Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends


North Korean threat actors use blockchains to hide and deliver malware – this is how “EtherHiding” works

Image: North Korean cyberattacks and EtherHiding on blockchains – digital hacking concept.
GTIG warns: North Korean actors use EtherHiding to spread malware via blockchains.

Researchers warn that both state-sponsored and criminal actors are now using smart contracts on public blockchains to store and distribute malicious code – an advanced technique called EtherHiding.
The method makes it significantly more difficult for security companies and law enforcement agencies to track, block, or shut down attackers' infrastructure, as blockchain technology is built to be decentralized and immutable.

What is EtherHiding?

EtherHiding is an attack method where attackers leverage smart contracts – programs running on blockchains like Ethereum or BNB Smart Chain – to hide malicious code and instructions directly in the blockchain’s data fields.
When specific conditions are met or the contract is invoked, it returns a harmful payload which is downloaded and executed on the victim's computer.

This means that the attackers no longer need a central server or a compromised domain that can be taken down, which makes the infrastructure far more resistant to detection and takedown.
The technique builds on the basic principles of blockchain, transparency and immutability, but turns them to a completely new, harmful purpose.


A new step in the cyber arms race

Cyber defenders have long relied on blocking IP addresses, shutting down domains, and deleting server content when attacks are detected.
With EtherHiding, this becomes practically impossible. The content remains on the blockchain forever, and every time a smart contract is executed, it can activate code that is spread across multiple contracts.

According to researchers from Google Threat Intelligence Group (GTIG), EtherHiding represents a “shift towards next-generation bulletproof hosting,” where decentralized systems are used to build persistent, elusive infrastructure.

The attackers also exploit the proxy pattern, a legitimate development technique for making smart contracts upgradable.
In the criminal variant, the pattern is used to split the code into several parts, so that a backdoor can be updated without the entire chain of contracts needing to be changed.
The result is a flexible and long-lived C2 (Command & Control) environment, suited to both cybercriminal and state-sponsored operations.

North Korean group UNC5342 – JADESNOW and INVISIBLEFERRET

GTIG has recently revealed that the North Korean threat actor UNC5342 uses the EtherHiding technique to deliver malicious JavaScript code in multiple stages.
The first stage, which Google calls the JADESNOW downloader, retrieves, decrypts and executes code stored in smart contracts on Ethereum and BNB Smart Chain.
The data stored in the contracts is often Base64 encoded and XOR encrypted, which makes it difficult to detect during automated scans.

Once run, it loads the next stage: INVISIBLEFERRET.JAVASCRIPT, a backdoor that can execute additional payloads and steal data such as crypto wallets, browser extensions, and locally saved login credentials.
In addition, the INVISIBLEFERRET code is sometimes split across multiple contracts, which adds further complexity and resistance to analysis.
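The retrieval step described above (a contract read that returns an obfuscated string, which the downloader decodes before executing) is the point where an analyst can inspect what a contract actually hands out. The following Python is an added example written for this article; it is not code from GTIG or from the malware. It assumes the contract call returns a single ABI-encoded `string`, that the stored value was XOR'd with a single byte and then Base64 encoded (the article does not state the order, so this is an assumption), and it brute-forces the XOR key by scoring candidates for printable text and JavaScript keywords. The sample "payload" is harmless constructed text, not a real sample.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed sample text standing in for a recovered script. Not real malware.
SAMPLE_PLAINTEXT = b'function run(){ console.log("analyst test payload"); }'
SAMPLE_KEY = 0x5A  # constructed single-byte XOR key

# Keywords that suggest a candidate decoding is JavaScript rather than noise.
JS_HINTS = re.compile(rb"function|return|document|window|eval|fetch|require|console")


def abi_encode_string(data: bytes) -> str:
    """Encode one dynamic string/bytes value the way an eth_call `result` field carries it:
    a 32-byte offset word (0x20), a 32-byte length word, then the data padded to 32 bytes.
    Used here only to build the constructed sample response."""
    offset = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (offset + length + padded).hex()


def abi_decode_string(result_hex: str) -> bytes:
    """Recover the raw bytes of a single ABI-encoded dynamic string/bytes return value."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI dynamic value")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds response size")
    return raw[start:start + length]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def score_javascript(candidate: bytes) -> int:
    """0 if the candidate is not mostly printable; otherwise 1 plus 10 per JS keyword hit."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
    if printable < 0.95 * len(candidate):
        return 0
    return 1 + 10 * len(JS_HINTS.findall(candidate))


def recover_payload(result_hex: str) -> Optional[Tuple[int, bytes]]:
    """ABI-decode, Base64-decode, then try all 256 single-byte XOR keys.
    Returns (key, plaintext) for the best-scoring candidate, or None if nothing looks like text."""
    blob = abi_decode_string(result_hex)
    try:
        encoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None  # not Base64: a different encoding layer, or not an EtherHiding-style value
    best: Optional[Tuple[int, int, bytes]] = None
    for key in range(256):
        candidate = xor_bytes(encoded, key)
        score = score_javascript(candidate)
        if best is None or score > best[0]:
            best = (score, key, candidate)
    if best is None or best[0] == 0:
        return None
    return best[1], best[2]


def make_sample_response() -> str:
    """Build the constructed eth_call result: XOR, then Base64, then ABI-encode."""
    obfuscated = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY))
    return abi_encode_string(obfuscated)


if __name__ == "__main__":
    recovered = recover_payload(make_sample_response())
    if recovered:
        key, text = recovered
        print(f"key=0x{key:02x} payload={text.decode()!r}")
```

In practice the `result_hex` comes from a captured JSON-RPC response (for example from a proxy log or a sandbox run), and the recovered text is what gets handed to analysis, never executed. A multi-byte key or a different encoding order simply produces no printable candidate, which is why the function returns `None` instead of guessing.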

Social engineering – fake jobs and “ClickFix”

UNC5342's attacks are combined with sophisticated social engineering.
The group is known for running fake recruitment campaigns on LinkedIn and various job sites, where software developers are lured with attractive job offers.

When victims respond, the attackers move the conversation to Discord or Telegram and ask them to complete a “technical test”.
The test actually consists of downloading a poisoned codebase from GitHub, which infects the system.

In other cases, ClickFix campaigns are used, where a fake message claims that a program needs to be updated or repaired and prompts the user to run a command locally.
This activates the malicious JavaScript code and starts the entire infection chain via the blockchain.

UNC5142 – the criminal predecessor

The cybercriminal group UNC5142 was using EtherHiding as early as 2023 in its campaigns against WordPress websites.
They injected malicious code into plugins, themes, and databases, resulting in visitors being greeted with fake pop-ups with the text:

“Your Google Chrome version is out of date – update now.”

These attacks were built on the CLEARFAKE framework, later upgraded to CLEARSHORT, which downloaded malware directly from smart contracts.
GTIG has tracked over 14,000 compromised pages on which UNC5142's code has been active.

CLEARSHORT uses Web3.js, a library for communicating with Ethereum nodes over HTTP or WebSocket.
By connecting to public nodes, the attackers can load, update and run their payloads without operating traditional servers.

A decentralized malware infrastructure

The advantages for attackers are obvious:

  • Blockchain data cannot be deleted or changed.
  • Infrastructure costs are almost zero, as attackers use public chains.
  • Code can be distributed globally – every node in the network can act as a host.
  • Tracking via DNS or blocking by IP address becomes meaningless.

At the same time, the defender's challenges are becoming greater.
Most security tools are designed to monitor file systems, email, network traffic, and cloud resources – not blockchain interactions.
This means that EtherHiding attacks often go undetected, especially in environments where developers themselves work with smart contracts and dApp frameworks.

How companies and authorities can protect themselves

To reduce the risk of this type of attack, GTIG and several independent security researchers recommend the following measures:

  • Monitor calls to blockchain APIs and RPC endpoints. Log all external Web3 requests that are not business-critical.
  • Introduce strict permission levels so that users cannot run unconfirmed scripts locally.
  • Scan npm packages, GitHub repositories, and third-party dependencies to detect malicious code.
  • Train developers and administrators about how social engineering works – especially fake recruitment attempts.
  • Collaborate with blockchain providers for rapid reporting of malicious contracts and keys.
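The first measure, monitoring calls to blockchain RPC endpoints and logging Web3 requests that are not business-critical, is the one most security teams can implement with the proxy logs they already have. The Python below is an added example for this article, not a GTIG tool or a recommended product; it assumes a constructed JSON-lines proxy log with `ts`, `src`, `dst` and `body` fields, a hypothetical allowlist of hosts whose Web3 traffic is expected, and it flags contract-read methods (`eth_call`, `eth_getStorageAt`, `eth_getCode`) issued by any other host, since those reads are the step at which an EtherHiding downloader fetches its next stage. Hostnames and addresses in the sample are constructed placeholders.

```python
import json
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Hypothetical allowlist (constructed): hosts whose Web3 traffic is business-critical,
# e.g. a build server for the company's own dApp.
ALLOWED_SOURCES = {"dapp-build-01.corp.example"}

# JSON-RPC methods that read contract code or state. A workstation with no Web3
# business need issuing these to a public node is worth a look.
WATCHED_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    method: str
    contract: str  # contract address the call targets, if present in params


def jsonrpc_methods(body: str) -> Iterator[Tuple[str, list]]:
    """Yield (method, params) for a single or batch JSON-RPC request body.
    Bodies that are not JSON, or not JSON-RPC shaped, yield nothing."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return
    requests = doc if isinstance(doc, list) else [doc]
    for req in requests:
        if isinstance(req, dict) and isinstance(req.get("method"), str):
            params = req.get("params")
            yield req["method"], params if isinstance(params, list) else []


def target_contract(method: str, params: list) -> str:
    """eth_call takes a tx object with `to`; eth_getStorageAt/eth_getCode take the address first."""
    if not params:
        return ""
    if method == "eth_call" and isinstance(params[0], dict):
        return str(params[0].get("to", ""))
    if isinstance(params[0], str):
        return params[0]
    return ""


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per watched JSON-RPC call from a non-allowlisted source."""
    findings: List[Finding] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line: skip rather than abort the whole scan
        if not isinstance(rec, dict) or rec.get("src") in ALLOWED_SOURCES:
            continue
        for method, params in jsonrpc_methods(str(rec.get("body", ""))):
            if method in WATCHED_METHODS:
                findings.append(Finding(
                    ts=str(rec.get("ts", "")), src=str(rec.get("src", "")),
                    dst=str(rec.get("dst", "")), method=method,
                    contract=target_contract(method, params),
                ))
    return findings


# Constructed sample log: a JSON object per line, as a proxy might emit.
SAMPLE_CONTRACT = "0x" + "ab" * 20  # constructed placeholder address
SAMPLE_LOG = [
    json.dumps({"ts": "2025-10-16T09:00:01Z", "src": "dapp-build-01.corp.example",
                "dst": "rpc.public-node.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": SAMPLE_CONTRACT, "data": "0x"}, "latest"]})}),
    json.dumps({"ts": "2025-10-16T09:00:05Z", "src": "ws-dev-17.corp.example",
                "dst": "rpc.public-node.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})}),
    json.dumps({"ts": "2025-10-16T09:00:06Z", "src": "ws-dev-17.corp.example",
                "dst": "rpc.public-node.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_call",
                                    "params": [{"to": SAMPLE_CONTRACT, "data": "0x"}, "latest"]})}),
    json.dumps({"ts": "2025-10-16T09:00:09Z", "src": "ws-dev-17.corp.example",
                "dst": "bsc-rpc.public-node.example",
                "body": json.dumps([{"jsonrpc": "2.0", "id": 4, "method": "eth_chainId", "params": []},
                                    {"jsonrpc": "2.0", "id": 5, "method": "eth_getStorageAt",
                                     "params": [SAMPLE_CONTRACT, "0x0", "latest"]}])}),
    "this line is not JSON at all",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} {f.method} contract={f.contract}")
```

The allowlist is what keeps this usable: in a shop where developers legitimately work with dApp frameworks, the interesting signal is not Web3 traffic as such but contract reads from hosts that have no reason to make them, and the flagged contract address is the pivot for asking a blockchain provider about it, as the last measure above suggests.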

Attacks like EtherHiding clearly demonstrate how attackers are moving away from traditional vulnerabilities and instead exploit the very foundation of the decentralized economy – blockchain technology – as a new tool for cybercrime.
