EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

Pulse ID: 69ca1c1315c96fd0b4101d4c
Pulse Link: https://otx.alienvault.com/pulse/69ca1c1315c96fd0b4101d4c
Pulse Author: Tr1sa111
Created: 2026-03-30 06:45:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CDN #CyberSecurity #EtherHiding #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details.

Pulse ID: 69c5a04382b357bdc81343b4
Pulse Link: https://otx.alienvault.com/pulse/69c5a04382b357bdc81343b4
Pulse Author: AlienVault
Created: 2026-03-26 21:08:19


#BackDoor #CDN #CyberSecurity #ELF #EtherHiding #InfoSec #Korea #Malware #Microsoft #MicrosoftTeams #Nodejs #NorthKorea #OTX #OpenThreatExchange #RAT #bot #AlienVault

A novel method, dubbed "#EtherHiding", turns the #Ethereum #cryptocurrency #blockchain into an offensive arsenal. #Google's #cybersecurity #researchers are sounding the #alarm about this #technological escalation www.futura-sciences.com/tech/actuali...

The blockchain is no longer safe: this North Korean hack is cause for concern

Cybercriminals working for North Korea have developed a sophisticated technique for hiding their malicious programs: they now exploit the Ethereum blockchain as a digital safe haven. This novel method, dubbed "EtherHiding", turns the decentralized infrastructure of cryptocurrencies into an offensive arsenal. Cybersecurity researchers are sounding the alarm about this technological escalation.

Futura
📢 Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts
📝 Source and context: Expel (blog, Marcus Hutchins, 20 Jan.
📖 cyberveille: https://cyberveille.ch/posts/2026-01-22-expel-decrit-une-evolution-de-clearfake-clickfix-qui-heberge-ses-charges-via-des-smart-contracts/
🌐 source: https://expel.com/blog/clearfake-new-lotl-techniques/
#ClearFake #EtherHiding #Cyberveille
Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts

Source and context: Expel (blog, Marcus Hutchins, 20 Jan. 2026) publishes a technical analysis of the ClearFake/ClickFix malware campaign, which is active on hundreds of compromised sites and focused on defense evasion. • What ClearFake does: a malicious JavaScript framework injected into hacked sites, displaying a fake "ClickFix" CAPTCHA that prompts the user to press Win+R and then paste and run a command, triggering the infection. The JS chain is obfuscated and stages later payloads.

CyberVeille
#wordpress: There is a new hacking trick for smuggling in a malware launcher: EtherHiding. The attackers use smart contracts stored on a blockchain, which means the malicious code cannot be deleted. How exactly it works:
https://www.goneo.de/blog/2025/10/20/%f0%9f%9a%a8-achtung-deine-wordpress-seite-als-malware-launcher-dank-etherhiding/ #hacking #etherhiding

EtherHiding emerges as a malware delivery mechanism!

Google threat intelligence is reporting North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.

EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.

Once a target opens the file, a malicious script connects to a public blockchain like BNB Smart Chain or Ethereum to retrieve encrypted code from a smart contract. That code installs a JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain

North Korean state-sponsored hackers are embedding malware within public blockchains to steal cryptocurrency, a technique called "EtherHiding." Malicious JavaScript payloads are hidden inside smart contracts, making them effectively unremovable.
Read more: https://www.tomshardware.com/tech-industry/cyber-security/north-korea-hiding-malware-inside-blockchain-smart-contracts
#Cybersecurity #Malware #NorthKorea #Hacking #Blockchain #Crypto #Cryptocurrency #EtherHiding #SmartContracts #CyberAttack #TechNews
North Korean state-sponsored hackers slip unremovable malware inside blockchains to steal cryptocurrency — EtherHiding embeds malicious JavaScript payloads in smart contracts on public blockchains

Google reports DPRK group UNC5342 uses EtherHiding to deliver backdoors and steal crypto, marking the first nation-state use of a tactic designed for resistant attacks.

Tom's Hardware
North Korean #hackers, tracked as #UNC5342, are using the #EtherHiding technique to hide #malware on the #blockchain. This technique, first described by Guardio Labs, allows the threat actor to host #maliciousscripts within #smartcontracts on the Binance Smart Chain or Ethereum, making it difficult to track and disrupt campaigns. https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-etherhiding-to-hide-malware-on-the-blockchain/?eicker.news #tech #media #news
North Korean hackers use EtherHiding to hide malware on the blockchain

North Korean hackers were observed employing the 'EtherHiding' tactic to deliver malware, steal cryptocurrency, and perform espionage with stealth and resilience.

BleepingComputer

North Korean hackers are taking stealth to a new level: embedding malware into blockchain smart contracts and tricking devs with fake job interviews. Are we ready for a world where your next code review could be a trap?

https://thedefendopsdiaries.com/north-korean-hackers-leverage-etherhiding-malware-distribution-via-blockchain-smart-contracts/

#etherhiding
#northkoreanhackers
#blockchainsecurity
#malwaredistribution
#smartcontracts
#cyberthreats
#socialengineering
#infosec