Google’s Threat Intelligence Group (GTIG) has warned that at least two hacking groups are exploiting public blockchains to conceal and control malware, using a technique called “EtherHiding” that turns decentralized ledgers into resilient command-and-control (C2) infrastructure. GTIG reports it has observed the North Korean (DPRK) threat actor UNC5342, also known as BeaverTail, employing EtherHiding since February 2025, possibly the first known instance of a nation-state group using the method.
