Concise Cyber


North Korean Hackers Use EtherHiding to Deploy Malware via Blockchain Smart Contracts

A state-sponsored threat actor with ties to the Democratic People’s Republic of Korea (DPRK) has been observed leveraging the EtherHiding technique to hide and distribute malware. According to the Google Threat Intelligence Group (GTIG), this activity marks the first time a state-backed hacking group has embraced hiding malicious payloads inside blockchain smart contracts. The group’s primary goal is to deploy malware to facilitate the theft of cryptocurrency from compromised targets.

UNC5342: A Prolific, Multi-Named Threat Actor

GTIG attributes the campaign to a threat cluster it tracks as UNC5342. This actor is known for its sophisticated social engineering and financially motivated attacks. Due to its widespread operations, the group is monitored by multiple cybersecurity firms under various names. These aliases include CL-STA-0240 by Palo Alto Networks Unit 42, DeceptiveDevelopment by ESET, DEV#POPPER by Securonix, and Famous Chollima by CrowdStrike. Other security vendors track the group as Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro).

Attack Vector: The “Contagious Interview” Campaign

The use of EtherHiding is part of a long-running social engineering campaign codenamed “Contagious Interview.” The attack begins on professional networking sites like LinkedIn, where UNC5342 operatives pose as legitimate recruiters or hiring managers. After making initial contact and establishing a rapport with a potential target, the attackers persuade the individual to move the conversation to an alternative platform such as Telegram or Discord. The final step involves tricking the victim into running malicious code disguised as a job assessment or technical test, ultimately leading to malware deployment and system compromise.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other people’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
