North Korean state-sponsored hackers slip unremovable malware inside blockchains to steal cryptocurrency — EtherHiding embeds malicious JavaScript payloads in smart contracts on public blockchains

A North Korean state-sponsored hacking crew is now using public blockchains to host malicious payloads, according to new research from Google’s Threat Intelligence Group (GTIG). The campaign, which leverages a technique known as “EtherHiding,” is the first documented case of a nation-state actor adopting smart contract malware delivery to evade detection and disrupt takedowns.

Google attributes the activity to UNC5342, a group it links to the long-running “Contagious Interview” operation targeting developers and cryptocurrency professionals. First observed using EtherHiding in February 2025, UNC5342’s latest toolkit includes a JavaScript downloader dubbed JADESNOW, which fetches and executes a backdoor, INVISIBLEFERRET, directly from data stored on BNB Smart Chain and Ethereum smart contracts.

The group’s payload delivery mechanism hinges on read-only blockchain calls. These requests don’t produce new transactions or leave visible trails in blockchain analytics tools, and because the contracts themselves are immutable, defenders can’t remove the embedded scripts.

In practical terms, the technique allows threat actors to update or swap malware payloads by rewriting contract storage variables on-chain, all without needing to re-compromise distribution sites or clients. While financially motivated actors have previously used this infrastructure, Google says this marks the first time it has seen a state-sponsored crew fold the technique into its operational toolkit.

Google’s report ties the blockchain infrastructure to real-world infections delivered through compromised WordPress sites and social engineering lures, including fake job interviews designed to bait crypto developers. Victims who land on these sites receive the JADESNOW loader, which then reaches out to the on-chain smart contracts, retrieves a JavaScript payload, and runs it locally. That payload in turn launches INVISIBLEFERRET — a full-featured backdoor with remote control that enables long-term espionage and data theft.

While Google does not specify how smart contract data was retrieved, previous EtherHiding research has shown that attackers often rely on standard JSON-RPC calls, which may traverse public or hosted infrastructure. Blocking those services or forcing clients to use self-hosted nodes with policy restrictions could offer interim containment. On the browser side, organizations can enforce strict extension and script execution policies and lock down update workflows to prevent fake Chrome-style alerts from gaining traction.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.