{
	"id": "ea1b8dde-22a9-4594-a2a6-797e7e19b207",
	"created_at": "2026-04-06T00:17:53.210844Z",
	"updated_at": "2026-04-10T13:11:54.442565Z",
	"deleted_at": null,
	"sha1_hash": "07b6534409d96d4583ca09250ed74f78efb4b1cd",
	"title": "DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 941445,
	"plain_text": "DPRK Adopts EtherHiding: Nation-State Malware Hiding on\r\nBlockchains\r\nBy Mandiant\r\nPublished: 2025-10-16 · Archived: 2026-04-02 11:14:13 UTC\r\nWritten by: Blas Kojusner, Robert Wallace, Joseph Dobson\r\nGoogle Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’\r\nto deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this\r\nmethod. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions\r\non public blockchains to store and retrieve malicious payloads—notable for its resilience against conventional takedown and\r\nblocklisting efforts. Read about UNC5142 campaign leveraging EtherHiding to distribute malware.\r\nSince February 2025, GTIG has tracked UNC5342 incorporating EtherHiding into an ongoing social engineering campaign,\r\ndubbed Contagious Interview by Palo Alto Networks. In this campaign, the actor uses JADESNOW malware to deploy a\r\nJavaScript variant of INVISIBLEFERRET, which has led to numerous cryptocurrency heists.\r\nHow EtherHiding Works\r\nEtherHiding emerged in September 2023 as a key component in the financially motivated CLEARFAKE campaign\r\n(UNC5142), which uses deceptive overlays, like fake browser update prompts, to manipulate users into executing malicious\r\ncode.\r\nEtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a\r\npublic blockchain like BNB Smart Chain or Ethereum. This approach essentially turns the blockchain into a decentralized\r\nand highly resilient command-and-control (C2) server.\r\nThe typical attack chain unfolds as follows:\r\n1. Initial Compromise: DPRK threat actors typically utilize social engineering for their initial compromise (e.g., fake\r\njob interviews, crypto games, etc.). 
Additionally, in the CLEARFAKE campaign, the attacker first gains access to a\r\nlegitimate website, commonly a WordPress site, through vulnerabilities or stolen credentials.\r\n2. Injection of a Loader Script: The attacker injects a small piece of JavaScript code, often referred to as a \"loader,\"\r\ninto the compromised website.\r\n3. Fetching the Malicious Payload: When a user visits the compromised website, the loader script executes in their\r\nbrowser. This script then communicates with the blockchain to retrieve the main malicious payload stored in a remote\r\nserver. A key aspect of this step is the use of a read-only function call (such as eth_call), which does not create a\r\ntransaction on the blockchain. This ensures the retrieval of the malware is stealthy and avoids transaction fees (i.e.,\r\ngas fees).\r\n4. Payload Execution: Once fetched, the malicious payload is executed on the victim's computer. This can lead to\r\nvarious malicious activities, such as displaying fake login pages, installing information-stealing malware, or\r\ndeploying ransomware.\r\nAdvantages for Attackers\r\nEtherHiding offers several significant advantages to attackers, positioning it as a particularly challenging threat to mitigate:\r\nDecentralization and Resilience: Because malicious code is stored on a decentralized and permissionless\r\nblockchain, there is no central server that law enforcement or cybersecurity firms can take down. The malicious code\r\nremains accessible as long as the blockchain itself is operational.\r\nAnonymity: The pseudonymous nature of blockchain transactions makes it difficult to trace the identity of the\r\nattackers who deployed the smart contract.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding\r\nPage 1 of 8\n\nImmutability: Once a smart contract is deployed, the malicious code within it typically cannot be easily removed or\r\naltered by anyone other than the contract owner. 
