North Korean threat group Famous Chollima is using blockchain technology to hide malware payloads in smart contracts , which marks the first documented case of a nation-state actor adopting “EtherHiding” techniques. Cisco Talos and Google Threat Intelligence Group independently confirmed the attacks target job seekers through fake interview processes, deploying malware that steals crypto and credentials. The group deployed a new JavaScript module that combines BeaverTail and OtterCookie malware, featuring keylogging and screenshot capabilities. The malicious software was distributed via a Node.js package named “ node-nvm-ssh ” on the official NPM repository, disguised as a chess application called “ Chessfi .” Node-nvm-ssh infection path | Source: Cisco Talos Google has documented a North Korean group, UNC5342, which has been embedding JADESNOW malware and INVISIBLEFERRET backdoors within smart contracts on the BNB Smart Chain and Ethereum since February 2025. UNC5342 EtherHiding on BNB Smart Chain and Ethereum | Source: Google Cloud The technique stores malicious payloads on public blockchains , creating a decentralized command-and-control infrastructure that cannot be taken down by law enforcement. This discovery comes as North Korean hackers stole over $1.3 billion across 47 incidents in 2024 and $2.2 billion in the first half of 2025 alone , funding the regime’s weapons program through elaborate money laundering networks. EtherHiding Turns Blockchain Into Bulletproof Hosting Platform EtherHiding embeds malicious JavaScript payloads within smart contracts on public blockchains, turning decentralized ledgers into resilient command-and-control servers. Attackers retrieve payloads using read-only function calls that avoid transaction fees and leave no visible blockchain history. The technique offers decentralized storage, prevents takedowns, pseudonymous transactions obscure attacker identity, and immutable smart contracts cannot be easily removed. Attackers controlling contracts can update payloads at any time, changing attack methods or deploying different malware simultaneously. Google Threat Intelligence documented UNC5342 using EtherHiding in the “Contagious Interview” campaign, where fake recruiters impersonate companies like Coinbase and Robinhood. Victims download malicious files from GitHub repositories during technical assessments, triggering multi-stage infections. The JADESNOW downloader queries BNB Smart Chain through API providers like Binplorer to retrieve payloads from smart contract address 0x8ea**8a71c. The contract has been updated over 20 times within four months, costing an average of $1.37 in gas fees per update. On-chain transactions | Source: Google Cloud Blockchain explorers show on-chain transactions containing Base64-encoded and XOR-encrypted messages that decrypt to heavily obfuscated JavaScript payloads. The malware pivots between networks, querying Ethereum transaction history through multiple explorer APIs, including Blockchair, Blockcypher, and Ethplorer. The final INVISIBLEFERRET.JAVASCRIPT payload connects to command-and-control servers via port 3306, sending victim hostname, username, operating system, and current directory. The backdoor processes arbitrary command execution, file exfiltration, and directory harvesting while targeting over 80 browser extensions, including MetaMask and Phantom. Functional similarities between Famous Chollima tools | Source: Cisco Talos Fake Companies and Stolen Identities Earlier this year, it was discovered that North Korean operatives established legitimate US corporations using fake identities to create credible corporate fronts. Silent Push researchers discovered Blocknovas registered to a vacant lot in South Carolina, while Softglide traced back to a Buffalo tax office. These companies launched the “Contagious Interview” campaign, a Lazarus Group subgroup specializing in malware deployment. ZachXBT documented at least 25 instances of North Korean IT workers infiltrating crypto companies, operating under more than 30 fake identities with government-issued ID cards and professional LinkedIn accounts. A compromised device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services. Last month, Binance founder Changpeng Zhao also warned about four primary attack vectors, which include fake job applications, fraudulent interviews with malware-laden links, customer support scams, and bribery of employees or outsourced vendors. These North Korean hackers are advanced, creative and patient. I have seen/heard: 1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions. 2. They pose as employers and try to… https://t.co/axo5FF9YMV — CZ BNB (@cz_binance) September 18, 2025 He cited a major Indian outsourced service hack that leaked U.S. exchange user data, resulting in over $400 million in losses. Cisco Talos has previously documented Famous Chollima creating fraudulent skill-testing websites using React frameworks that closely mimic legitimate company assessment platforms through the PylangGhost malware campaign, which targets crypto professionals. Victims complete technical assessments, which include downloading alleged video drivers containing malicious Python-based payloads. Efforts have been made to stop these bad actors, as U.S. authorities recently seized over $7.7 million in crypto allegedly earned through networks of covert IT workers. The post North Korea Weaponizes Blockchain for Stealth Hacks, Poses as Job Recruiters appeared first on Cryptonews .
