Overview
- Google’s Threat Intelligence Group attributes the activity to UNC5342 and identifies it as the first observed nation‑state adoption of the EtherHiding technique.
- The Contagious Interview campaign targets developers and crypto professionals with fake recruiter outreach and coding tests that lead victims to run malicious code.
- Infections follow a multi‑stage chain involving npm downloaders, the BEAVERTAIL stealer, the JADESNOW downloader that queries on‑chain data, and the INVISIBLEFERRET backdoor.
- Malicious JavaScript is stored in smart contracts on Ethereum and BNB Smart Chain and fetched via read‑only contract calls; the contracts were updated more than 20 times in four months at roughly $1.37 per update.
- Cisco Talos, Mandiant and others published corroborating analysis and IOCs, urging controls such as blocking risky downloads, restricting script execution, enforcing safe browsing, and monitoring node URLs and smart‑contract indicators.