Creating or modifying smart contracts typically costs less than $2 per transaction, an enormous savings in funds and labor over more traditional methods for delivering malware.
Layered on top of the EtherHiding Google observed was a social-engineering campaign that used recruiting for fake jobs to lure targets, many of whom were developers of cryptocurrency apps or other online services. During the screening process, candidates must perform a test demonstrating their coding or code-review skills. The files required to complete the tests are embedded with malicious code.
Illustration of UNC5342 EtherHiding flow.
The infection process relies on a chain of malware that gets installed in stages. Later stages responsible for executing the final payloads are then installed through smart contracts that the hackers store on the Ethereum and the BNB Smart Chain blockchains, which accept uploads from anyone.
One of the groups Google observed, a North Korean-backed team tracked as UNC5342, uses earlier-stage malware tracked as JadeSnow to retrieve later-stage malware from both the BNB and Ethereum blockchains. The Google researchers observed:
It’s unusual to see a threat actor make use of multiple blockchains for EtherHiding activity; this will likely indicate operational compartmentalization between teams of North Korean cyber operators. Lastly, campaigns ceaselessly leverage EtherHiding’s flexible nature to update the infection chain and shift payload delivery locations. In a single transaction, the JADESNOW downloader can switch from fetching a payload on Ethereum to fetching it on the BNB Smart Chain. This switch not only complicates evaluation but also leverages lower transaction fees offered by alternate networks.
The researchers said they also observed another group, the financially motivated UNC5142, employing EtherHiding.
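A defender-side hunt for the retrieval behaviour described above, as an added example that is not from the article or from Google's report. It assumes egress telemetry that records the calling process and the JSON-RPC method; the hostnames, process names, field names and log lines are constructed placeholders.

```python
import json
from collections import defaultdict

# Assumption: defender-maintained map of blockchain RPC endpoints to chains.
# Hostnames are placeholders, not real endpoints.
RPC_HOSTS = {"eth-rpc.example": "ethereum", "bsc-rpc.example": "bnb-smart-chain"}
# Assumption: processes expected to talk to blockchain RPC on this fleet.
ALLOWED_PROCESSES = {"wallet-desktop"}

# Constructed sample egress records (JSON lines), not real telemetry.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:01Z","host":"dev-ws-07","process":"node","dest":"eth-rpc.example","rpc_method":"eth_call"}
{"ts":"2025-10-01T09:00:03Z","host":"dev-ws-07","process":"node","dest":"bsc-rpc.example","rpc_method":"eth_call"}
{"ts":"2025-10-01T09:05:00Z","host":"fin-ws-02","process":"wallet-desktop","dest":"eth-rpc.example","rpc_method":"eth_call"}
{"ts":"2025-10-01T09:06:00Z","host":"dev-ws-11","process":"python","dest":"bsc-rpc.example","rpc_method":"eth_call"}
{"ts":"2025-10-01T09:07:00Z","host":"dev-ws-11","process":"python","dest":"pkg-mirror.example","rpc_method":null}
not-json garbage line
"""

def find_contract_readers(log_text, rpc_hosts=RPC_HOSTS, allowed=ALLOWED_PROCESSES):
    """Return {(host, process): sorted chains} for unexpected processes reading contract state."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the hunt
        if not isinstance(rec, dict):
            continue
        chain = rpc_hosts.get(rec.get("dest"))
        # eth_call is the read-only JSON-RPC method; it creates no on-chain transaction.
        if chain and rec.get("rpc_method") == "eth_call" and rec.get("process") not in allowed:
            seen[(rec.get("host"), rec.get("process"))].add(chain)
    return {key: sorted(chains) for key, chains in seen.items()}

def triage(findings):
    """Rank findings: reads on more than one chain match the chain switching quoted above."""
    return sorted(
        ({"host": h, "process": p, "chains": c,
          "severity": "high" if len(c) > 1 else "medium"}
         for (h, p), c in findings.items()),
        key=lambda f: (f["severity"] != "high", f["host"]),
    )

if __name__ == "__main__":
    for finding in triage(find_contract_readers(SAMPLE_LOG)):
        print(finding)
```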
North Korea’s hacking prowess was once considered low caliber. Over the past decade, the country has mounted a series of high-profile attack campaigns that reveal growing skill, focus, and resources. Two weeks ago, blockchain analysis firm Elliptic said the nation has stolen cryptocurrency valued at more than $2 billion so far in 2025.