EtherHiding is a technique in which attackers hide malicious code (for example, JavaScript or loaders) inside smart contracts on public blockchains (Ethereum, BNB Smart Chain, etc.).
How it works:
Thus, EtherHiding becomes a new way to “host” malware that is resistant to standard methods of blocking domains or servers.
Researchers found that a North Korean hacking group known as UNC5342 is using EtherHiding in its operations.
How it works in practice:
1. Social engineering and phishing
Attackers create fake job offers or conduct “interviews” to attract specialists, often from the crypto and tech sectors.
They ask targets to do a “test task” or download something supposedly needed for the interview; in reality it’s malicious code.
2. Deploying a loader script
A small JavaScript loader is placed on a (fake or compromised) website. When the user visits, this script runs in the victim’s browser.
3. Reading malicious code from the blockchain
The loader queries a smart contract on the blockchain and reads an encoded malicious payload. Because this is a read-only call (no transaction is created), it’s nearly invisible on-chain.
4. Executing the malicious code on the victim’s machine
The code runs on the victim’s computer and can install backdoors and steal data, cryptocurrency, etc.

Notably, attackers can switch between different blockchains (for example, from Ethereum to BNB Smart Chain) to complicate analysis and avoid blocking.
One of the tools observed is JADESNOW — a JavaScript loader that, via EtherHiding, retrieves a more serious backdoor (for example, INVISIBLEFERRET).
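
Because the read call leaves almost nothing on-chain and the chain can be swapped, a defender's best vantage point is the network edge. The following is an added detection sketch, not code from the original page or from the researchers. It flags JSON-RPC `eth_call` requests made from pages where on-chain reads are not expected. The log schema, the allow-list and all hostnames are assumptions, and it presumes a TLS-inspecting proxy that records request bodies.

```javascript
// Flag browser JSON-RPC read calls (eth_call) in web-proxy records.
// Assumed log schema: { client, host, referer, body }; not a real product's format.
const READ_METHODS = new Set(["eth_call"]); // read-only contract call, creates no transaction
// Assumption: pages where on-chain reads from the browser are expected (wallets, dapps).
const EXPECTED_REFERERS = new Set(["app.dex.example"]);

function rpcMethods(body) {
  // A JSON-RPC body is one request object or a batch (array) of them.
  let parsed;
  try { parsed = JSON.parse(body); } catch { return []; }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  return calls
    .filter((c) => c && typeof c === "object" && c.jsonrpc === "2.0" && typeof c.method === "string")
    .map((c) => c.method);
}

function refererHost(referer) {
  try { return new URL(referer).hostname; } catch { return ""; }
}

function findSuspectReads(records) {
  const byPage = new Map(); // "client|page" -> finding
  for (const r of records) {
    if (!rpcMethods(r.body).some((m) => READ_METHODS.has(m))) continue;
    const page = refererHost(r.referer);
    if (EXPECTED_REFERERS.has(page)) continue;
    const key = `${r.client}|${page}`;
    if (!byPage.has(key)) byPage.set(key, { client: r.client, page, rpcHosts: new Set() });
    byPage.get(key).rpcHosts.add(r.host);
  }
  // One page reading contracts through several RPC hosts fits the chain switching described above.
  return [...byPage.values()].map((f) => ({
    client: f.client, page: f.page, rpcHosts: [...f.rpcHosts].sort(), multiEndpoint: f.rpcHosts.size > 1,
  }));
}

// Constructed sample records (not real traffic); the contract address is a placeholder.
const SAMPLE = [
  { client: "10.0.0.5", host: "rpc-eth.example", referer: "https://careers-portal.example/apply", body: '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xPLACEHOLDER","data":"0x"},"latest"]}' },
  { client: "10.0.0.5", host: "rpc-bsc.example", referer: "https://careers-portal.example/apply", body: '[{"jsonrpc":"2.0","id":2,"method":"eth_call","params":[]}]' },
  { client: "10.0.0.9", host: "rpc-eth.example", referer: "https://app.dex.example/swap", body: '{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[]}' },
  { client: "10.0.0.7", host: "api.example", referer: "https://news.example/", body: '{"q":"eth_call"}' },
];

console.log(findSuspectReads(SAMPLE));
```

Matching on the JSON-RPC method rather than on the RPC hostname keeps the rule effective when the operator moves to another chain or endpoint.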