North Korean hackers found hiding crypto-stealing malware with Blockchain

State-sponsored actors are using Ethereum and BNB to host malware

17 Oct 2025, 16:35 · TechRadar

News By Sead Fadilpašić published 17 October 2025

(Image credit: Shutterstock)

UNC5342 uses blockchain smart contracts to deliver crypto-stealing malware via EtherHiding
Fake jobs and coding challenges lure developers into triggering the JadeSnow loader and backdoor
Blockchain’s immutability makes malware hosting resilient

North Korean state-sponsored threat actors are now using public blockchains to host malicious code and deploy malware on target endpoints.

This is according to Google’s Threat Intelligence Group (GTIG), who said they observed UNC5342 using Ethereum and BNB to host droppers and ultimately deploy cryptocurrency-stealing malware against software and blockchain developers.

The technique is called EtherHiding. Instead of sending a malicious file directly to the victim (or otherwise tricking them into downloading it), they encode parts of the malware into blockchain transactions and smart contracts.

Evolution of bulletproof hosting

The smart contract itself doesn’t execute malware automatically on someone’s computer, but it can deliver instructions or code when a user interacts with it (when they click a link, run a script, or connect a crypto wallet).

The blockchain is a great place to store and distribute malware since it is public, immutable, and almost impossible to tamper.

“This represents a shift toward next-generation bulletproof hosting,” Google said, stressing that the blockchain’s resilient nature is what makes it so enticing for cybercrooks.

From February, UNC5342 was observed creating fake jobs and coding challenges, tricking developers and others working in the Web3 space to download different files. These files connect to the blockchain and retrieve the code which, in turn, installs the JadeSnow loader. This loader drops the InvisibleFerret backdoor, which was already observed used in cryptocurrency thefts.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors