{"id":14981,"date":"2025-10-17T21:47:30","date_gmt":"2025-10-17T21:47:30","guid":{"rendered":"https:\/\/newestek.com\/?p=14981"},"modified":"2025-10-17T21:47:30","modified_gmt":"2025-10-17T21:47:30","slug":"north-korean-threat-actors-turn-blockchains-into-malware-delivery-servers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14981","title":{"rendered":"North Korean threat actors turn blockchains into malware delivery servers"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Nation-state threat actors and cybercriminals are increasingly abusing cryptocurrency blockchains to host malicious payloads with a technique known as \u201cEtherHiding,\u201d which makes their attacks harder to detect and take down.<\/p>\n

\u201cGoogle Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using \u2018EtherHiding\u2019 to deliver malware and facilitate cryptocurrency theft \u2014 the first time GTIG has observed a nation-state actor adopting this method,\u201d researchers from Google wrote in a new report<\/a>.<\/p>\n

While this marks the first reported use of EtherHiding by a nation-state threat actor, Google has observed the technique being used and refined over the past year by cybercriminal group UNC5142<\/a>, which compromises WordPress websites to distribute infostealers to visitors.<\/p>\n

The technique leverages smart contracts, which act like programs stored on a blockchain, executing code when triggered. Attackers have learned to use these as command-and-control (C2) servers to return malicious payloads when the contracts execute after specific conditions are met.<\/p>\n

Resilient and decentralized C2 infrastructure<\/h2>\n

One clear benefit of abusing smart contracts in this way is that they are immutable. Compared to hosting malware on a rented or compromised server, smart contracts are very hard to take down by security companies or law enforcement agencies, as cryptocurrency blockchains are by design highly decentralized.<\/p>\n

To make things even harder, attackers use a chain of multiple smart contracts that reference one another, and they encrypt the payload so that it\u2019s not easily detectable with scanning tools.<\/p>\n

\u201cIn essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,\u201d Google\u2019s researchers said. \u201cThis technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.\u201d<\/p>\n

Used in North Korean fake recruitment campaigns<\/h2>\n

As opposed to other nation-state actors, North Korean APT groups are known to conduct cybercriminal activity in addition to cyberespionage, because their goal includes gathering funds for the regime.<\/p>\n

One way they do this is by stealing cryptocurrency from companies and individuals. Between 2017 and 2023, it is estimated that North Korea generated $1.7 billion from cryptocurrency thefts.<\/p>\n

This has also been the task of UNC5342, which has been behind social engineering campaigns that lure software developers with fake job applications<\/a> on LinkedIn and recruitment websites.<\/p>\n

The fake recruiters move the conversation with candidates to Discord or Telegram and ask them to take a technical assessment that involves downloading poisoned code repositories from GitHub. In other variations, candidates are invited to a video interview, then a ClickFix-type error message<\/a> is displayed that requires them to download software to fix a problem.<\/p>\n

The first-stage malware is usually malicious JavaScript code hosted in a rogue npm repository. Its purpose is to download and deploy second-stage trojans that steal cryptocurrency wallets, browser extension data, and locally stored credentials. GTIG calls this first-stage malware the JADESNOW downloader.<\/p>\n

\u201cJADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum,\u201d the researchers said. \u201cThe input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.\u201d<\/p>\n

Furthermore, the INVISIBLEFERRET backdoor\u2019s code might be split across different smart contracts, and when executed, it might download additional payloads stored at different blockchain addresses, such as a Python-based information stealer.<\/p>\n

The malicious JavaScript downloader used by UNC5342 queries the Ethereum or BNB chains through several blockchain explorer API services, often with free API keys. While some of these services might respond to takedown requests, others are non-responsive. But using third-party API services is not the only way to read or trigger smart contracts, as demonstrated by separate threat actor UNC5142.<\/p>\n

The ClickFix campaigns<\/h2>\n

The UNC5142 cybercriminal group has been known for distributing infostealer programs since 2023 using fake Google Chrome update pop-ups displayed to visitors on compromised websites. These fake browser update pop-ups were generated through a malicious JavaScript framework that ProofPoint researchers previously dubbed CLEARFAKE<\/a>.<\/p>\n

Google\u2019s researchers have tracked an evolution of this framework they call CLEARSHORT, which downloads additional malicious payloads from smart contracts deployed on the BNB Smart Chain.<\/p>\n

\u201cThe CLEARSHORT landing page leverages ClickFix, a popular social engineering technique aimed at luring victims to locally run a malicious command using the Windows Run dialog box,\u201d the researchers said.<\/p>\n

UNC5142 primarily targets WordPress websites. Google has tracked more than 14,000 web pages that display signs of compromise by UNC5142, which injects its malicious code into existing WordPress plugins, themes, or databases.<\/p>\n

The malicious CLEARSHORT code leverages Web3.js, a library that allows interaction with Ethereum nodes over different web-based protocols such as HTTP, IPC, or WebSocket. This library is used to connect to the BNB Smart Chain through a public node.<\/p>\n

UNC5142\u2019s use of smart contracts has evolved over time from storing the payload in a single contract to now splitting different attack components into three separate ones, enabling different parts of the attack to be upgraded individually.<\/p>\n

\u201cThis new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,\u201d the researchers said. \u201cA stable, unchangeable proxy forwards calls to a separate second-level contract that can be replaced to fix bugs or add features.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Nation-state threat actors and cybercriminals are increasingly abusing cryptocurrency blockchains to host malicious payloads with a technique known as \u201cEtherHiding,\u201d which makes their attacks harder to detect and take down. \u201cGoogle Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using \u2018EtherHiding\u2019 to deliver malware and facilitate cryptocurrency theft \u2014 the first time GTIG has observed a nation-state actor adopting this… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14981","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14981"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14981\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}