\r\nStealth: Attackers can retrieve the malicious payload using read-only calls that do not leave a visible transaction\r\nhistory on the blockchain, making their activities harder to track.\r\nFlexibility: The attacker who controls the smart contract can update the malicious payload at any time. This allows\r\nthem to change their attack methods, update domains, or deploy different types of malware to compromised websites\r\nsimultaneously by simply updating the smart contract.\r\nIn essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of\r\nblockchain technology are repurposed for malicious ends. This technique underscores the continuous evolution of cyber\r\nthreats as attackers adapt and leverage new technologies to their advantage.\r\nDPRK Social Engineering Campaign\r\nNorth Korea's social engineering campaign is a sophisticated and ongoing cyber espionage and financially motivated\r\noperation that cleverly exploits the job application and interview process. This campaign targets developers, particularly in\r\nthe cryptocurrency and technology sectors, to steal sensitive data and cryptocurrency, and to gain persistent access to corporate\r\nnetworks.\r\nThe campaign has a dual purpose that aligns with North Korea's strategic goals:\r\nFinancial Gain: A primary objective is the theft of cryptocurrency and other financial assets to generate revenue for\r\nthe regime, helping it bypass international sanctions.\r\nEspionage: By compromising developers, the campaign aims to gather valuable intelligence and potentially gain a\r\nfoothold in technology companies for future operations.\r\nThe campaign is characterized by its elaborate social engineering tactics that mimic legitimate recruitment processes.\r\n1. The Phishing Lure:\r\nFake Recruiters and Companies: The threat actors create convincing but fraudulent profiles on professional\r\nnetworking sites like LinkedIn and job boards. 
They often impersonate recruiters from well-known tech or\r\ncryptocurrency firms.\r\nFabricated Companies: In some instances, they have gone as far as setting up fake company websites and social\r\nmedia presences for entities like \"BlockNovas LLC,\" \"Angeloper Agency,\" and \"SoftGlideLLC\" to appear legitimate.\r\nTargeted Outreach: They aggressively contact potential victims, such as software and web developers, with\r\nattractive job offers.\r\n2. The Interview Process:\r\nInitial Engagement: The fake recruiters engage with candidates, often moving the conversation to platforms like\r\nTelegram or Discord.\r\nThe Malicious Task: The core of the attack occurs during a technical assessment phase. Candidates are asked to\r\nperform a coding test or review a project, which requires them to download files from repositories like GitHub. These\r\nfiles contain malicious code.\r\nDeceptive Tools: In other variations, candidates are invited to a video interview and are prompted with a fake error\r\nmessage (a technique called ClickFix) that requires them to download a supposed \"fix\" or specific software to\r\nproceed, which is actually the malware.\r\n3. The Infection Chain:\r\nThe campaign employs a multi-stage malware infection process to compromise the victim's system, often affecting\r\nWindows, macOS, and Linux systems.\r\nInitial Downloader (e.g., JADESNOW): The malicious packages downloaded by the victim are often hosted on the\r\nnpm (Node Package Manager) registry. These loaders may collect initial system information and download the next\r\nstage of malware.\r\nSecond-Stage Malware (e.g., BEAVERTAIL, JADESNOW): The JavaScript-based malware is designed to scan for\r\nand exfiltrate sensitive data, with a particular focus on cryptocurrency wallets, browser extension data, and\r\ncredentials. 
The addition of JADESNOW to the attack chain marks UNC5342’s shift towards EtherHiding to serve\r\nup the third-stage backdoor INVISIBLEFERRET.\r\nThird-Stage Backdoor (e.g., INVISIBLEFERRET): For high-value targets, a more persistent backdoor is deployed.\r\nINVISIBLEFERRET, a Python-based backdoor, provides the attackers with remote control over the compromised system,\r\nallowing for long-term espionage, data theft, and lateral movement within a network.\r\nJADESNOW\r\nJADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW\r\nutilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and\r\nEthereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the\r\nJADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.\r\nThe deployment and management of JADESNOW differ from those of similar campaigns that implement EtherHiding, such\r\nas CLEARFAKE. The CLEARFAKE campaign, associated with the threat cluster UNC5142, functions as a malicious\r\nJavaScript framework and often masquerades as a Google Chrome browser update pop-up on compromised websites. The\r\nprimary function of the embedded JavaScript is to download a payload after a user clicks the \"Update Chrome\" button. The\r\nsecond-stage payload is another Base64-encoded JavaScript stored on the BNB Smart Chain. The final payload may be\r\nbundled with other files that form part of a legitimate update, like images or configuration files, but the malware itself is\r\nusually an infostealer like LUMASTEALER.\r\nFigure 1 presents a general overview of the social engineering attack chain. The victim receives a malicious interview\r\nquestion, deceiving the victim into running code that executes the initial JavaScript downloader that interacts with a\r\nmalicious smart contract and downloads the second-stage payload. 
