North Korean Hackers Embed Malware In Blockchain Smart Contracts To Steal Cryptocurrency

North Korean state-sponsored hackers are using a novel technique to infiltrate blockchain networks and illicitly extract cryptocurrency. The group, identified as UNC5342, uses a method termed "EtherHiding" to embed unremovable malware within blockchain smart contracts. This is the first known instance of a nation-state actor using smart contract-hosted malware to evade detection and obstruct takedown efforts.

The campaign, active since February 2025, involves the use of JavaScript-based loaders, known as JADESNOW, to download and execute a sophisticated backdoor named INVISIBLEFERRET. These malicious components are stored on the BNB Smart Chain and Ethereum blockchains. By employing read-only blockchain calls that do not generate visible transaction activity, the attackers effectively avoid detection. The immutable nature of smart contracts further complicates efforts to remove or alter the malicious code, allowing the malware to persist undetected.

The dissemination of this malware is achieved through compromised WordPress sites and deceptive job interview lures targeting cryptocurrency developers. Victims unknowingly trigger malware downloads by visiting these compromised websites. Google's Threat Intelligence Group has recommended temporarily blocking JSON-RPC services or tightening client-side and browser security policies as potential containment measures. This campaign signifies a concerning evolution in threat actor tactics, utilizing blockchain for persistent and stealthy malware deployment.
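As a defensive illustration of the containment advice above, the following added example (not from the original report or from Google's Threat Intelligence Group) scans egress-proxy records for read-only JSON-RPC calls made by hosts that are not approved blockchain clients. The log layout, host names, allowlist and the set of watched method names are assumptions, and the sample records are constructed.

```python
import json

# Assumption: standard Ethereum-style JSON-RPC read methods worth watching.
READ_ONLY_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}
# Assumption: hosts allowed to query blockchain RPC endpoints (constructed names).
APPROVED_CLIENTS = {"wallet-svc-01"}

def _record(src, dest, payload):
    # One constructed proxy-log line: JSON with the POST body kept as a string.
    return json.dumps({"src": src, "dest": dest, "body": json.dumps(payload)})

# Constructed sample egress-proxy log; not real telemetry.
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": []}
SAMPLE_LOG = [
    _record("wallet-svc-01", "rpc.example.invalid", CALL),   # approved client
    _record("dev-laptop-17", "rpc.example.invalid", CALL),   # unapproved read
    _record("dev-laptop-17", "rpc.example.invalid", [        # batch request
        {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber"},
        {"jsonrpc": "2.0", "id": 2, "method": "eth_getStorageAt", "params": []},
    ]),
    json.dumps({"src": "dev-laptop-22", "dest": "api.example.invalid",
                "body": "name=alice"}),                      # not JSON-RPC
    "truncated line {",                                      # malformed record
]

def rpc_methods(body):
    """Return JSON-RPC 2.0 method names from a request body (single or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls if isinstance(c, dict)
            and c.get("jsonrpc") == "2.0" and isinstance(c.get("method"), str)]

def find_unapproved_reads(lines):
    """Flag read-only RPC calls made by hosts outside APPROVED_CLIENTS."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip records the proxy wrote incompletely
        if not isinstance(rec, dict) or rec.get("src") in APPROVED_CLIENTS:
            continue
        hits = sorted(set(rpc_methods(rec.get("body"))) & READ_ONLY_METHODS)
        if hits:
            alerts.append((rec.get("src"), rec.get("dest"), hits))
    return alerts
```

Because these calls leave no on-chain transaction, network-side request inspection of this kind is one of the few places the activity is visible.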

The emergence of this sophisticated attack underscores the need for enhanced security measures within the cryptocurrency and blockchain sectors. Stakeholders are urged to implement robust security protocols and remain vigilant against such evolving threats. The integration of malicious code within blockchain smart contracts presents a significant challenge, necessitating a collaborative effort to develop effective countermeasures.

As the cryptocurrency industry continues to grow, the sophistication of cyber-attacks is expected to increase. It is imperative for both developers and users to stay informed about emerging threats and adopt proactive security practices to safeguard digital assets and maintain the integrity of blockchain networks.
