AI News: EtherHiding
Think before following on-screen prompts and keep websites up-to-date
Oct 16, 2025: Google Threat Intelligence | DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
Social Engineering: “deceptive overlays, like fake browser update prompts, to manipulate users into executing malicious code”
Oct 16, 2025: Google Threat Intelligence Group | New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
Website Danger: “indiscriminately target vulnerable WordPress sites, leading to widespread and opportunistic campaigns”
Thanks
Thanks to Alex Chompff for flagging.
Prompt
[
{
"text": "EtherHiding Ledger",
"token_ids": [5100, 5101],
"explanation": "The core technique: Malicious code (JavaScript payload) is **embedded directly within a smart contract** on a public, decentralized blockchain (BNB Smart Chain / Ethereum)."
},
{
"text": "Blockchain C2 Grid",
"token_ids": [5110, 5111],
"explanation": "The smart contract's function: A **decentralized, resilient Command-and-Control (C2) server** that cannot be taken down by conventional means, leveraging the blockchain's immutability."
},
{
"text": "Stealth Read-Only Fetch",
"token_ids": [5120, 5121],
"explanation": "The retrieval mechanism: Using a **read-only function call** (e.g., eth_call) to fetch the payload without creating an on-chain transaction history or requiring gas fees, maximizing stealth."
},
{
"text": "Payload: JADESNOW",
"token_ids": [5130, 5131],
"explanation": "The DPRK-linked downloader malware (UNC5342) that queries the blockchain to fetch the next-stage payload, often an **encrypted JavaScript** component."
},
{
"text": "Target: INVISIBLEFERRET",
"token_ids": [5140, 5141],
"explanation": "The persistent backdoor and credential stealer (Python-based) deployed by JADESNOW, focused on high-value targets for **espionage** and **cryptocurrency theft**."
},
{
"text": "Attack Vector: Social Engineering",
"token_ids": [5150, 5151],
"explanation": "The initial compromise method: **Fake job interviews** (UNC5342) and deceptive **fake browser update prompts** (UNC5142/CLEARFAKE) used to trick the user into executing the initial loader script."
},
{
"text": "Resilience Metric",
"token_ids": [5160],
"explanation": "The primary threat advantage: The code remains accessible as long as the blockchain is operational, creating a **next-generation bulletproof hosting** environment."
}
]
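The "Stealth Read-Only Fetch" entry above is the detectable part of EtherHiding from a defender's side: a web page's script issues an eth_call and the contract hands back an ABI-encoded string that is really JavaScript. The following added example (not from the Google reports or any project code) decodes the `result` of a captured JSON-RPC eth_call response and flags it when the returned string looks like script rather than ordinary contract data; the sample response and the marker list are constructed assumptions for illustration.

```python
import json
import re
from typing import Optional

# Constructed sample payload string (harmless placeholder, not a real payload).
SAMPLE_SCRIPT = "(function(){ /* constructed sample */ })()"

# Words that rarely occur in legitimate contract string returns (token names,
# symbols, URIs) but are typical of script. Assumed heuristic list.
SCRIPT_MARKERS = re.compile(r"\b(function|eval|atob|document|window|fetch)\b|<script", re.I)


def abi_encode_string(s: str) -> str:
    """ABI-encode a Solidity `string` return: offset, length, padded data."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode an ABI-encoded `string` return; None if it is not one."""
    try:
        raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    except ValueError:
        return None
    if len(raw) < 64:                      # e.g. a bare uint256/address return
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    return raw[start:start + length].decode("utf-8", errors="replace")


def is_etherhiding_like(rpc_response_json: str) -> bool:
    """True when an eth_call response carries a string that looks like script."""
    result = json.loads(rpc_response_json).get("result")
    if not isinstance(result, str):
        return False
    text = abi_decode_string(result)
    return text is not None and bool(SCRIPT_MARKERS.search(text))


def sample_response(payload: str) -> str:
    """Build a constructed JSON-RPC eth_call response for testing."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(payload)})
```

In a proxy or EDR pipeline the same check runs over every eth_call response a browser receives from a public RPC endpoint; ordinary contract reads (balances, token names) pass through untouched.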