EtherHiding emerges as a malware delivery mechanism!

Google Threat Intelligence is reporting that the North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.

EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers, often those working in the cryptocurrency or tech industries, into downloading malware disguised as job-related files or coding challenges.

Once a target opens the file, a malicious script connects to a public blockchain such as BNB Smart Chain or Ethereum to retrieve encrypted code from a smart contract. That code installs the JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain

#NorthKorea|n #hackers, tracked as #UNC5342, are using the #EtherHiding technique to hide #malware on the #blockchain. This technique, first described by Guardio Labs, allows the threat actor to host #maliciousscripts within #smartcontracts on the Binance Smart Chain or Ethereum, making it difficult to track and disrupt campaigns. https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-etherhiding-to-hide-malware-on-the-blockchain/?eicker.news #tech #media #news
North Korean hackers use EtherHiding to hide malware on the blockchain

North Korean hackers were observed employing the 'EtherHiding' tactic to deliver malware, steal cryptocurrency, and perform espionage with stealth and resilience.

BleepingComputer
"M-Trends 2025: Data, Insights, and Recommendations From the Frontlines" published by Mandiant. #ITWorker, #Trend, #UNC1069, #UNC3782, #UNC4736, #UNC4899, #UNC5342, #DPRK, #CTI https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/?hl=en
M-Trends 2025: Data, Insights, and Recommendations From the Frontlines | Google Cloud Blog

We share data, insights and recommendations from the incident response frontlines in the latest edition of our annual report.

Google Cloud Blog
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
#UNC5342 #BeaverTail #Tropidoor
https://asec.ahnlab.com/en/87299/
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails - ASEC

On November 29, 2024, a case was disclosed in which threat actors impersonated a recruitment email from a developer community called Dev.to to distribute malware. [1] In this case, the attacker provided a BitBucket link containing a project, and the victim discovered malicious code within the project and disclosed it to the community. The project […]

ASEC
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
#UNC5342 #GolangGhost
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.

Sekoia.io Blog