
North Korean Hackers Employ Blockchain for Malware Operations Targeting Job Seekers

News Desk
Last updated: October 17, 2025 11:13 am
Published: October 17, 2025

A newly surfaced report indicates that the North Korean hacking group known as Famous Chollima is utilizing advanced blockchain technology to distribute malware, marking a significant evolution in cyber warfare tactics. This method, identified as “EtherHiding,” enables the group to embed malicious payloads within smart contracts, thereby obscuring their operations from traditional detection methods.

Cisco Talos and Google Threat Intelligence Group released findings showing that the attacks predominantly target job seekers, luring them through bogus interview processes. The attackers deploy sophisticated malware that is engineered to steal cryptocurrency and sensitive credentials. Central to these operations is a newly developed JavaScript module that combines two potent forms of malware, BeaverTail and OtterCookie. This malware is equipped with keylogging and screenshot functionalities, further enhancing its capabilities.

The malware spreads via a Node.js package available on the official NPM repository, disguised as a seemingly harmless chess application named “Chessfi.” Research indicates that the UNC5342 group has been embedding various malware forms, including JADESNOW malware and INVISIBLEFERRET backdoors, within smart contracts on prominent blockchains such as the BNB Smart Chain and Ethereum since February 2025.

This emergent tactic of EtherHiding enables attackers to exploit public blockchains as decentralized command-and-control infrastructure that is difficult for law enforcement to dismantle. By storing malicious payloads within smart contracts, these hackers create a resilient framework that can be updated dynamically without incurring significant transaction fees, thus evading typical monitoring mechanisms.

The revelation comes amid heightened scrutiny of North Korean cyber activities, with estimates suggesting the regime has siphoned over $1.3 billion through various cyber incidents throughout 2024 and an alarming $2.2 billion in just the first half of 2025. This stolen wealth is believed to be funneled into funding the country’s weapons programs via extensive money laundering networks.

EtherHiding specifically turns decentralized ledgers into durable hosting platforms for attackers. By embedding malicious JavaScript within smart contracts and retrieving it with read-only function calls, these cybercriminals avoid creating a visible record of the retrieval on the blockchain. The method facilitates anonymous transactions, allowing attackers to conceal their identities effectively.

Google Threat Intelligence noted the utilization of EtherHiding in the so-called “Contagious Interview” campaign, wherein fake recruiters impersonate renowned companies like Coinbase and Robinhood. As part of this scheme, potential victims are often encouraged to download malicious files during technical assessments, leading to multi-stage infections.

The JADESNOW downloader, once activated, utilizes API queries to the BNB Smart Chain to fetch payloads from a specific smart contract address. Analysis indicates this contract has undergone over 20 updates within a four-month span, with the average transaction costing approximately $1.37 in gas fees.

The on-chain transactions reveal Base64-encoded and XOR-encrypted messages that eventually decrypt into heavily obfuscated JavaScript payloads, indicating a complex and evolving strategy to pivot between different blockchain networks. The final payload from INVISIBLEFERRET.JAVASCRIPT aims to connect to command-and-control servers utilizing port 3306, capturing critical user information such as hostname, username, operating system, and current directory.
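For defenders, the behaviour described above (a Node.js process reading contract state over a blockchain API, then connecting out on port 3306) can be hunted in egress telemetry. The following is an added example, not code from the report or from this article; the event field names, the RPC hostnames, the internal address ranges and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: placeholder RPC hostnames and hypothetical event field names.
RPC_HOSTS = {"bsc-rpc.example", "eth-rpc.example"}
SCRIPT_RUNTIMES = {"node", "node.exe"}  # browsers/wallets call eth_call legitimately
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CALL = '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xPLACEHOLDER"},"latest"]}'
# Constructed egress events for the demonstration.
SAMPLE_EVENTS = [
    {"host": "dev-07", "proc": "node", "dst": "bsc-rpc.example", "port": 443, "body": CALL},
    {"host": "dev-07", "proc": "node", "dst": "203.0.113.10", "port": 3306, "body": ""},
    {"host": "dev-11", "proc": "chrome", "dst": "bsc-rpc.example", "port": 443, "body": CALL},
    {"host": "db-01", "proc": "node", "dst": "10.0.4.20", "port": 3306, "body": ""},
    {"host": "dev-12", "proc": "node", "dst": "eth-rpc.example", "port": 443, "body": "not json"},
]

def rpc_methods(body):
    """Return JSON-RPC method names in a request body (single call or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return set()
    calls = doc if isinstance(doc, list) else [doc]
    return {c["method"] for c in calls
            if isinstance(c, dict) and isinstance(c.get("method"), str)}

def is_external(dst):
    """True for an IP literal outside INTERNAL_NETS; hostnames return False."""
    try:
        ip = ip_address(dst)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def triage(events):
    """Map (host, proc) to the set of signals seen for that script runtime."""
    hits = defaultdict(set)
    for e in events:
        if e["proc"].lower() not in SCRIPT_RUNTIMES:
            continue
        key = (e["host"], e["proc"])
        if e["dst"] in RPC_HOSTS and "eth_call" in rpc_methods(e["body"]):
            hits[key].add("contract-read")   # read-only call, no on-chain record
        if e["port"] == 3306 and is_external(e["dst"]):
            hits[key].add("external-3306")   # MySQL port leaving the network
    return dict(hits)

def high_confidence(events):
    return sorted(k for k, v in triage(events).items() if len(v) == 2)
```

Either signal alone is noisy (developer tooling reads contracts, and internal applications reach databases on 3306), so only the combination on one host and process is returned by `high_confidence`.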

In a significant twist, North Korean operatives have been reported to establish legitimate U.S. corporations under fictitious identities to further enhance their credibility. One such front, Blocknovas, was registered to an abandoned lot in South Carolina, illustrating the lengths to which these hackers will go.

This trend of deception has been documented at least 25 times, involving North Korean IT workers masquerading under over 30 fake identities with phony government IDs and LinkedIn profiles. The leak of systematic expense documentation has revealed purchases of Social Security numbers, professional accounts, and VPN services.

In light of these developments, industry leaders remain vigilant. Changpeng Zhao, the founder of Binance, has identified critical attack vectors, emphasizing the need for heightened awareness concerning fraudulent job applications, malware-laden links, and various scams targeting crypto operations. The sophistication and creativity exhibited by these North Korean hackers signal an urgent need for robust defenses against emerging cyber threats.
