
North Korean Hackers Use Blockchain to Hide Malware in New Campaign

TLDR

  • EtherHiding uses smart contracts to host malware on Ethereum and BNB Chain.
  • Hackers compromise WordPress sites to inject JavaScript loaders.
  • Malware hosted on blockchain is hard to detect and remove due to immutability.
  • CLEARFAKE was the first known EtherHiding campaign in September 2023.

North Korean state-sponsored hackers are now embedding malicious code into blockchain networks to avoid detection. According to Google’s Threat Intelligence Group (GTIG), this new method—called EtherHiding—uses smart contracts on public blockchains like Ethereum and BNB Smart Chain to store malware. The campaign allows the attackers to deliver and control harmful code through systems that are nearly impossible to block or alter.

What Is EtherHiding and How It Works

GTIG explains that EtherHiding involves placing small code snippets into smart contracts, which are hosted on decentralized blockchain networks. These networks are immutable, meaning that once code is added, it cannot be deleted or modified. This makes it difficult for cybersecurity systems to take down or stop the malware.

The hackers start by compromising WordPress websites, often using stolen login data or unpatched software flaws. Once inside, they add a JavaScript loader into the site’s code. This loader reaches out to the blockchain and pulls malware from a remote location. Because this retrieval happens off-chain, as a read rather than a recorded transaction, it leaves almost no transaction record and incurs little to no gas fees.

GTIG found that this method has been active since at least September 2023. The campaign began under the name CLEARFAKE, which used fake browser update alerts to trick users into installing malicious software.

Why the Blockchain Makes Malware Harder to Remove

One of the key features of blockchain technology is that once data is recorded, it cannot be changed. This feature is now being used to hide and spread malware in a way that security teams cannot easily stop. Because the malware is hosted inside smart contracts, blocking or deleting it would require changes to the blockchain itself, which is not possible.

GTIG reports that the use of decentralized systems allows attackers to operate without being noticed. Most anti-malware tools do not check smart contracts for harmful code, so these threats can stay active for long periods without detection.

“Although smart contracts offer innovative ways to build decentralized applications, their unchangeable nature is leveraged in EtherHiding,” GTIG noted.

Citizen Lab researcher John Scott-Railton called EtherHiding an “early-stage experiment” and warned that it could be made more dangerous by using automation tools. He said that future versions might include code that targets blockchain systems directly, especially if those systems are linked to wallets or transaction platforms.

Shift in North Korean Cyber Strategy

Cybersecurity experts believe this method shows a change in North Korea’s cyber operations. Instead of only stealing cryptocurrency, hackers are now using the technology behind it to help distribute malware.

Data from blockchain analytics firm TRM Labs states that North Korean hackers have stolen more than $1.5 billion in cryptocurrency this year. Investigators say that the funds are used to support military projects and avoid global sanctions.

The use of EtherHiding makes it easier for attackers to stay online and move their tools between platforms. Since the code is hosted on decentralized networks, even taking down the original website does not stop the malware from spreading.

How Users and Developers Can Protect Against EtherHiding

GTIG advises users and web developers to take extra steps to secure their systems. They recommend blocking unknown scripts, disabling unauthorized downloads, and keeping WordPress plugins updated.

Security teams are also encouraged to start scanning smart contracts for malicious content. Since the code is public, researchers can label and track harmful contracts more easily if they know what to look for.

The group also stressed the need for tighter website security. Preventing the initial breach of WordPress sites is a key step in stopping these attacks before the loader can be installed.
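The loader's read leaves no on-chain transaction, but it is still an HTTP request from the visitor's browser that egress logging can see. The following is an added example, not code from GTIG or the original article: it assumes the loader reads the contract with the standard read-only `eth_call` JSON-RPC method, scans constructed proxy records for such calls whose Referer is not an expected dapp origin, and groups them by contract address so the contract can be labelled and tracked. The log layout, hostnames, addresses and allowlist are assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumption: origins where wallet/dapp traffic is expected in this environment.
EXPECTED_DAPP_ORIGINS = {"app.dapp.example"}

# Constructed placeholder contract addresses, not real indicators.
A1, A2 = "0x" + "0" * 39 + "1", "0x" + "0" * 39 + "2"

def rpc_call(method, to):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": [{"to": to, "data": "0x"}, "latest"]}

# Constructed proxy records (tab-separated): time, client, Referer, RPC host, POST body.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2025-01-01T10:00:01Z", "10.0.0.5", "https://blog.example/post", "rpc.chain.example", json.dumps(rpc_call("eth_call", A1))),
    ("2025-01-01T10:00:07Z", "10.0.0.9", "https://app.dapp.example/", "rpc.chain.example", json.dumps(rpc_call("eth_call", A2))),
    ("2025-01-01T10:01:12Z", "10.0.0.5", "https://blog.example/post", "stats.example", "v=1&page=post"),
    ("2025-01-01T10:02:30Z", "10.0.0.7", "https://shop.example/cart", "rpc.chain.example",
     json.dumps([{"jsonrpc": "2.0", "id": 2, "method": "eth_chainId"}, rpc_call("eth_call", A1)])),
])

def eth_call_targets(body):
    """Contract addresses read via eth_call in a JSON-RPC body (single or batch)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON, so not a JSON-RPC request
    targets = []
    for call in doc if isinstance(doc, list) else [doc]:
        if isinstance(call, dict) and call.get("method") == "eth_call":
            params = call.get("params") or [{}]
            to = params[0].get("to") if isinstance(params, list) and isinstance(params[0], dict) else None
            targets.append(str(to).lower() if to else "unknown")
    return targets

def suspect_contract_reads(log_text):
    """Map each contract read from a non-dapp page to the pages that triggered the read."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed record
        _, _, referer, _, body = parts
        page = urlsplit(referer).hostname or "no-referer"
        if page in EXPECTED_DAPP_ORIGINS:
            continue  # wallet/dapp pages are expected to read contracts
        for contract in eth_call_targets(body):
            seen.setdefault(contract, set()).add(page)
    return {c: sorted(p) for c, p in seen.items()}

if __name__ == "__main__":
    print(suspect_contract_reads(SAMPLE_LOG))
```

A contract address that shows up behind several unrelated content sites is a stronger signal than any single hit, which is why the result is keyed by contract rather than by page.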

The post North Korean Hackers Use Blockchain to Hide Malware in New Campaign appeared first on CoinCentral.
