North Korean APT UNC5342 weaponizes EtherHiding to deliver malware via smart contracts

CyberSecureFox 🦊

Google’s Threat Intelligence Group (GTIG) has linked North Korean threat actor UNC5342 to a new wave of attacks that, since February 2025, employ EtherHiding—a technique that stores and serves malicious code from public blockchain smart contracts. The campaign, dubbed Contagious Interview, combines fake developer job tests, multi-chain payload hosting on Ethereum and BNB Smart Chain, and a JavaScript malware toolset designed to steal crypto assets and credentials. GTIG notes this is the first observed use of EtherHiding by a state-aligned actor.

EtherHiding explained: smart contracts as covert malware delivery

Originally documented by Guardio Labs in 2023, EtherHiding embeds payloads in smart contracts, enabling adversaries to fetch code on demand using read-only operations (for example, Ethereum’s eth_call). Because these calls do not alter blockchain state, they leave no on-chain transaction record, denying defenders standard telemetry and takedown paths. This approach provides infrastructure resilience, anonymity, and rapid payload rotation without conventional command-and-control servers.

Tactics and infection chain: from fake hiring to in-memory execution

Initial access via developer hiring scams and “test tasks”

UNC5342 impersonates software and web development recruiters under fronts such as BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. Targets are persuaded to run a “technical assignment” that conceals a JavaScript-based loader. This social engineering exploits common hiring workflows and the routine use of third-party scripts during skills assessments.

Payload delivery using JADESNOW and InvisibleFerret

The threat actor hosts a loader referred to as JADESNOW within a smart contract, which retrieves a third-stage JavaScript variant of the InvisibleFerret malware for persistent espionage. The payload executes in memory, can dynamically fetch a credential-theft module, and exfiltrates files to attacker-controlled servers or Telegram. GTIG observed chain hopping between Ethereum and BNB Smart Chain to complicate blocking and analysis.

Smart contract telemetry reviewed by GTIG indicates the payload container was updated more than 20 times in the first four months of activity, with an average gas fee of about $1.37 per update. Because each update is cheap and simple to make, the adversary can rotate its configuration quickly and at scale.

Targeting and impact: credentials, wallets, and source code

The credential-theft component focuses on passwords, payment data, and crypto wallets, including browser extensions such as MetaMask and Phantom, as well as data stored in Chrome and Edge. For organizations, risks include compromise of corporate accounts, leakage of proprietary source code, and direct financial loss through theft of crypto assets—especially for teams with access to blockchain infrastructure, DevOps, or CI/CD systems.

Why blockchain-hosted C2 challenges defenders

Public blockchains function as a form of “bulletproof” hosting: authorities cannot seize or deplatform a smart contract, and domain/IP-based blocking is largely ineffective. Read-only calls reduce observable traces, while multi-chain strategies blunt simple blocklists. As a result, detection must pivot toward host-based behavioral analytics, script execution monitoring, and egress control to disrupt data exfiltration channels.

Mitigations for developers, SOC teams, and HR

For candidates and engineering teams

Run any test assignment in isolated environments (VMs/containers) without access to corporate accounts or wallets. Remove or disable crypto wallet extensions from browsers used for tests. Submit provided archives and scripts to sandboxes and static analyzers before execution.

For SOC and Blue Teams

Enforce EDR/NGAV policies tuned for scripted behavior (JavaScript/WScript/Node.js). Monitor traffic to public Ethereum/BNB RPC endpoints—including eth_call and contract state reads—from corporate browsers and development tools. Implement egress filtering and DLP to block exfiltration paths (including Telegram APIs). Segment developer accounts and apply least privilege.
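One way to implement the RPC monitoring described above, as an added example that is not part of the original article or of any GTIG tooling: it scans egress-proxy events for read-only contract calls to public Ethereum/BNB RPC endpoints, adds weight when the caller is a script interpreter, and checks whether the hex returned by eth_call decodes to script-like text. The endpoint hostnames, process list, extra method names and sample events are assumptions constructed for the example.

```python
import json
import re
# Read-only JSON-RPC methods that fetch contract code/state without a transaction. eth_call is
# named in the article; eth_getCode/eth_getStorageAt are standard methods assumed usable likewise.
STATE_READ_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}
# Script interpreters that normally have no reason to talk to a blockchain RPC node.
SCRIPT_HOSTS = {"node", "node.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Public Ethereum/BNB RPC hostnames to watch (constructed placeholders, not real endpoints).
PUBLIC_RPC_HOSTS = {"eth-rpc.example", "bsc-rpc.example"}

def rpc_methods(body: str) -> list:
    """Return the method names in a JSON-RPC request body (single call or batch)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    calls = doc if isinstance(doc, list) else [doc]
    return [c.get("method", "") for c in calls if isinstance(c, dict)]

def looks_like_script(hex_result: str) -> bool:
    """Heuristic: does a hex eth_call result decode to script-like text?"""
    try:
        raw = bytes.fromhex(hex_result.removeprefix("0x"))
    except ValueError:
        return False
    return re.search(r"\b(eval|Function|require|fetch)\s*\(", raw.decode("utf-8", errors="ignore")) is not None

def detect(events: list) -> list:
    """Flag proxy events matching the EtherHiding retrieval pattern as (host, process, reasons)."""
    findings = []
    for ev in events:
        methods = [m for m in rpc_methods(ev["body"]) if m in STATE_READ_METHODS]
        if not methods or ev["dst"] not in PUBLIC_RPC_HOSTS:
            continue
        reasons = [f"state read {','.join(methods)} to public RPC {ev['dst']}"]
        if ev["process"].lower() in SCRIPT_HOSTS:
            reasons.append(f"issued by script host {ev['process']}")
        if looks_like_script(ev.get("result", "")):
            reasons.append("eth_call result decodes to script-like text")
        findings.append((ev["host"], ev["process"], reasons))
    return findings

# Constructed sample events as an egress proxy might log them (request body + hex response result).
SAMPLE_EVENTS = [
    {"host": "dev-ws-07", "process": "node.exe", "dst": "bsc-rpc.example",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x00"},"latest"]}',
     "result": "0x" + b"eval(payload)".hex()},
    {"host": "fin-ws-02", "process": "chrome.exe", "dst": "eth-rpc.example",
     "body": '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}', "result": "0x1234"},
]
```

Legitimate wallet extensions also issue eth_call, so the script-host and response-content signals are what separate a loader from ordinary MetaMask traffic; tune PUBLIC_RPC_HOSTS to the endpoints your proxy actually observes.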

For HR and hiring managers

Standardize how coding tests are delivered and reviewed. Prefer internally hosted templates over third-party code and scan all external materials through secure gateways and sandboxes before sharing with candidates.

As UNC5342 operationalizes EtherHiding, defenders should expect broader adoption of smart contract–based delivery by advanced actors. Strengthening code hygiene, isolating evaluation environments, and prioritizing behavioral detection—especially for JavaScript activity and anomalous blockchain RPC access—will materially reduce the risk of account compromise and crypto theft.
