Google’s Threat Intelligence Group (GTIG) has warned that at least two hacking groups are exploiting public blockchains to conceal and control malware, using a technique called “EtherHiding” that turns decentralized ledgers into resilient command-and-control (C2) infrastructure. GTIG reports it has observed the North Korean (DPRK) threat actor UNC5342, also known as BeaverTail, employing EtherHiding since February 2025, possibly the first known instance of a nation-state group using the method.
EtherHiding involves embedding malicious code, often JavaScript payloads, inside a smart contract on public chains such as Ethereum or BNB Smart Chain (BSC). Once written to the chain, the payload serves as a decentralized dead drop resolver: because the smart contract resides on an immutable, distributed ledger, takedown is effectively impossible in the conventional sense. The technique also leverages the pseudonymous nature of blockchain transactions to hinder attribution.
GTIG links the technique to “Contagious Interview”, a long-running campaign that targets developers and crypto professionals. Attackers pose as recruiters on LinkedIn, move conversations to Telegram or Discord, then deliver infected coding tests or fake software downloads as part of an apparent interview process. The objective is to gain unauthorized access to developers’ machines, steal sensitive data, and siphon cryptocurrency, combining espionage and financial theft consistent with DPRK operations.
Researchers say targets are primarily developers and personnel in the cryptocurrency and technology sectors. Social engineering is elaborate: attackers create convincing fake recruiter identities, phony firms, and realistic interview workflows to persuade victims to run malicious code. In earlier iterations of the campaign, victims were prompted to download bogus updates, for example, fake Chrome installers that delivered malware. Embedding the payload in a smart contract removes a single point of failure for attackers and complicates defensive measures.
GTIG has observed EtherHiding activity across multiple public chains. The use of multiple ledgers increases resilience but also expands opportunities for defenders. Google researchers note that attackers commonly rely on third-party APIs or hosting platforms to fetch and execute the scraped payloads from the blockchain. That reliance creates potential choke points: coordinated action by providers can disrupt the interface between on-chain content and off-chain execution.
The report recommends a range of mitigations. Organizations should harden endpoints, enforce strict software installation policies, and train staff to recognize recruitment-style social engineering. Enterprise browser management tools such as Chrome Enterprise’s centralized controls can block malicious downloads, enforce automatic updates, and neutralize prompts that ask users to run unauthorized installers. Network defenses should monitor unusual calls to blockchain resolver APIs and block known malicious domains or hosting platforms used by the campaign.
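The last recommendation above, watching for unusual calls to blockchain resolver APIs, is the one a network defender can turn into a concrete hunt. Pulling a payload out of a smart contract requires the client to read contract state, and on Ethereum-style chains that means a JSON-RPC request using a small set of methods (`eth_call`, `eth_getCode`, `eth_getStorageAt`) sent to an RPC provider. The script below is an added example, not code from the GTIG report or from Red Sky Alliance: it scans proxy log records for contract-read JSON-RPC requests issued by processes that are not expected to talk to a blockchain, collapses them into findings per host, process, endpoint and contract address, and extracts the contract addresses so they can be pivoted on across the rest of the fleet. The log schema, process names, hostnames and contract addresses are all constructed assumptions; seeing request bodies at all presupposes TLS inspection at the proxy.

```python
"""Hunt for unexpected smart-contract reads in proxy logs (added example, not from the report)."""
import json

# JSON-RPC methods that read smart-contract state. A script fetching a payload from a
# contract has to use one of these; the grouping is this example's assumption.
CONTRACT_READ_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}

# Processes expected to reach blockchain RPC endpoints on this fleet.
# Constructed placeholder; populate from your own software inventory.
ALLOWED_PROCESSES = {"wallet-app.exe"}

# Constructed contract addresses (40 hex chars), not real on-chain artefacts.
CONTRACT_A = "0x" + "ab" * 20
CONTRACT_B = "0x" + "cd" * 20


def rpc_body(method, params, req_id=1):
    """Serialise a JSON-RPC request body; used here only to construct sample log lines."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": req_id})


# Constructed proxy log records. Field names are assumptions; map your proxy's schema onto them.
SAMPLE_LOGS = [
    {"ts": "2025-03-01T09:12:01Z", "src_host": "dev-laptop-17", "process": "node.exe", "method": "POST",
     "dst_host": "rpc.chain-provider.invalid",
     "body": rpc_body("eth_call", [{"to": CONTRACT_A, "data": "0x06fdde03"}, "latest"])},
    {"ts": "2025-03-01T09:12:31Z", "src_host": "dev-laptop-17", "process": "node.exe", "method": "POST",
     "dst_host": "rpc.chain-provider.invalid",
     "body": rpc_body("eth_call", [{"to": CONTRACT_A, "data": "0x06fdde03"}, "latest"], 2)},
    {"ts": "2025-03-01T09:15:00Z", "src_host": "dev-laptop-17", "process": "wallet-app.exe", "method": "POST",
     "dst_host": "rpc.chain-provider.invalid",
     "body": rpc_body("eth_call", [{"to": CONTRACT_B, "data": "0x70a08231"}, "latest"])},
    {"ts": "2025-03-01T10:02:17Z", "src_host": "build-agent-03", "process": "python.exe", "method": "POST",
     "dst_host": "rpc.other-provider.invalid",
     # Batched request: one harmless method plus one contract-code read.
     "body": json.dumps([json.loads(rpc_body("eth_blockNumber", [])),
                         json.loads(rpc_body("eth_getCode", [CONTRACT_A, "latest"], 2))])},
    {"ts": "2025-03-01T10:05:00Z", "src_host": "dev-laptop-17", "process": "chrome.exe", "method": "POST",
     "dst_host": "api.example.invalid", "body": "not json at all"},
    {"ts": "2025-03-01T10:06:00Z", "src_host": "dev-laptop-17", "process": "git.exe", "method": "GET",
     "dst_host": "github.com", "body": ""},
]


def contract_reads(body):
    """Return [(rpc_method, contract_address)] for each contract-read call in a JSON-RPC body.

    Handles single and batched requests; bodies that are not JSON-RPC yield an empty list.
    """
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    requests = payload if isinstance(payload, list) else [payload]
    reads = []
    for req in requests:
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
            continue
        method = req.get("method")
        if method not in CONTRACT_READ_METHODS:
            continue
        params = req.get("params") or []
        first = params[0] if params else None
        # eth_call carries a call object with "to"; eth_getCode/eth_getStorageAt take the address directly.
        addr = first.get("to") if isinstance(first, dict) else first
        reads.append((method, str(addr).lower() if addr else None))
    return reads


def detect(records, allowed_processes=ALLOWED_PROCESSES):
    """One finding per (src_host, process, dst_host, contract) where a non-allowlisted
    process read smart-contract state through an RPC endpoint. Sorted by first sighting."""
    findings = {}
    for rec in records:
        if rec.get("method") != "POST" or rec.get("process", "") in allowed_processes:
            continue
        for rpc_method, contract in contract_reads(rec.get("body")):
            key = (rec["src_host"], rec["process"], rec["dst_host"], contract)
            f = findings.setdefault(key, {"src_host": rec["src_host"], "process": rec["process"],
                                          "dst_host": rec["dst_host"], "contract": contract,
                                          "rpc_methods": set(), "count": 0, "first_seen": rec["ts"]})
            f["rpc_methods"].add(rpc_method)
            f["count"] += 1
    return sorted(findings.values(), key=lambda f: f["first_seen"])


def contracts_to_hunt(findings):
    """Distinct contract addresses seen in findings, for pivoting across other hosts' logs."""
    return sorted({f["contract"] for f in findings if f["contract"]})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for f in hits:
        print(f"{f['first_seen']} {f['src_host']} {f['process']} -> {f['dst_host']} "
              f"{sorted(f['rpc_methods'])} contract={f['contract']} x{f['count']}")
    print("contracts to hunt:", contracts_to_hunt(hits))
```

Run against the constructed records, the two `eth_call` requests from `node.exe` on `dev-laptop-17` fold into one finding with a count of two, the batched request from `build-agent-03` is flagged on its `eth_getCode` member only, the allowlisted wallet process is ignored, and the single contract address shared by both findings comes out as the value to pivot on. The allowlist is the important tuning knob: on a fleet with no legitimate blockchain tooling it should be empty, and any contract-read RPC from a developer workstation is worth a look.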
In an expert comment, Kev Eley, Vice President UKI at Exabeam, said, “The adoption of EtherHiding by state-linked actors is a stark evolution in how adversaries combine decentralized technologies with social engineering to evade detection. Embedding payloads in smart contracts makes takedown far harder and increases the operational resilience of campaigns. Organizations must treat these threats as strategic risks: enforce strict endpoint controls, harden supply chain and hiring processes, and adopt detection that uncovers early behavioral signs of compromise. AI-driven detection that identifies anomalous developer activity and suspicious download behavior can help surface attacks before major damage occurs,” Eley concluded.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122