Particle.news


Google: North Korea-Linked Hackers Are Using 'EtherHiding' to Deliver Malware From Public Blockchains

The tactic turns Ethereum and BNB Smart Chain contracts into a resilient channel for low-cost, low-trace payload delivery.

Overview

  • Google Threat Intelligence Group disclosed that the DPRK-linked cluster UNC5342 has employed EtherHiding since February 2025 within its Contagious Interview operation targeting developers.
  • Attackers pose as recruiters on LinkedIn, shift conversations to Telegram or Discord, and induce targets to run code under the guise of a technical assessment.
  • The multi-stage chain uses npm-hosted downloaders, BeaverTail and JADESNOW JavaScript components, and an InvisibleFerret backdoor to steal credentials and cryptocurrency across Windows, macOS, and Linux.
  • JADESNOW retrieves payloads from Ethereum or BNB Smart Chain, with smart contracts updated more than 20 times in four months at roughly $1.37 per change and fetched via read-only calls that leave no visible transaction history.
  • Security researchers describe the adoption as an escalation and advise enterprises to block risky file downloads, enforce strict browser and script policies, and restrict access to known malicious sites and blockchain node endpoints.
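The last two points above (payloads fetched through read-only node calls, and the advice to restrict access to blockchain node endpoints) suggest a simple egress check. The script below is an added example, not code from the report or from Google; it assumes a hypothetical proxy log format (one JSON record per line with the decoded request body), uses placeholder hostnames, and flags Ethereum-style JSON-RPC state reads (eth_call, eth_getStorageAt, eth_getCode, shared by Ethereum and BNB Smart Chain) coming from hosts that have no business reason to query chain nodes.

```python
import json
from typing import Iterable

# JSON-RPC methods that read contract state without sending a transaction,
# which is why such fetches leave no visible on-chain history.
READ_ONLY_CONTRACT_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}

# Constructed sample proxy log (hypothetical format): requesting host, destination,
# HTTP method and the decoded JSON-RPC body. Hostnames are placeholders.
SAMPLE_PROXY_LOG = """\
{"src": "dev-laptop-07", "dst": "rpc-node.example.invalid", "http": "POST", "body": {"jsonrpc": "2.0", "method": "eth_call", "params": [{"to": "0x00", "data": "0x00"}, "latest"], "id": 1}}
{"src": "dev-laptop-07", "dst": "registry.npmjs.org", "http": "GET", "body": null}
{"src": "build-agent-02", "dst": "bsc-node.example.invalid", "http": "POST", "body": {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 2}}
{"src": "wallet-ops-01", "dst": "rpc-node.example.invalid", "http": "POST", "body": {"jsonrpc": "2.0", "method": "eth_call", "params": [], "id": 3}}
{"src": "dev-laptop-12", "dst": "bsc-node.example.invalid", "http": "POST", "body": [{"jsonrpc": "2.0", "method": "eth_chainId", "id": 4}, {"jsonrpc": "2.0", "method": "eth_getStorageAt", "params": ["0x00", "0x0", "latest"], "id": 5}]}
{"src": "dev-laptop-12", "dst": "bsc-node.example.invalid", "http": "POST", "body": "not-json"}
"""


def rpc_methods(body) -> list:
    """Return JSON-RPC method names in a body; handles single and batch requests."""
    if isinstance(body, dict):
        body = [body]
    if not isinstance(body, list):
        return []  # null, string or other non-RPC body
    return [r["method"] for r in body
            if isinstance(r, dict) and isinstance(r.get("method"), str)]


def find_untrusted_contract_reads(log_lines: Iterable[str], allowed_sources: set) -> list:
    """Flag read-only contract queries from hosts not approved to talk to chain nodes."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the scan
        if rec.get("src") in allowed_sources:
            continue
        hits = sorted(set(rpc_methods(rec.get("body"))) & READ_ONLY_CONTRACT_METHODS)
        if hits:
            alerts.append({"src": rec.get("src"), "dst": rec.get("dst"), "methods": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_untrusted_contract_reads(SAMPLE_PROXY_LOG.splitlines(), {"wallet-ops-01"}):
        print(alert)
```

On the constructed log this reports the developer laptops' eth_call and eth_getStorageAt requests and ignores the approved wallet host, the block-number query and the unparseable body.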