
Hackers’ “bullet-proof” hosts deliver malware from blockchains

Last updated: October 17, 2025 2:55 am
Published: 6 months ago

Hacking groups — at least one of which works on behalf of the North Korean government — have found a new and inexpensive way to distribute malware from “bullet-proof” hosts: stashing it on public cryptocurrency blockchains.

In a Thursday post, members of the Google Threat Intelligence Group said the technique provides the hackers with their own “bullet-proof” host, a term that describes cloud platforms that are largely immune from takedowns by law enforcement and pressure from security researchers. More traditionally, these hosts are located in countries without treaties agreeing to enforce criminal laws from the US and other nations. These services often charge hefty sums and cater to criminals spreading malware or peddling child sexual abuse material and wares sold in crime-based flea markets.

Next-gen, DIY hosting that can’t be tampered with

Since February, Google researchers have observed two groups turning to a newer technique to infect targets with credential stealers and other forms of malware. The method, known as EtherHiding, embeds the malware in smart contracts, which are essentially apps that reside on blockchains for Ethereum and other cryptocurrencies. Two or more parties then enter into an agreement spelled out in the contract. When certain conditions are met, the apps enforce the contract terms in a way that, at least theoretically, is immutable and independent of any central authority.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google researchers Blas Kojusner, Robert Wallace, and Joseph Dobson wrote. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”

There’s a wide array of advantages to EtherHiding over more traditional means of delivering malware, which besides bullet-proof hosting include leveraging compromised servers.

Creating or modifying smart contracts typically costs less than $2 per transaction, a huge savings in terms of funds and labor over more traditional methods for delivering malware.

Layered on top of the EtherHiding Google observed was a social-engineering campaign that used recruiting for fake jobs to lure targets, many of whom were developers of cryptocurrency apps or other online services. During the screening process, candidates must perform a test demonstrating their coding or code-review skills. The files required to complete the tests are embedded with malicious code.

The infection process relies on a chain of malware that gets installed in stages. Later stages that are responsible for executing the final payloads are then installed through smart contracts the hackers store on the Ethereum and the BNB Smart Chain blockchains, which accept uploads from anyone.

One of the groups Google observed, a North Korean-backed team tracked as UNC5342, uses earlier-stage malware tracked as JadeSnow to retrieve later-stage malware from both the BNB and Ethereum blockchains. The Google researchers observed:

“It is unusual to see a threat actor make use of multiple blockchains for EtherHiding activity; this may indicate operational compartmentalization between teams of North Korean cyber operators. Lastly, campaigns frequently leverage EtherHiding’s flexible nature to update the infection chain and shift payload delivery locations. In one transaction, the JADESNOW downloader can switch from fetching a payload on Ethereum to fetching it on the BNB Smart Chain. This switch not only complicates analysis but also leverages lower transaction fees offered by alternate networks.”

The researchers said they also observed another group, the financially motivated UNC5142, employing EtherHiding.
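For defenders, the retrieval stage described above is observable on the network. The following hunt is an added example, not code from Google's report or this article: it scans egress records for read-only Ethereum JSON-RPC requests made by unexpected processes and ranks hosts that read from more than one chain. It assumes the downloader uses the standard JSON-RPC interface, which the article does not spell out; the endpoint hostnames, process names, log format and log lines are all constructed.

```python
import json
from collections import defaultdict

# Hypothetical RPC hostnames -> chain; replace with providers seen in your egress logs.
RPC_ENDPOINTS = {"rpc.ethereum.example": "ethereum", "rpc.bnbchain.example": "bnb-smart-chain"}
# Standard read-only Ethereum JSON-RPC methods that return contract or transaction data.
READ_METHODS = {"eth_call", "eth_getTransactionByHash", "eth_getStorageAt"}
# Processes expected to talk to chain RPC on this fleet (assumption; tune per environment).
EXPECTED_PROCESSES = {"wallet-desktop"}

# Constructed proxy/EDR records, one JSON object per line (addresses are placeholders).
SAMPLE_LOG = """\
{"host":"dev-ws-01","process":"node","dest":"rpc.ethereum.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER"},"latest"],"id":1}}
{"host":"dev-ws-01","process":"node","dest":"rpc.bnbchain.example","body":[{"jsonrpc":"2.0","method":"eth_chainId","id":1},{"jsonrpc":"2.0","method":"eth_call","id":2}]}
{"host":"dev-ws-02","process":"wallet-desktop","dest":"rpc.ethereum.example","body":{"jsonrpc":"2.0","method":"eth_call","id":7}}
{"host":"dev-ws-03","process":"python","dest":"rpc.bnbchain.example","body":{"jsonrpc":"2.0","method":"eth_blockNumber","id":1}}
{"host":"dev-ws-05","process":"node","dest":"rpc.eth
{"host":"dev-ws-04","process":"node","dest":"rpc.bnbchain.example","body":{"jsonrpc":"2.0","method":"eth_getTransactionByHash","params":["0xTXHASH_PLACEHOLDER"],"id":1}}
"""

def rpc_methods(body):
    """Return the JSON-RPC method names in a request body (single call or batch)."""
    calls = body if isinstance(body, list) else [body]
    return {c.get("method") for c in calls if isinstance(c, dict)}

def hunt(log_text):
    """Map (host, process) -> chains read by processes not expected to use chain RPC."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        chain = RPC_ENDPOINTS.get(rec.get("dest"))
        if chain is None or rec.get("process") in EXPECTED_PROCESSES:
            continue
        if rpc_methods(rec.get("body")) & READ_METHODS:
            seen[(rec.get("host"), rec.get("process"))].add(chain)
    return dict(seen)

def findings(log_text):
    """Rank hits: reads from two or more chains match the chain switching quoted above."""
    return sorted(("high" if len(chains) > 1 else "medium", host, proc, sorted(chains))
                  for (host, proc), chains in hunt(log_text).items())
```

On the constructed log, `findings(SAMPLE_LOG)` ranks `dev-ws-01` as high because its `node` process read from both chains, and `dev-ws-04` as medium.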

North Korea’s hacking prowess was once considered low caliber. Over the past decade, the country has mounted a series of high-profile attack campaigns that demonstrate growing skill, focus, and resources. Two weeks ago, blockchain analysis firm Elliptic said the nation has stolen cryptocurrency valued at more than $2 billion so far in 2025.

This news is powered by Ars Technica.