The smart contract hosts the JADESNOW downloader\r\nthat interacts with Ethereum to fetch the third-stage payload, in this case INVISIBLEFERRET.JAVASCRIPT. The payload is\r\nrun in memory and may query Ethereum for an additional credential stealer component. It is unusual to see a threat actor\r\nmake use of multiple blockchains for EtherHiding activity; this may indicate operational compartmentalization between\r\nteams of North Korean cyber operators. Lastly, campaigns frequently leverage EtherHiding's flexible nature to update the\r\ninfection chain and shift payload delivery locations. In one transaction, the JADESNOW downloader can switch from\r\nfetching a payload on Ethereum to fetching it on the BNB Smart Chain. This switch not only complicates analysis but also\r\nleverages lower transaction fees offered by alternate networks.\r\nFigure 1: UNC5342 EtherHiding on BNB Smart Chain and Ethereum\r\nMalicious Smart Contracts\r\nBNB Smart Chain and Ethereum are both designed to run decentralized applications (dApps) and smart contracts. A smart\r\ncontract is code on a blockchain that automatically executes actions when certain conditions or agreements are met, enabling\r\nsecure, transparent, and automated agreements without intermediaries. Smart contracts are compiled into bytecode and\r\nuploaded to the blockchain, making them publicly available to be disassembled for analysis.\r\nBNB Smart Chain, like Ethereum, is a decentralized and permissionless blockchain network that supports smart contracts\r\nprogrammed for the Ethereum Virtual Machine (EVM). 
Although smart contracts offer innovative ways to build\r\ndecentralized applications, their unchangeable nature is leveraged in EtherHiding to host and serve malicious code in a\r\nmanner that cannot be easily blocked.\r\nMaking use of Ethereum and BNB Smart Chain for the purpose of EtherHiding is straightforward since it simply involves\r\ncalling a custom smart contract on the blockchain. UNC5342’s interactions with the blockchain networks are done through\r\ncentralized API service providers rather than Remote Procedure Call (RPC) endpoints, as seen with CLEARFAKE. When\r\ncontacted by GTIG, responsible API service providers were quick to take action against this malicious activity; however,\r\nseveral other platforms have remained unresponsive. This indifference and lack of collaboration is a significant concern, as\r\nit increases the risk of this technique proliferating among threat actors.\r\nJADESNOW On-Chain Analysis\r\nThe initial downloader queries the BNB Smart Chain through a variety of API providers, including Binplorer, to read the\r\nJADESNOW payload stored at the smart contract at address 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c.\r\nFigure 2 is an example of an API call to read data stored in the smart contract from the transaction history. The transaction\r\ndetails show that the contract has been updated over 20 times within the first four months, with each update costing an\r\naverage of $1.37 USD in gas fees. The low cost and frequency of these updates illustrate the attacker’s ability to easily\r\nchange the campaign’s configuration. 
This smart contract has also been linked to a software supply chain attack that\r\nimpacted React Native Aria and GlueStack via compromised npm packages in June 2025.\r\n{\r\n  timestamp: 1738949853,\r\n  transactionHash: \"0x5c77567fcf00c317b8156df8e00838105f16fdd4fbbc6cd83d624225397d8856\",\r\n  tokenInfo: {\r\n    address: \"0x8eac3198dd72f3e07108c4c7cff43108ad48a71c\",\r\n    (...)\r\n    owner: \"0x9bc1355344b54dedf3e44296916ed15653844509\",\r\n    (...)\r\n    txsCount: 22,\r\n    (...)\r\n  },\r\n  type: \"issuance\",\r\n  value: \"1\",\r\n  priority: 127,\r\n  address: \"0x9bc1355344b54dedf3e44296916ed15653844509\"\r\n}\r\nFigure 2: ABI call for transaction history\r\nBlockchain explorers like BscScan (for BNB Smart Chain) and Etherscan (for Ethereum) are essential tools for reviewing\r\non-chain information like smart contract code and historic transactions to and from the contract. These transactions may\r\ninclude input data such as a variable Name, its Type, and the Data stored in that variable. Figure 3 shows on-chain\r\nactivity at the transaction address 0x5c77567fcf00c317b8156df8e00838105f16fdd4fbbc6cd83d624225397d8856, where the\r\nData field contains a Base64-encoded and XOR-encrypted message. This message decrypts to a heavily obfuscated\r\nJavaScript payload that GTIG assesses as the second-stage downloader, JADESNOW.\r\nFigure 3: UNC5342 on-chain activity\r\nWhen comparing transactions, the launcher-related code remains intact, but the next-stage payload is frequently updated\r\nwith a new obfuscated payload. In this case, the obfuscated payload is run in memory and decrypts an array of strings that\r\ncombine to form API calls to different transaction hashes on Ethereum. This pivot to a different network is notable. 
