backed team tracked as UNC5342, is using early-stage malware, tracked as JadeSnow, to extract late-stage malware from the BNB and Ethereum blockchains. Google researchers noted:

It is unusual to see an attacker using multiple blockchains for EtherHiding activities; this may indicate operational fragmentation among North Korean cyber operations teams. Finally, campaigns often take advantage of the flexible nature of EtherHiding to update the infection chain and change payload delivery locations. In one transaction, the JADESNOW loader can switch from receiving payloads from Ethereum to receiving them from BNB Smart Chain. This switch not only makes analysis more difficult, but also reduces the transaction fees offered by alternative networks.
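The staged retrieval described above, and the switch between chains the researchers mention, leave a footprint a defender can look for: a host issuing read-only contract calls (the standard JSON-RPC `eth_call` method) to public RPC endpoints, where the returned data decodes to script-like text rather than the numbers or addresses contracts normally return. The following Python is an added detection sketch, not code from Google's report or from the campaign; the RPC hostnames, the contract address, the function selector, the allow-list and the log records are all constructed for the example, and the ABI string decoding follows the standard Ethereum ABI layout (32-byte offset, 32-byte length, padded bytes).

```python
import json
import re

# Constructed mapping of RPC hostnames to chains (placeholders, not real endpoints).
RPC_HOST_CHAIN = {
    "eth-rpc.example.invalid": "ethereum",
    "bnb-rpc.example.invalid": "bnb-smart-chain",
}

# Hypothetical allow-list of hosts that legitimately talk to blockchain RPC endpoints.
KNOWN_WEB3_HOSTS = {"build-agent-07"}

# Tokens that rarely appear in a legitimate on-chain string value but are typical
# of a script stage being fetched as contract data.
SCRIPT_MARKERS = re.compile(r"eval\(|atob\(|Function\(|document\.|fetch\(|XMLHttpRequest")


def encode_abi_string(text: str) -> str:
    """ABI-encode a single `string` return value (used here only to build sample data)."""
    raw = text.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex()
    return "0x" + head + padded.hex()


def decode_abi_string(result_hex: str):
    """Decode an eth_call result that is a single ABI-encoded `string`; None otherwise."""
    try:
        data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    except ValueError:
        return None
    if len(data) < 64:  # a lone uint256/address is 32 bytes and cannot be a string
        return None
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        return None
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        return None
    try:
        return data[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def analyze(records):
    """Flag eth_call results that decode to script-like text, and flag a host that
    reads contract data from more than one chain (the chain switch in the article)."""
    findings = []
    chains_per_host = {}
    for rec in records:
        chain = RPC_HOST_CHAIN.get(rec["dst_host"])
        if chain is None:
            continue
        if json.loads(rec["request"]).get("method") != "eth_call":
            continue  # block-number or balance queries are not payload reads
        chains_per_host.setdefault(rec["src_host"], set()).add(chain)
        text = decode_abi_string(json.loads(rec["response"]).get("result", "0x"))
        if text and SCRIPT_MARKERS.search(text):
            findings.append({"src_host": rec["src_host"], "chain": chain,
                             "reason": "eth_call result decodes to script-like text",
                             "allow_listed": rec["src_host"] in KNOWN_WEB3_HOSTS})
    for host, chains in chains_per_host.items():
        if len(chains) > 1 and host not in KNOWN_WEB3_HOSTS:
            findings.append({"src_host": host, "chain": "+".join(sorted(chains)),
                             "reason": "same host reads contract data from multiple chains",
                             "allow_listed": False})
    return findings


def _rpc(method, params):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


def _result(value):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": value})


CONTRACT = "0x" + "11" * 20   # constructed placeholder contract address
SELECTOR = "0xdeadbeef"       # constructed placeholder function selector

# Constructed proxy/EDR records: one developer laptop reads script-like strings from
# both chains; a build agent makes an ordinary numeric contract read.
SAMPLE_RECORDS = [
    {"src_host": "laptop-dev-14", "dst_host": "eth-rpc.example.invalid",
     "request": _rpc("eth_call", [{"to": CONTRACT, "data": SELECTOR}, "latest"]),
     "response": _result(encode_abi_string("var s=document.createElement('script');eval(atob('...'))"))},
    {"src_host": "laptop-dev-14", "dst_host": "bnb-rpc.example.invalid",
     "request": _rpc("eth_call", [{"to": CONTRACT, "data": SELECTOR}, "latest"]),
     "response": _result(encode_abi_string("new Function(atob('...'))()"))},
    {"src_host": "build-agent-07", "dst_host": "eth-rpc.example.invalid",
     "request": _rpc("eth_call", [{"to": CONTRACT, "data": SELECTOR}, "latest"]),
     "response": _result("0x" + "00" * 31 + "2a")},          # uint256 42, not a string
    {"src_host": "laptop-dev-14", "dst_host": "eth-rpc.example.invalid",
     "request": _rpc("eth_blockNumber", []),
     "response": _result("0x1234")},                         # ignored: not eth_call
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample records, the laptop produces three findings (a script-like read on each chain, plus the multi-chain read) while the build agent produces none. The marker regex is deliberately coarse; in production the string-decode check matters more than the markers, because legitimate contract reads almost never return free-form text, let alone text that parses as JavaScript.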

The researchers said they also observed another, financially motivated group, tracked as UNC5142, using EtherHiding.

North Korea's hacking prowess was once considered poor. Over the past decade, the country has carried out a series of high-profile attacks that demonstrate its growing skills, commitment and resources. Two weeks ago, analytics firm Elliptic said that in 2025 the country stole more than $2 billion worth of cryptocurrency.