EtherHiding: When good blockchains turn bad
With AI stealing the limelight over the last few years, it’s been a while since it was fashionable to talk about the blockchain. But it’s still out there, most famously used to track cryptocurrency transactions and hold smart contracts.
Part of what makes the blockchain suitable for this job is its immutability. That is, once a transaction is recorded on the blockchain, it can’t be edited or removed. This is fundamental to the decentralised nature of digital currency, and enables investigators to do things like track payments to ransomware threat actors’ wallets; they can obfuscate, but they can’t hide. But while such a ledger has many benefits, it can also create unforeseen problems.
Abusing the permanent record
Researchers at Mandiant recently observed the North Korean threat actor UNC5342 using a technique called EtherHiding to deliver malware and steal cryptocurrency. EtherHiding was first observed in financial campaigns in 2023, but this is the first time it has been seen used by a nation state actor.
The technique uses smart contracts on public blockchains to host malicious code. The code is retrieved by a malicious loader script, which might be hosted on a compromised website and run in-browser, or sent directly to a victim as part of a fake job interview. The script reads the payload with a read-only call such as eth_call, which fetches data from a contract without creating a transaction record on the chain.
In UNC5342’s case, the delivery mechanism was a downloader called JADESNOW, which grabs payloads from BNB Smart Chain smart contracts and the Ethereum blockchain. The payload was identified as InvisibleFerret, which serves as a backdoor for data exfiltration and lateral movement.
“This approach essentially turns the blockchain into a decentralised and highly resilient command-and-control server,” the researchers said in a blog post, noting that smart contract owners can update the content at any time.
Evading traditional takedowns
The problem for defenders is that abuse of the blockchain breaks our usual models for dealing with repositories hosting malicious code.
When malicious content resides at a particular domain or IP address, it can be blocked at the network perimeter, or on a web proxy that filters internet access from users’ devices. Even if the server remains active, we can be reasonably sure that none of our organisations’ users can reach it.
Sometimes threat actors host malicious code on services that allow users to upload information - think Pastebin, GitHub repositories, or even Steam user profiles. Business requirements often mean it’s impossible to block the site altogether, but the companies running these services all provide ways to report abuse and have the offending content removed.
The problem with blockchains is that they are specifically designed to operate without this kind of central authority. They are decentralised and often permanent, so there’s no organisation to engage with to make retrospective changes. As Mandiant put it, their abuse provides “bulletproof hosting”. Once it’s been written to one of these blockchains, it’s just… there.
Shifting defensive mindsets
What can businesses do to defend themselves against EtherHiding? As a part of Google, Mandiant’s recommendations naturally focused on in-browser protections: updates, download policies, blocklists, and Safe Browsing.
Ultimately, whatever novel delivery mechanism is used, malware has to run on the victim’s system to have an impact. Endpoint detection and response (EDR) tools should detect it at this point, but security teams will seek more assurance by finding ways to detect the activity earlier in the kill chain.
Monitoring for (or blocking) outbound connections to blockchain nodes and smart contract addresses could help, but its feasibility is very organisation-specific. If business operations require access then a blanket ban won’t work.
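One way to start the monitoring described above is to inspect JSON-RPC traffic to blockchain nodes for the read-only eth_call requests the loader relies on. The following is an added example, not code from the article or from Mandiant: it assumes a constructed proxy log format (timestamp, source host, RPC endpoint, POST body, tab-separated), placeholder node hostnames and a placeholder watched-contract address, and handles both single and batched JSON-RPC requests.

```python
import json

# Constructed sample proxy log lines: timestamp, source host, RPC endpoint, POST body.
# The node hostnames and contract addresses are placeholders, not real indicators.
SAMPLE_LOGS = [
    "2025-10-20T09:14:02Z\tws-017\trpc.example-node.test\t"
    '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
    "2025-10-20T09:14:05Z\tws-017\trpc.example-node.test\t"
    '{"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":'
    '"0xAbCdEf0000000000000000000000000000000001","data":"0x2d883a73"},"latest"]}',
    "2025-10-20T09:14:09Z\tws-042\tbsc.example-node.test\t"
    '[{"jsonrpc":"2.0","id":3,"method":"eth_chainId","params":[]},'
    '{"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":'
    '"0x0000000000000000000000000000000000000002","data":"0x"},"latest"]}]',
    "2025-10-20T09:14:11Z\tws-042\tbsc.example-node.test\tnot json at all",
]

# Placeholder list of contract addresses a threat-intel feed has associated with abuse.
WATCHED_CONTRACTS = {"0xabcdef0000000000000000000000000000000001"}


def parse_rpc_bodies(body):
    """Return the JSON-RPC request objects in a POST body (single object or batch list)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    requests = parsed if isinstance(parsed, list) else [parsed]
    return [r for r in requests if isinstance(r, dict) and "method" in r]


def flag_eth_calls(log_lines, watched_contracts):
    """Flag eth_call requests; calls to watched contracts are 'high', all others 'info'."""
    findings = []
    for line in log_lines:
        ts, src, endpoint, body = line.split("\t", 3)
        for req in parse_rpc_bodies(body):
            if req.get("method") != "eth_call":
                continue
            params = req.get("params") or []
            # The first param of eth_call is the call object; 'to' is the contract address.
            target = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
            target = target.lower()  # addresses are case-insensitive hex; normalise for matching
            severity = "high" if target in watched_contracts else "info"
            findings.append({"ts": ts, "src": src, "endpoint": endpoint,
                             "contract": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in flag_eth_calls(SAMPLE_LOGS, WATCHED_CONTRACTS):
        print(finding)
```

Because eth_call never appears on-chain, proxy or TLS-inspection logs like these are the only place an organisation will see the fetch itself; the 'info' findings are useful for baselining which hosts legitimately talk to RPC nodes before deciding whether a block is feasible.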
Malware on the blockchain doesn’t fit with traditional security models, but it does come with a silver lining: every move by UNC5342 or any other threat actor using it is logged permanently. Its permanence causes headaches in detection, but it could present a threat intelligence goldmine.
It remains to be seen how widely EtherHiding will be adopted as a technique, but if it takes off then it could necessitate a change in mindset for defenders, a move from reactive takedowns to proactive monitoring - observing patterns in blockchain abuse, tracking wallets and analysing transaction histories.
What threat actors gain in resilience, they sacrifice in operational security, and that may present our best opportunity to stay ahead of them.