SEOUL — March 22, 2026: A North Korean-linked cyber threat group, tracked as UNC5342, has incorporated blockchain-based infrastructure into its operations by embedding malware within smart contracts on public networks, according to findings from Google Threat Intelligence Group.
The activity represents an evolution in state-linked cyber operations, using decentralized blockchain systems such as Ethereum and BNB Smart Chain to distribute malicious payloads and maintain command-and-control (C2) functionality.
Use of EtherHiding Technique
The method, known as EtherHiding, involves storing encrypted malicious payloads inside blockchain smart contracts. These contracts function as decentralized repositories from which malware retrieves instructions or secondary payloads with read-only queries, without relying on traditional centralized servers.
Security researchers note that this is the first documented instance of a nation-state actor adopting this technique at scale. UNC5342 has been observed using EtherHiding since February 2025, building on earlier criminal use cases identified in 2023.
The approach enables attackers to leverage the immutability and decentralization of blockchain networks, making the hosted malicious code resistant to takedown or disruption.
“Contagious Interview” Campaign
The blockchain-based delivery method is integrated into a broader social engineering campaign known as the “Contagious Interview” operation, which targets software developers, particularly in the cryptocurrency and technology sectors.
The attack chain typically unfolds in multiple stages:
- Initial Contact: Attackers impersonate recruiters on platforms such as LinkedIn or job boards
- Engagement Shift: Conversations are moved to messaging platforms including Telegram or Discord
- Payload Delivery: Victims are asked to complete coding tests or download files from GitHub repositories or malicious npm packages
- Execution: The downloaded files contain a lightweight JavaScript-based downloader known as JADESNOW
Once executed, JADESNOW initiates a read-only query to blockchain explorer APIs such as Blockchair, Ethplorer, or BscScan. These queries retrieve encrypted payloads stored within smart contracts or transaction data. Because the query is read-only, it creates no transaction, costs no gas, and leaves no on-chain record of the retrieval; the only observable artifact is the network request to the API or RPC endpoint.
Malware Payload and Capabilities
The retrieved payloads are typically XOR-encrypted and then Base64-encoded, so the downloader reverses those two steps before execution. After decryption, they deploy secondary malware components, most notably the INVISIBLEFERRET backdoor, available in both JavaScript and Python variants.
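To make the retrieval and decoding chain concrete, here is an added example that is not code from GTIG, from JADESNOW, or from any sample. It emulates, fully offline, what a JADESNOW-style downloader does with the result of an `eth_call` against a staging contract: ABI-decode the returned string, Base64-decode it, and XOR it with a key. The XOR key, the placeholder stage-2 text, the contract getter, and the JSON-RPC "response" are all constructed for the example; no real contract address, key, or payload is reproduced.

```javascript
// Added example, not code from GTIG or from the malware itself. It emulates,
// fully offline, the decode chain described above: take the result of an
// eth_call against the staging contract, ABI-decode the returned string,
// Base64-decode it, XOR it with a key. Key, payload text and "response" below
// are all constructed for illustration.

// XOR a buffer with a repeating key (the encryption layer described above).
const xorBytes = (buf, key) =>
  Buffer.from(buf.map((b, i) => b ^ key[i % key.length]));

// ABI encoding of a single dynamic `string` return value:
//   word 0: offset of the data (always 0x20 for one return value)
//   word 1: byte length of the string
//   word 2..: the bytes, right-padded with zeros to a 32-byte boundary
const abiWord = (n) => n.toString(16).padStart(64, "0");

function abiEncodeString(bytes) {
  const padLen = (32 - (bytes.length % 32)) % 32;
  const padded = Buffer.concat([bytes, Buffer.alloc(padLen)]);
  return "0x" + abiWord(0x20) + abiWord(bytes.length) + padded.toString("hex");
}

function abiDecodeString(hex) {
  const data = Buffer.from(hex.replace(/^0x/, ""), "hex");
  const offset = Number(BigInt("0x" + data.subarray(0, 32).toString("hex")));
  const length = Number(BigInt("0x" + data.subarray(offset, offset + 32).toString("hex")));
  const start = offset + 32;
  // A truncated or malformed RPC response must not be silently decoded.
  if (start + length > data.length) throw new Error("ABI string length exceeds response");
  return data.subarray(start, start + length);
}

// Operator side (hypothetical): what the contract's getter returns once a
// payload has been staged. Used here only to build the sample response.
function stagePayload(plaintext, key) {
  const encrypted = xorBytes(Buffer.from(plaintext, "utf8"), key);
  return abiEncodeString(Buffer.from(encrypted.toString("base64"), "utf8"));
}

// Victim side: the steps described above, applied to a JSON-RPC eth_call
// response. eth_call is read-only: no transaction is created, no gas is spent,
// and nothing about the lookup is recorded on-chain, so the request to the RPC
// or explorer endpoint is the only observable artifact.
function recoverPayload(rpcResponse, key) {
  if (rpcResponse.error) throw new Error("rpc error: " + rpcResponse.error.message);
  const b64 = abiDecodeString(rpcResponse.result).toString("utf8");
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// Constructed sample: a JSON-RPC response shaped like what a public RPC
// endpoint returns for eth_call. Key and stage-2 text are placeholders.
const SAMPLE_KEY = Buffer.from("example-key-not-from-any-sample", "utf8");
const SAMPLE_STAGE2 = 'console.log("stage-2 placeholder, not a real payload")';
const SAMPLE_RPC_RESPONSE = {
  jsonrpc: "2.0",
  id: 1,
  result: stagePayload(SAMPLE_STAGE2, SAMPLE_KEY),
};

// recoverPayload(SAMPLE_RPC_RESPONSE, SAMPLE_KEY) returns SAMPLE_STAGE2.
```

The design point for defenders is in `recoverPayload`: the whole stage happens in memory with nothing written to disk or to the chain, which is why the network request to the RPC or explorer endpoint, rather than a file or an on-chain transaction, is the artifact worth logging.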
INVISIBLEFERRET establishes persistence on the infected system and enables remote control. It is designed to extract:
- Credentials from browsers such as Chrome and Edge
- Data from password managers, including 1Password
- Cryptocurrency wallet information from applications such as MetaMask and Phantom
Collected data is compressed into archive files and exfiltrated to attacker-controlled infrastructure, including remote servers or Telegram channels. Additional payloads may be retrieved from separate blockchain transactions.
The campaign supports both financial theft of cryptocurrency assets and long-term network access for espionage purposes.
Operational Advantages of Blockchain-Based Delivery
The use of blockchain infrastructure provides several operational benefits for attackers:
- Immutability: A deployed contract's bytecode and the transaction history cannot be deleted by anyone, so the malicious payload stays available. The contract's storage, however, can still be changed by whoever controls the contract, which is how the operator swaps in new payloads while defenders cannot remove them
- Decentralization: No central server exists that can be seized or shut down by law enforcement or cybersecurity teams
- Low Cost: Updating payloads within smart contracts can cost as little as $1.37 in gas fees on BNB Smart Chain
- Anonymity: Blockchain addresses are pseudonymous, complicating attribution
Examples identified by researchers include a BNB Smart Chain contract that was updated more than 20 times over four months, demonstrating the ability to continuously modify payloads while maintaining persistent access.
Related Tools and Campaign Overlap
A related malware framework, EtherRAT, observed in late 2025 during exploitation of the React2Shell vulnerability (CVE-2025-55182), also uses Ethereum smart contracts for command-and-control resolution.
EtherRAT queries blockchain data to retrieve updated C2 server addresses and establishes persistence on Linux systems. Direct code overlap with UNC5342's tooling has not been confirmed, but researchers note operational similarities linking it to the same broader campaign cluster.
UNC5342 is also tracked under multiple designations by cybersecurity firms, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi.
Limits of Mitigation and Response
Because a deployed contract and its transaction history are permanent, defenders cannot remove malicious smart contract data; only the contract's controller can change what it serves, and even then the earlier payloads remain readable from past transactions for the lifetime of the network.
Mitigation efforts therefore have to focus on disrupting the other stages of the attack chain:
- Blocking Web3 APIs: Malware relies on public RPC endpoints and blockchain explorer APIs rather than running full nodes; restricting access can interrupt payload retrieval
- Endpoint Detection: Behavioral monitoring can identify execution of JADESNOW and INVISIBLEFERRET
- Network Monitoring: Tracking connections to known malicious contract addresses and blockchain services can provide visibility
- User Controls: Preventing execution of unverified scripts and enforcing multi-factor authentication reduces exposure
File-based indicators, such as known hashes of JADESNOW samples, can also assist in detection, though the dynamic nature of payload updates limits the effectiveness of signature-based tools.
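The network-monitoring and Web3-API mitigations above come down to one question: which process on a workstation is issuing `eth_call` requests or explorer API lookups, and against which contract. Here is an added detection rule, not from GTIG or any vendor product, that runs over constructed proxy log lines and flags exactly that. The log format, the process allowlist, the explorer hostnames, and the watchlisted contract address are all assumptions for the example; real contract addresses come from threat intelligence feeds, and the allowlist has to be tuned to what a given fleet's wallets and browsers actually do.

```javascript
// Added example: a detection rule for the network-monitoring and Web3-API
// mitigations described above. The log schema, process allowlist, hostnames
// and watchlisted address are constructed for illustration; no real campaign
// indicator is reproduced here.

// Explorer API hosts worth watching (assumption; extend from your proxy logs).
const EXPLORER_HOSTS = new Set([
  "api.etherscan.io", "api.bscscan.com", "api.blockchair.com", "api.ethplorer.io",
]);
// Processes expected to talk to chains on a developer workstation (assumption).
const EXPECTED_WEB3_PROCESSES = new Set(["chrome.exe", "msedge.exe", "firefox.exe"]);
// Placeholder watchlist; real addresses come from threat intelligence feeds.
const WATCHLISTED_CONTRACTS = new Set(["0x00000000000000000000000000000000deadc0de"]);

// Extract JSON-RPC calls from a request body, handling both single calls and
// batches, and ignoring bodies that are not JSON-RPC at all.
function jsonRpcCalls(body) {
  if (!body) return [];
  let parsed;
  try { parsed = JSON.parse(body); } catch { return []; }
  const batch = Array.isArray(parsed) ? parsed : [parsed];
  return batch.filter((c) => c && typeof c.method === "string");
}

// Each line is one JSON event: { ts, process, host, method, path, body? }.
// eth_call is read-only and leaves no on-chain trace, so the host-side
// request is the only place the retrieval can be seen.
function scanProxyLogs(lines) {
  const findings = [];
  let malformed = 0;
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { malformed++; continue; }
    const proc = (ev.process || "").toLowerCase();
    const expected = EXPECTED_WEB3_PROCESSES.has(proc);
    const base = { ts: ev.ts, process: ev.process, host: ev.host };

    for (const call of jsonRpcCalls(ev.body)) {
      if (call.method !== "eth_call") continue;
      const to = String((call.params && call.params[0] && call.params[0].to) || "").toLowerCase();
      if (WATCHLISTED_CONTRACTS.has(to)) {
        findings.push({ ...base, severity: "high", reason: "eth_call to watchlisted contract", contract: to });
      } else if (!expected) {
        findings.push({ ...base, severity: "medium", reason: "eth_call from unexpected process", contract: to });
      }
    }
    if (EXPLORER_HOSTS.has((ev.host || "").toLowerCase()) && !expected) {
      findings.push({ ...base, severity: "medium", reason: "explorer API request from unexpected process" });
    }
  }
  return { findings, malformed };
}

// Constructed sample log: one benign browser lookup, a node.exe eth_call to the
// watchlisted contract, a node.exe explorer lookup, a python.exe batch with an
// eth_call to an unlisted contract, and one unparseable line.
const SAMPLE_PROXY_LOG = [
  JSON.stringify({ ts: "2026-03-20T09:12:01Z", process: "chrome.exe", host: "api.etherscan.io", method: "GET", path: "/api?module=account&action=balance" }),
  JSON.stringify({ ts: "2026-03-20T09:13:44Z", process: "node.exe", host: "rpc.example-node.invalid", method: "POST", path: "/",
    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: "0x00000000000000000000000000000000DEADC0DE", data: "0x20965255" }, "latest"] }) }),
  JSON.stringify({ ts: "2026-03-20T09:13:45Z", process: "node.exe", host: "api.ethplorer.io", method: "GET", path: "/getAddressInfo/0x00000000000000000000000000000000deadc0de?apiKey=freekey" }),
  JSON.stringify({ ts: "2026-03-20T09:15:02Z", process: "python.exe", host: "rpc.example-node.invalid", method: "POST", path: "/",
    body: JSON.stringify([{ jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] },
                          { jsonrpc: "2.0", id: 2, method: "eth_call", params: [{ to: "0x1111111111111111111111111111111111111111", data: "0x" }, "latest"] }]) }),
  "not json at all",
];

// scanProxyLogs(SAMPLE_PROXY_LOG) returns 3 findings (one high, two medium) and malformed = 1.
```

The process-based rule catches the case the contract watchlist cannot: a freshly deployed contract has no indicator yet, but a `node.exe` or `python.exe` process on a developer machine making `eth_call` requests is unusual enough to review, and it matches the delivery described above, where the downloader runs from a coding test rather than from a wallet or browser.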
Strategic Context
The adoption of blockchain-based malware delivery reflects a broader trend toward resilient, decentralized infrastructure in cyber operations. By integrating EtherHiding into its toolkit, UNC5342 has expanded its ability to maintain persistent access and evade traditional countermeasures.
The activity aligns with North Korea’s established focus on cryptocurrency theft and cyber-enabled revenue generation, while also supporting intelligence-gathering objectives through supply-chain and developer-targeted intrusions.
Security researchers note that the technique is likely to evolve further, with attackers potentially expanding to additional blockchain networks and refining payload delivery methods.