EtherHiding
EtherHiding is a blockchain-based malware hosting and command-and-control technique in which malicious JavaScript, payloads, configuration data, or C2 endpoints are embedded in public blockchain smart contracts rather than hosted solely on traditional servers. Reported implementations use Ethereum, BNB Smart Chain, Polygon, Avalanche, and BNB Smart Chain TestNet, with malware retrieving data through public RPC endpoints and smart-contract read calls such as getURL(), ERC20 name(), or similar lookups. The technique is designed to make attacker infrastructure resilient to takedown because smart contracts are decentralized and effectively immutable, while allowing operators to rotate payloads or C2 information cheaply through blockchain updates.
The cited reporting links EtherHiding to multiple campaigns and malware chains. Google Threat Intelligence Group reported North Korea-aligned UNC5342 using EtherHiding in the Contagious Interview social-engineering campaign targeting developers and cryptocurrency firms, including delivery chains involving JadeSnow and InvisibleFerret; in that reporting, malicious files or JavaScript retrieved crypto-stealing malware or C2 information from Ethereum and BNB Smart Chain smart contracts.
Similar blockchain-based staging was described in financially motivated WordPress compromise activity associated with UNC5142/ClearFake-style infrastructure, where injected JavaScript downloaders used BNB Smart Chain smart contracts as a control layer to distribute infostealers such as Vidar, Lummac.V2, and RadThief.
Other observed uses include: ErrTraffic V3 ClickFix campaigns against compromised WordPress sites, where injected JavaScript queried Polygon smart contracts to retrieve attacker-controlled infrastructure; OCRFix, which used BNB Smart Chain TestNet smart contracts to obtain C2 addresses after fake CAPTCHA/PowerShell social engineering; a 10-stage Windows intrusion chain ending in the HellsUchecker backdoor, in which a 6.5 MB .NET EtherHiding loader queried BNB Smart Chain and Avalanche for encrypted JSON C2 configuration; Kimwolf Android botnet variants that added EtherHiding/blockchain domains for resilience; and the GlassWorm loader delivered through malicious Open VSX extension updates, where EtherHiding was used to fetch C2 endpoints.
Across the cited reporting, EtherHiding-enabled malware supports retrieval of hidden payloads or C2 endpoints, host fingerprinting, system-information collection, credential theft, cryptocurrency theft, exfiltration, persistence, and follow-on payload delivery, depending on the surrounding malware family. Infection vectors mentioned in the cited reporting include fake job offers and technical assessments, compromised WordPress sites, ClickFix/fake CAPTCHA lures, SEO poisoning, typosquatting, malicious MSI installers, and poisoned software-extension updates. High-confidence observables directly mentioned include the Polygon wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 used by ErrTraffic, the smart-contract function selector 0x38bcdc1c corresponding to getURL(), the HellsUchecker-related smart-contract address 0x328A1faDff154290F0Ce1389a4E633698CDfdAa7 queried with selector 0x06fdde03 (ERC20 name()), and infrastructure such as more-arpc[.]icu, rpcsecnoweb[.]pro, rec.allthe[.]site/chk, opsecdefcloud[.]com, ldture[.]com, and bsc-testnet.publicnode[.]com in specific campaigns.
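Defender-side example added here (it is not code from any of the cited reports): a small Python triage helper that flags JSON-RPC eth_call requests carrying the getURL()/name() selectors or the HellsUchecker contract address named above, and decodes the ABI-encoded string such a read call returns. The sample request and response are constructed, and the placeholder URL is not a real indicator.

```python
import json

# Function selectors named in the write-up above: getURL() and ERC20 name().
KNOWN_SELECTORS = {"0x38bcdc1c": "getURL()", "0x06fdde03": "name()"}
# Contract address named in the write-up (HellsUchecker chain), lower-cased for matching.
KNOWN_CONTRACTS = {"0x328a1fadff154290f0ce1389a4e633698cdfdaa7": "HellsUchecker config contract"}


def classify_rpc_request(body: str):
    """Return a finding for an eth_call that hits a known selector or contract, else None."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return None
    params = req.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    to = str(params[0].get("to", "")).lower()
    data = str(params[0].get("data", "")).lower()
    selector = data[:10] if data.startswith("0x") else ""  # 4-byte selector = 8 hex chars
    reasons = []
    if selector in KNOWN_SELECTORS:
        reasons.append(f"selector {selector} = {KNOWN_SELECTORS[selector]}")
    if to in KNOWN_CONTRACTS:
        reasons.append(f"contract {to} = {KNOWN_CONTRACTS[to]}")
    return {"to": to, "selector": selector, "reasons": reasons} if reasons else None


def abi_encode_string(s: str) -> str:
    """ABI-encode one `string` return value: 32-byte offset, 32-byte length, data padded to 32."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(result_hex: str) -> str:
    """Recover the string an eth_call returned (inverse of abi_encode_string)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


# Constructed sample: a name() lookup against the contract address from the write-up.
SAMPLE_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [
    {"to": "0x328A1faDff154290F0Ce1389a4E633698CDfdAa7", "data": "0x06fdde03"}, "latest"]})
# Constructed response carrying a placeholder string, not a real indicator.
SAMPLE_RESULT = abi_encode_string("https://c2.example.invalid/cfg")
```

Run classify_rpc_request over the bodies of outbound POSTs to public RPC endpoints captured by a proxy, then feed any matching response's "result" field to decode_abi_string to see what the loader was handed.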
Groups observed using it
2 distinct threat actors attributed by public researchers.
GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server.
Google researchers revealed that North Korean hackers have been using a technique known as “EtherHiding” to host their malware, storing their malicious code in a smart contract on Ethereum’s blockchain... the file pulls down crypto-stealing malware hosted on Ethereum’s blockchain.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
A technique/loader that leverages blockchain smart contracts and RPC endpoints to host or retrieve malicious code or configuration data, hiding attacker-controlled URLs and payload staging behind decentralized infrastructure.
.NET loader/C2-hiding technique that retrieves encrypted C2 configuration from blockchain smart contracts (BSC/Avalanche) and then fetches additional stage payloads from the decoded C2 hosts.
Technique/mechanism used by malware to retrieve/resolve command-and-control server details and support follow-on communications.
Technique/tooling referenced as 'EtherHiding' used by malware to obtain/resolve its C2 server and communicate system information while awaiting commands.