Malware Moves to the Blockchain: Introducing the EtherHiding Technique

Google Threat Intelligence researchers have identified a concerning evolution in the threat landscape: hacker groups linked to nation-states (including the North Korean group UNC5342) are using public cryptocurrency blockchains like Ethereum and BNB Smart Chain to host and distribute malware.

This technique, dubbed EtherHiding, represents the “next-generation of bulletproof hosting,” offering attackers cheap and impossible-to-remove infrastructure.

What Makes the Blockchain “Bulletproof”?

Traditionally, bulletproof hosting was located in countries without extradition treaties. EtherHiding leverages the fundamental properties of blockchain technology to achieve the same goal:

  1. Immunity to Takedown: The decentralization of the blockchain and the immutability of smart contracts (small code applications residing on the chain) prevent any authority or security company from deleting or altering the hosted malware.
  2. Anonymity and Low Cost: Transactions on these blockchains are anonymous, protecting the attackers’ identities. Furthermore, creating or modifying these contracts costs less than $2 per transaction, a huge saving compared to traditional methods.
  3. Operational Stealth: Retrieving malware from smart contracts leaves no trace in the infected servers’ event logs.

The Infection Chain and Social Engineering

Since February, Google researchers have observed two groups using EtherHiding to infect developers of online services and cryptocurrency applications.

The attack process often begins with a social engineering campaign that simulates a fake job recruitment process. Candidates are asked to perform a “code or review test” using files embedded with malicious code.

The infection process is carried out in several stages:

  1. Early-Stage Malware: An initial-stage malware (such as JadeSnow, used by the North Korean group UNC5342) is installed.
  2. Secure Retrieval: JadeSnow is responsible for retrieving the final-stage malware directly from the smart contracts hosted on Ethereum or the BNB Smart Chain.
  3. Update Flexibility: This technique allows attackers to dynamically update their malicious payloads. Researchers observed North Korean operators switching the payload location between the BNB chain and Ethereum, complicating forensic analysis.
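The payload retrieval in step 2 is a read-only contract call, which on both Ethereum and BNB Smart Chain (EVM-compatible) is the same JSON-RPC method, `eth_call`, sent to a public node; it creates no on-chain transaction, which is why the retrieval is so quiet. As an added example (not code from the article or from Google's researchers), the following script flags hosts that make `eth_call` requests without a business reason to talk to blockchain RPC endpoints. The log format, the sample lines, the RPC host names and the allow-list are all constructed assumptions; because it keys on the RPC method rather than the chain, the same check still fires after the operators move the payload between chains.

```python
import json
import re

# Constructed egress-proxy log lines for this example (not from the article).
# Assumed format: "<time> <src_host> <http_method> <url> body=<raw_body>"
SAMPLE_LOGS = [
    '2025-10-01T10:00:01Z build-agent-7 POST https://bsc-rpc.example/ body={"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xabc","data":"0x1234"},"latest"]}',
    '2025-10-01T10:00:02Z dev-laptop-3 POST https://eth-rpc.example/ body={"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    '2025-10-01T10:00:03Z web-01 GET https://www.example.com/index.html body=',
    '2025-10-01T10:00:04Z build-agent-7 POST https://eth-rpc.example/ body={"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0xdef","data":"0x5678"},"latest"]}',
    '2025-10-01T10:00:05Z dev-laptop-3 POST https://eth-rpc.example/ body={"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0x111","data":"0x"},"latest"]}',
]

# Hosts with a legitimate need for blockchain RPC access (assumption for this example).
ALLOWED_RPC_HOSTS = {"dev-laptop-3"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) body=(.*)$")


def parse_line(line):
    """Split one proxy log line; decode the body as JSON-RPC when possible."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, body = m.groups()
    rpc = None
    if body:
        try:
            rpc = json.loads(body)
        except json.JSONDecodeError:
            rpc = None  # non-JSON body: not an RPC request
    return {"ts": ts, "src": src, "method": method, "url": url, "rpc": rpc}


def is_contract_read(rec):
    """True when the request is a JSON-RPC eth_call (a read of smart contract state)."""
    rpc = rec["rpc"]
    return isinstance(rpc, dict) and rpc.get("jsonrpc") == "2.0" and rpc.get("method") == "eth_call"


def find_suspicious(lines):
    """Return eth_call requests from hosts that are not on the RPC allow-list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_contract_read(rec) and rec["src"] not in ALLOWED_RPC_HOSTS:
            params = rec["rpc"].get("params") or [{}]
            target = params[0].get("to") if isinstance(params[0], dict) else None
            findings.append({"ts": rec["ts"], "src": rec["src"], "url": rec["url"], "contract": target})
    return findings
```

Feeding real proxy or EDR network logs through `find_suspicious` gives a list of (host, RPC endpoint, contract address) triples to triage; the contract address is the pivot for checking whether other hosts read the same contract.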

This technique underscores how cybercriminals are rapidly adapting to exploit the inherent capabilities of new technologies, forcing security defenses to evolve toward dynamic threat analysis solutions.

The original article detailing the EtherHiding technique can be consulted at Ars Technica: Nation-state hackers deliver malware from “bulletproof” blockchains.