lazarusholic

DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

2025-10-16, Google
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding
#EtherHiding #JADESNOW #UNC5342

Contents

Written by: Blas Kojusner, Robert Wallace, Joseph Dobson
Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions on public blockchains to store and retrieve malicious payloads—notable for its resilience against conventional takedown and blocklisting efforts. Read about the UNC5142 campaign leveraging EtherHiding to distribute malware.
Since February 2025, GTIG has tracked UNC5342 incorporating EtherHiding into an ongoing social engineering campaign, dubbed Contagious Interview by Palo Alto Networks. In this campaign, the actor uses JADESNOW malware to deploy a JavaScript variant of INVISIBLEFERRET, which has led to numerous cryptocurrency …

IoC

c2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f
86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a
8eac3198dd72f3e07108c4c7cff43108ad48a71c
f9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41
5c77567fcf00c317b8156df8e00838105f16fdd4fbbc6cd83d624225397d8856
9bc1355344b54dedf3e44296916ed15653844509
rule G_Downloader_JADESNOW_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "global['_V']"
        $s2 = "global['r']"
        $s3 = "umP"
        $s4 = "mergeConfig"
        $s5 = "charAt" nocase
    condition:
        // Not a PE file (no "MZ" header), small script-sized file,
        // "umP" occurs more than twice, "charAt" exactly once, all strings present
        uint16(0) != 0x5A4D and filesize < 10KB and #s3 > 2 and #s5 == 1 and all of them
}