
North Korean Hackers Exploit EtherHiding Technique to Conceal Malware in Blockchain Smart Contracts

A threat actor with links to North Korea has started employing a technique known as EtherHiding for distributing malware and stealing cryptocurrency. This marks a significant shift, as this technique, which embeds malicious code within smart contracts on public blockchains, has not been previously associated with state-sponsored hacking groups.

Researchers from Google’s Threat Intelligence Group (GTIG) have attributed these activities to a group identified as UNC5342, which has also been referred to by other security firms under various names. The current wave of attacks is part of a long-term campaign dubbed "Contagious Interview," which involves approaching potential targets on LinkedIn and posing as recruiters. The attackers then coax victims into executing harmful code under the guise of job assessments after moving conversations to messaging platforms like Telegram or Discord.

The ultimate goal of these cyber operations is to gain unauthorized access to developers’ systems, pilfer sensitive information, and steal cryptocurrency assets. This approach aligns with North Korea’s dual focus on cyber espionage and financial exploitation.

Since February 2025, UNC5342 has used EtherHiding to create a decentralized dead drop for its malicious payloads, which increases resilience against takedown efforts. The pseudonymous nature of blockchain transactions complicates tracing efforts, and the attackers can modify the hidden code at will and at a low cost.

This development has raised alarms in the cybersecurity community, indicating a dangerous evolution as nation-state actors begin to innovate their phishing strategies. The malware deployed through this scheme can affect multiple operating systems, including Windows, macOS, and Linux.

Attackers use various methods to deliver malware, including utilizing npm packages to initiate an infection chain that eventually downloads more sophisticated threats like BeaverTail, a JavaScript stealer. This particular malware can exfiltrate sensitive information, including cryptocurrency wallets and login credentials.

The infection process prompts victims to execute code that retrieves payloads from malicious smart contracts, creating a multi-layered attack strategy that grows increasingly complex. In summary, North Korea’s embrace of EtherHiding reflects a broader transformation in cyber tactics, allowing them to utilize blockchain technology for nefarious purposes while evading detection.
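A defender's view of the retrieval step described above, as an added example that is not from the original article or from GTIG: it flags read-only Ethereum JSON-RPC requests (the standard way to read data out of a smart contract) made by processes that are not expected blockchain clients. The event fields (`host`, `process`, `dest`, `body`), the allow-list and all sample values are assumptions, and the article does not state which chain or RPC methods the campaign uses.

```python
import json

# Standard Ethereum JSON-RPC methods that read contract or transaction data
# without sending a transaction.
READ_METHODS = {"eth_call", "eth_getTransactionByHash", "eth_getStorageAt"}
# Assumption: processes expected to talk to blockchain RPC endpoints on this fleet.
EXPECTED_PROCESSES = {"chrome", "firefox", "wallet-app"}

def rpc_calls(body):
    """Return (method, contract address) pairs from a JSON-RPC body, single or batch."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    calls = []
    for item in doc if isinstance(doc, list) else [doc]:
        if not isinstance(item, dict) or item.get("jsonrpc") != "2.0":
            continue
        method, params = item.get("method"), item.get("params")
        target = None
        if method == "eth_call" and isinstance(params, list) and params and isinstance(params[0], dict):
            target = params[0].get("to")  # contract being read
        calls.append((method, target))
    return calls

def flag_events(events):
    """Flag contract reads issued by processes that are not expected RPC clients."""
    alerts = []
    for ev in events:
        if ev.get("process") in EXPECTED_PROCESSES:
            continue
        for method, target in rpc_calls(ev.get("body")):
            if method in READ_METHODS:
                alerts.append({"host": ev["host"], "process": ev["process"],
                               "dest": ev["dest"], "method": method, "contract": target})
    return alerts

# Constructed sample events (not real telemetry); hosts and addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "dev-laptop-1", "process": "node", "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x' + "00" * 20 + '","data":"0x"},"latest"]}'},
    {"host": "dev-laptop-2", "process": "chrome", "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x' + "11" * 20 + '"},"latest"]}'},
    {"host": "dev-laptop-3", "process": "node", "dest": "registry.example.invalid",
     "body": '{"name":"left-pad"}'},
    {"host": "dev-laptop-4", "process": "python", "dest": "rpc.example.invalid",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]},'
             '{"jsonrpc":"2.0","id":2,"method":"eth_getTransactionByHash","params":["0x' + "ab" * 32 + '"]}]'},
]
```

This only works where request bodies are visible, for example through a TLS-inspecting proxy or endpoint telemetry; on developer machines that legitimately build blockchain software, the allow-list needs tuning.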

