A hacking group with ties to North Korea has been identified as the first state-sponsored threat actor to adopt a stealthy new distribution method called EtherHiding to deploy malware and enable widespread cryptocurrency theft. The Google Threat Intelligence Group (GTIG) attributes this escalation in the cyber threat landscape to a cluster it tracks as UNC5342. The group is also known across the industry by several other names, including Famous Chollima and Void Dokkaebi. Its activities align with North Korea's dual goals of cyber espionage and financial gain through illicit means.
The hackers are executing this activity as part of a long-running social engineering campaign dubbed Contagious Interview. The attackers initially approach potential targets, typically software developers, on LinkedIn by posing as recruiters or hiring managers. They then steer the conversation to a private channel like Telegram or Discord and trick the victim into running malicious code disguised as a required job assessment or technical task. The ultimate objective is to gain unauthorized access to the developers’ systems, steal valuable intellectual property, and siphon off digital currency assets.
The core of this new wave of attacks is the incorporation of EtherHiding, a technique UNC5342 has been observed using since February 2025. This sophisticated method involves embedding malicious code within a legitimate-looking smart contract on a public blockchain, such as BNB Smart Chain (BSC) or Ethereum. By utilizing the blockchain, the attackers transform it into a decentralized “dead drop resolver,” which makes the malicious payload highly resilient to traditional law enforcement takedown efforts. Furthermore, the pseudonymous nature of blockchain transactions adds a layer of complexity, making it exceedingly difficult to trace the individuals who deployed the malicious smart contract in the first place.
The infection chain triggered by the initial social engineering attack is complex and targets a wide range of operating systems, including Windows, macOS, and Linux. After the initial JavaScript downloader is executed, it interacts with a malicious BSC smart contract to fetch a component called JADESNOW. This component then queries the transaction history of an Ethereum address to retrieve the final stage payload: InvisibleFerret. This is a JavaScript version of a backdoor designed for high-value targets, which allows for remote control of the compromised system and is specifically engineered to steal credentials and target cryptocurrency wallets like MetaMask and Phantom.
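The two blockchain reads described above (a smart-contract state read to fetch the next stage, then a transaction-history read for the final payload) are observable on the network even though the contract itself cannot be taken down. The following detection script is an added example written for this article; it is not code from the GTIG report or from any of the malware families named here. It assumes a proxy that logs each outbound HTTP request as one JSON line with the fields `host`, `process`, `dest` and `body`, and that the stagers use the standard Ethereum JSON-RPC read methods (`eth_call` for contract state, `eth_getTransactionByHash`/`eth_getBlockByNumber`/`eth_getLogs` for history), which BSC nodes also serve. The hostnames, contract addresses and hashes in the sample log are constructed placeholders, not indicators from the report.

```python
"""Spot script-driven blockchain RPC reads in proxy logs (EtherHiding-style staging)."""
import json
from dataclasses import dataclass

# --- Indicators used by this example (assumptions, not IoCs from the report) ---
# eth_call reads smart-contract state without sending a transaction; the second
# set reads transaction history. Both are standard Ethereum JSON-RPC methods.
CONTRACT_READ_METHODS = {"eth_call"}
TX_HISTORY_METHODS = {"eth_getTransactionByHash", "eth_getBlockByNumber", "eth_getLogs"}
# Interpreters a developer would use to "run the assessment". A browser or wallet
# extension talking JSON-RPC is usually legitimate dapp traffic, so it scores low.
SCRIPT_INTERPRETERS = {"node", "node.exe", "python", "python3", "osascript", "powershell.exe"}


@dataclass
class Alert:
    host: str
    process: str
    stage: str      # "contract-read" or "tx-history-read"
    severity: str   # "high" when a script interpreter issued the call, else "low"
    dest: str


def parse_line(line: str):
    """Parse one JSON proxy-log record; returns None for unparseable lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    body = rec.get("body")
    if isinstance(body, str):          # some proxies log the POST body as a string
        try:
            body = json.loads(body)
        except json.JSONDecodeError:
            body = None
    rec["body"] = body if isinstance(body, dict) else None
    return rec


def classify(rec):
    """Return an Alert when the record is a blockchain read matching a staging step."""
    body = rec.get("body")
    if not body or body.get("jsonrpc") != "2.0":
        return None
    method = body.get("method", "")
    if method in CONTRACT_READ_METHODS:
        stage = "contract-read"
    elif method in TX_HISTORY_METHODS:
        stage = "tx-history-read"
    else:
        return None
    proc = str(rec.get("process", "")).lower()
    severity = "high" if proc in SCRIPT_INTERPRETERS else "low"
    return Alert(rec.get("host", "?"), proc, stage, severity, rec.get("dest", "?"))


def analyse(lines):
    """Run classify() over raw log lines, skipping lines that do not parse."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = classify(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


def chain_hosts(alerts):
    """Hosts where a script interpreter performed BOTH stages: the strongest signal."""
    stages_by_host = {}
    for a in alerts:
        if a.severity == "high":
            stages_by_host.setdefault(a.host, set()).add(a.stage)
    return sorted(h for h, s in stages_by_host.items()
                  if {"contract-read", "tx-history-read"} <= s)


# --- Constructed sample log (not real traffic); hosts, addresses, hashes are placeholders ---
SAMPLE_RECORDS = [
    {"ts": "2025-03-01T09:12:01Z", "host": "dev-ws-17", "process": "node",
     "dest": "bsc-rpc.example.invalid",
     "body": {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
              "params": [{"to": "0xCONTRACT_PLACEHOLDER", "data": "0x00"}, "latest"]}},
    {"ts": "2025-03-01T09:12:04Z", "host": "dev-ws-17", "process": "node",
     "dest": "eth-rpc.example.invalid",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_getTransactionByHash",
                         "params": ["0xTXHASH_PLACEHOLDER"]})},
    {"ts": "2025-03-01T10:40:12Z", "host": "dev-ws-03", "process": "chrome",
     "dest": "eth-rpc.example.invalid",
     "body": {"jsonrpc": "2.0", "id": 7, "method": "eth_call",
              "params": [{"to": "0xDAPP_PLACEHOLDER", "data": "0x00"}, "latest"]}},
    {"ts": "2025-03-01T11:02:55Z", "host": "dev-ws-08", "process": "node",
     "dest": "npm-registry.example.invalid", "body": None},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS] + ["not json at all"]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG_LINES)
    for a in found:
        print(f"[{a.severity}] {a.host} {a.process} -> {a.dest}: {a.stage}")
    print("hosts showing the full two-stage read:", chain_hosts(found))
```

The per-call alerts on their own are noisy, since a developer building a dapp will legitimately issue `eth_call` from a script; the useful signal is `chain_hosts()`, which only fires when one workstation performs both reads from an interpreter, matching the JADESNOW-then-InvisibleFerret sequence above. In a real deployment the process attribution would come from an endpoint agent rather than the proxy, and the method list should be extended with whatever read methods the RPC provider exposes.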
This aggressive shift to using EtherHiding represents what experts call a move toward “next-generation bulletproof hosting,” where the inherent features of blockchain technology—resilience, decentralization, and pseudonymity—are repurposed for malicious ends. This strategic evolution means threat actors can update their malicious payloads at any time, albeit for a small transaction cost, allowing them to remain agile and effective against a wide spectrum of targets. As one consulting leader noted, this development “signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs.”