Hackers slip malware inside blockchain to steal cryptocurrency — EtherHiding embeds malicious JavaScript payloads in smart contracts on public blockchains


A North Korean state-sponsored hacking crew is now using public blockchains to host malicious payloads, according to new research from Google’s Threat Intelligence Group (GTIG). The campaign, which leverages a technique known as “EtherHiding,” is the first documented case of a nation-state actor adopting smart contract malware delivery to evade detection and disrupt takedowns.

Google attributes the activity to UNC5342, a group it links to the long-running “Contagious Interview” operation targeting developers and cryptocurrency professionals. First observed using EtherHiding in February 2025, UNC5342’s latest toolkit includes a JavaScript downloader dubbed JADESNOW, which fetches and executes a backdoor, INVISIBLEFERRET, directly from data stored on BNB Smart Chain and Ethereum smart contracts.

The group’s payload delivery mechanism hinges on read-only blockchain calls. These requests don’t produce new transactions or leave visible trails in blockchain analytics tools, and because the contracts themselves are immutable, defenders can’t remove the embedded scripts.

Google’s report ties the blockchain infrastructure to real-world infections delivered through compromised WordPress sites and social engineering lures, including fake job interviews designed to bait crypto developers. Victims who land on these sites receive the JADESNOW loader, which then reaches out to the on-chain smart contracts, retrieves a JavaScript payload, and runs it locally. That payload in turn launches INVISIBLEFERRET — a full-featured backdoor that gives the attackers remote control and enables long-term espionage and data theft.
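Because the read-only contract calls described above leave no transaction on-chain, the place a defender can see them is network egress. The following is an added example, not code from Google's report or from the article: it assumes JSON-RPC request and response bodies are available from a TLS-inspecting proxy or endpoint sensor, uses the standard Ethereum JSON-RPC method `eth_call` (not named in the article) as the read-only call, and treats the size and text-ratio thresholds as heuristic choices. All hosts, process names, addresses and payload text are constructed placeholders.

```python
import json

# Constructed sample records (not real traffic). Hosts, process names, contract
# addresses and the stored text are placeholders; real results are ABI-encoded.
_TEXT = ("/* constructed stand-in for stored script text */ " * 40).encode()
SAMPLE = [
    {"host": "ws-014", "process": "node.exe",
     "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                            "params": [{"to": "0x" + "00" * 20, "data": "0x12345678"}, "latest"]}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x" + _TEXT.hex()})},
    {"host": "ws-022", "process": "wallet-app",  # batch form, small numeric result
     "request": json.dumps([{"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                             "params": [{"to": "0x" + "11" * 20, "data": "0x70a08231"}, "latest"]}]),
     "response": json.dumps([{"jsonrpc": "2.0", "id": 7, "result": "0x" + "00" * 32}])},
    {"host": "ws-031", "process": "curl", "request": "not json", "response": ""},
]

def _messages(body):
    # Parse a JSON-RPC body; a single object and a batch both become a list.
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [m for m in (doc if isinstance(doc, list) else [doc]) if isinstance(m, dict)]

def _text_profile(result):
    # Return (byte length, share of printable ASCII) for a 0x-prefixed hex result.
    try:
        raw = bytes.fromhex(result[2:])
    except ValueError:
        return 0, 0.0
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return len(raw), (printable / len(raw) if raw else 0.0)

def find_large_text_reads(records, min_bytes=1024, min_ratio=0.8):
    """Flag read-only eth_call requests whose result is large and mostly text."""
    findings = []
    for rec in records:
        results = {str(m.get("id")): m.get("result") for m in _messages(rec["response"])}
        for req in _messages(rec["request"]):
            result = results.get(str(req.get("id")))
            if req.get("method") != "eth_call" or not isinstance(result, str):
                continue
            size, ratio = _text_profile(result)
            if size >= min_bytes and ratio >= min_ratio:
                params = req.get("params")
                call = params[0] if isinstance(params, list) and params else {}
                to = call.get("to") if isinstance(call, dict) else None
                findings.append((rec["host"], rec["process"], to, size))
    return findings
```

Ordinary wallet reads such as balance lookups return short numeric words and fall below both thresholds; a hit is a lead for triage of the calling process, not a verdict.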


Luke James
Contributor