Nation-state hackers distribute malware from ‘bulletproof’ blockchains

Creating or modifying smart contracts typically costs less than $2 per transaction, which is a huge savings in terms of funds and labor compared to more traditional methods of distributing malware.

In addition to the EtherHiding that Google observed, there was a social engineering campaign that used fake job recruiting to attract targets, many of whom were developers of cryptocurrency apps or other online services. During the selection process, candidates must take a test that demonstrates their coding or code review skills. The files required to complete the tests contain malicious code.

Illustration of the UNC5342 EtherHiding flow.

The infection process is based on a chain of malware that is installed in stages. Subsequent stages responsible for executing the final payloads are installed through smart contracts that hackers store on the Ethereum and BNB Smart Chain blockchains, which accept payloads from anyone.

One of the groups Google observed, a North Korean-backed team tracked as UNC5342, uses earlier-stage malware tracked as JadeSnow to retrieve later-stage malware from the BNB and Ethereum blockchains. Google researchers observed:

It is unusual to see a threat actor use multiple blockchains for EtherHiding activity; this may indicate operational compartmentalization between teams of North Korean cyber operators. Finally, campaigns frequently take advantage of the flexible nature of EtherHiding to update the infection chain and change payload delivery locations. In one transaction, the JADESNOW downloader can switch from searching for a payload on Ethereum to searching for it on the BNB Smart Chain. This change not only complicates analysis but also takes advantage of the lower transaction fees offered by alternative networks.
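From a defender's side, the observable footprint of the retrieval step described above is a client making read-only JSON-RPC eth_call requests to public Ethereum or BNB Smart Chain RPC endpoints and receiving a contract "string" return that is really a script. The following Python triage script is an added example, not code from Google, Ars Technica, or any of the groups named here: it decodes ABI-encoded string returns from logged eth_call round trips, flags returns that look like loaders rather than token names, and notes when one client pulls such payloads from more than one chain's RPC host. All hosts, addresses, client IPs, thresholds and the payload string are constructed placeholders.

```python
"""Heuristic triage of logged JSON-RPC eth_call traffic for EtherHiding-style
payload retrieval. Added illustrative example: every host, address, client IP
and payload string below is a constructed placeholder, not a real indicator."""
import json
import re
from dataclasses import dataclass, field

# A token contract's name()/symbol() return is short and plain; a loader
# returned as contract data is not. Threshold and markers are assumptions.
MAX_BENIGN_STRING = 256
SCRIPT_MARKERS = ("eval(", "function(", "fetch(", "atob(", "<script", "document.")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Verdict:
    client: str
    host: str
    contract: str
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value: offset, length, padded bytes."""
    data = s.encode()
    head = (32).to_bytes(32, "big")          # offset of the string (always 0x20 here)
    length = len(data).to_bytes(32, "big")
    pad = b"\x00" * ((-len(data)) % 32)
    return "0x" + (head + length + data + pad).hex()


def abi_decode_string(hexdata: str):
    """Decode an ABI-encoded `string` return; None if the layout does not fit."""
    try:
        raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    except ValueError:
        return None
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    try:
        return raw[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify_eth_call(entry: dict) -> Verdict:
    """Score one egress-proxy log entry of the form {client, host, request, response}."""
    req, resp = entry["request"], entry["response"]
    contract = (req.get("params") or [{}])[0].get("to", "?")
    verdict = Verdict(entry["client"], entry["host"], contract)
    if req.get("method") != "eth_call":
        return verdict
    decoded = abi_decode_string(resp.get("result", "0x"))
    if decoded is None:
        return verdict  # not a string return (or not decodable); out of scope here
    if len(decoded) > MAX_BENIGN_STRING:
        verdict.reasons.append(f"string return of {len(decoded)} chars")
    hits = [m for m in SCRIPT_MARKERS if m in decoded]
    if hits:
        verdict.reasons.append("script markers: " + ", ".join(hits))
    if B64_BLOB.search(decoded):
        verdict.reasons.append("large base64 blob")
    verdict.suspicious = bool(verdict.reasons)
    return verdict


def triage_log(lines):
    """Classify each JSON line and map client -> RPC hosts that served suspicious
    payloads; more than one host per client is the chain switching the article describes."""
    verdicts = [classify_eth_call(json.loads(line)) for line in lines]
    hosts_by_client = {}
    for v in verdicts:
        if v.suspicious:
            hosts_by_client.setdefault(v.client, set()).add(v.host)
    return verdicts, hosts_by_client


# Constructed sample log: one client, a benign name() read, then two loader reads.
_BENIGN = abi_encode_string("Wrapped BNB")
_LOADER = abi_encode_string("(function(){eval(atob('Q09OU1RSVUNURUQ='))})()")  # base64 of "CONSTRUCTED"
_NAME_SELECTOR = "0x06fdde03"      # real ERC-20 name() selector
_FAKE_SELECTOR = "0x" + "00" * 4   # constructed placeholder selector


def _entry(host, to, data, result):
    return json.dumps({"client": "10.0.0.7", "host": host,
                       "request": {"method": "eth_call", "params": [{"to": to, "data": data}, "latest"]},
                       "response": {"result": result}})


SAMPLE_LOG = [
    _entry("eth-rpc.example.invalid", "0x" + "aa" * 20, _NAME_SELECTOR, _BENIGN),
    _entry("eth-rpc.example.invalid", "0x" + "bb" * 20, _FAKE_SELECTOR, _LOADER),
    _entry("bnb-rpc.example.invalid", "0x" + "cc" * 20, _FAKE_SELECTOR, _LOADER),
]

if __name__ == "__main__":
    for v, hosts in [(v, None) for v in triage_log(SAMPLE_LOG)[0]]:
        print(v)
    print(triage_log(SAMPLE_LOG)[1])
```

Run against a real proxy log, the useful signal is the combination: a non-browser process issuing eth_call, a decoded string return that parses as script, and the same client touching RPC hosts for two chains within one infection. Any one of these alone is noisy; together they are close to the behaviour Google attributes to the JADESNOW downloader.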

The researchers said they also observed another group, the financially motivated UNC5142, which also employed EtherHiding.

North Korea's hacking prowess was once considered low-caliber. Over the past decade, the country has mounted a series of high-profile attack campaigns that demonstrate increasing skill, focus and resources. Two weeks ago, blockchain analysis firm Elliptic said the nation had stolen cryptocurrencies worth more than $2 billion so far in 2025.
