
Cybercriminals and nation-state hackers are now leveraging blockchain technology to hide and distribute malware in a way that is nearly impossible to detect or dismantle. The technique, known as EtherHiding, embeds malicious code within smart contracts on public blockchains such as Ethereum and BNB Smart Chain, exploiting their decentralized and immutable nature. Once a victim visits a compromised site, a small loader script runs in the browser and uses read-only blockchain calls to fetch the malware directly from the smart contract. Because these are read-only calls rather than transactions, they require no gas fees and leave no transaction trace, making them nearly invisible to detection tools. And because the malware is stored on-chain, it can't be removed or altered, unlike a traditional command server that can be shut down.

Google's Threat Intelligence Group and Mandiant identified two major campaigns using this method. North Korea-linked UNC5342 targeted developers with fake job offers and delivered backdoors such as Invisible-Ferret. UNC5142, a financially motivated group, used hacked WordPress sites and platforms such as Cloudflare Pages to spread info-stealers including Vidar and RadThief.

This marks a paradigm shift in cyber threats. Traditional defenses such as IP blocking or domain takedowns are ineffective against payloads that live on a public chain. Security teams must now adopt on-chain threat intelligence and smart contract analysis to combat this new generation of blockchain-hosted malware.
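As an added illustration of the kind of detection the article calls for (example code written for this page, not from the article, Google or Mandiant): a browser on an ordinary blog or shop has no reason to send read-only JSON-RPC calls such as eth_call to a blockchain node, so proxy logs can be scanned for exactly that. The allowlist, RPC host, referring sites and contract addresses below are constructed placeholders.

```python
# Added detection example (not from the article): a browser on an ordinary web site
# has no reason to issue read-only JSON-RPC calls to a blockchain node, so flag those.
import json
from urllib.parse import urlparse

ALLOWED_DAPP_HOSTS = {"wallet.example-dapp.test"}      # hypothetical allowlist of real dApps
RPC_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}  # no transaction, no gas

def _rpc(method, to=None):
    """Build a JSON-RPC body for the constructed sample log below."""
    params = [{"to": to, "data": "0xdeadbeef"}, "latest"] if to else []
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": 1})

# Constructed proxy log, one JSON object per line; addresses are placeholders.
LOG_LINES = [json.dumps(e) for e in [
    {"method": "POST", "host": "rpc.example-node.test", "referer": "https://blog.example-victim.test/post/1",
     "body": _rpc("eth_call", "0x0000000000000000000000000000000000001234")},
    {"method": "POST", "host": "rpc.example-node.test", "referer": "https://wallet.example-dapp.test/",
     "body": _rpc("eth_call", "0x0000000000000000000000000000000000005678")},
    {"method": "POST", "host": "rpc.example-node.test", "referer": "https://blog.example-victim.test/post/1",
     "body": _rpc("eth_blockNumber")},
]]

def _rpc_requests(body):
    """Return JSON-RPC request objects from a body (single object or batch array), else []."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []
    items = parsed if isinstance(parsed, list) else [parsed]
    return [r for r in items if isinstance(r, dict) and r.get("jsonrpc") == "2.0"]

def find_suspicious_rpc_reads(log_lines, allowed_hosts=ALLOWED_DAPP_HOSTS):
    """Flag read-only contract reads whose referring site is not a known dApp."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        referer_host = urlparse(ev.get("referer", "")).hostname or ""
        if ev.get("method") != "POST" or referer_host in allowed_hosts:
            continue
        for req in _rpc_requests(ev.get("body", "")):
            if req.get("method") not in RPC_READ_METHODS:
                continue
            params = req.get("params") or [{}]
            target = params[0].get("to") if isinstance(params[0], dict) else None
            findings.append({"referer_host": referer_host, "rpc_host": ev.get("host"),
                             "rpc_method": req["method"], "contract": target})
    return findings
```

Only the first sample line is flagged: the dApp site is allowlisted, and eth_blockNumber reads no contract state. The flagged contract address is the pivot for the on-chain analysis the article recommends.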