Google catches North Koreans red-handed

Published: 20 October 2025
Hacker in hoodie sitting with North Korea flag in background
Image by Cybernews

Cybersecurity experts at Google say that, for the first time, they've caught a nation-state-backed threat actor using the EtherHiding technique to infect devices with crypto-stealing malware.

According to Google Threat Intelligence Group (GTIG), the North Korea (DPRK) threat actor UNC5342 is behind the campaign. EtherHiding uses transactions on public blockchains like Ethereum (ETH) and BNB Chain (BNB) to store and retrieve malicious payloads, which are known for their resilience against conventional takedown and blocklisting efforts.

GTIG found that, after the initial compromise via various social-engineering techniques, such as fake job interviews and crypto games, the attacker injects JavaScript code, known as a "loader," into the compromised website. Next, once the victim visits the website, the malicious script helps retrieve the main malicious payload stored on a remote server, which is then executed on the victim's computer.

ADVERTISEMENT
jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

"This can lead to various malicious activities, such as displaying fake login pages, installing information-stealing malware, or deploying ransomware," the researchers said.

According to them, this campaign targets developers to steal sensitive data, crypto assets, and access to corporate networks.

Meanwhile, EtherHiding helps the attackers because its code can't be taken down by law enforcement or cybersecurity firms, since it's stored on a public and decentralized blockchain.

"The malicious code remains accessible as long as the blockchain itself is operational," GTIG emphasized.

Moreover, this technique helps the attackers stay anonymous while the malicious payload is retrieved using read-only calls that leave no visible transaction history on the blockchain. The payload can also be updated anytime, allowing the criminals to change their attack methods.

"In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends," the researchers concluded, recommending the use of techniques that block malicious downloads, automation and management of browser updates, and control of web access and scripts.

ADVERTISEMENT

Unlock exclusive Cybernews content on YouTube

Share
Post
Share
Share
Share
More from Cybernews
DuckDuckGo AI hallucinates Trump's death after AI data poisoning campaign
Peppa Pig AI contract sparks fears over child actors signing away their voices
Microsoft increases Xbox prices again: “Never thought I'd see the day video games become an investment”
UK hospital reports itself after 40 staff accessed crocodile attack victim’s records
Microsoft extends Windows 10 update program as users refuse to upgrade
Australia tightens teen social media ban amid Reddit reports of easy bypassing
ADVERTISEMENT