The\r\nattackers are not using an Ethereum smart contract to store the payload; instead, they perform a GET request to query the\r\ntransaction history of their attacker-controlled address and read the calldata stored from transactions made to the well-known “burn” address 0x00…dEaD.\r\nFigure 4: On-chain transactions\r\nThe final address of these transactions is inconsequential since the malware only reads the data stored in the details of a\r\ntransaction, effectively using the blockchain transaction as a Dead Drop Resolver. These transactions are generated\r\nfrequently, showing how easily the campaign can be updated with a simple blockchain transaction, including changing the\r\nC2 server.\r\nThe in-memory payload fetches and evaluates the information stored on-chain by querying Ethereum via different\r\nblockchain explorer APIs. Multiple explorers are queried simultaneously (including Blockchair, Blockcypher, and\r\nEthplorer), likely as a fail-safe way to ensure payload retrieval. The use of a free API key, such as apiKey=freekey offered\r\nby Ethplorer for development, is sufficient for the JADESNOW operation despite strict usage limits.\r\nPayload Analysis\r\nThe third stage is the INVISIBLEFERRET.JAVASCRIPT payload stored at the Ethereum transaction address\r\n0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a. This payload connects to the C2 server via port\r\n3306, the default port for MySQL. It sends an initial beacon with the victim's hostname, username, operating system, and\r\nthe directory the backdoor is currently running under. The backdoor proceeds to run in the background, listening for\r\nincoming commands from the C2. 
The command handler is capable of processing arbitrary command execution, executing\r\nbuilt-in commands to change the directory, and exfiltrating files, directories, and subdirectories from the victim’s system.\r\nThe INVISIBLEFERRET.JAVASCRIPT payload may also be split into different components, as is done at the transaction\r\naddress 0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f. The split-up JavaScript payload\r\nexecutes the INVISIBLEFERRET.JAVASCRIPT backdoor and attempts to install a portable Python interpreter to execute an\r\nadditional credential stealer component stored at the transaction address\r\n0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41. This additional credential stealer component\r\ntargets web browsers like Google Chrome and Microsoft Edge to exfiltrate stored passwords, session cookies, and credit\r\ncards. The INVISIBLEFERRET.JAVASCRIPT credential stealer component also targets cryptocurrency wallets like\r\nMetaMask and Phantom, as well as credentials from other sensitive applications like password managers (e.g., 1Password).\r\nThe data is compressed into a ZIP archive and uploaded to an attacker-controlled remote server and a private Telegram chat.\r\nThe Centralized Dependencies in EtherHiding\r\nDecentralization is a core tenet of blockchain networks and other Web3 technologies. In practice, however, centralized\r\nservices are often used, which introduces both opportunities and risks. 
Though blockchains like BNB Smart Chain are\r\nimmutable and permissionless and the smart contracts deployed onto such blockchains cannot be removed, operations by\r\nthreat actors using these blockchains are not unstoppable.\r\nNeither North Korea’s UNC5342 nor threat actor UNC5142 is interacting directly with BNB Smart Chain when retrieving\r\ninformation from smart contracts; both threat actors are utilizing centralized services, akin to using traditional Web2 services\r\nsuch as web hosting. This affords astute defenders the opportunity to mitigate such threats. These centralized intermediaries\r\nrepresent points of observation and control, where traffic can be monitored and malicious activity can be addressed through\r\nblocking, account suspensions, or other methods. In other words, UNC5142 and UNC5342 are using permissioned services\r\nto interact with permissionless blockchains.\r\nThese threat actors exhibit two different approaches to utilizing centralized services for interfacing with blockchain\r\nnetworks:\r\n1. An RPC endpoint is used by UNC5142 (CLEARFAKE) in the EtherHiding activity. This allows direct\r\ncommunication with a BNB Smart Chain node hosted by a third party in a manner that is close to a blockchain node’s\r\n“native tongue.”\r\n2. 
An API service hosted by a central entity is used by UNC5342 (DPRK), acting as a layer of abstraction between the\r\nthreat actor and the blockchain.\r\nThough the difference is nuanced, these intermediary services are positioned to directly impact threat actor operations.\r\nAnother approach not observed in these operations is to operate a node that integrates fully with the blockchain network.\r\nRunning a full node is resource-intensive, slow to sync, and creates a significant hardware and network footprint that can be\r\ntraced, making it a cumbersome and risky tool for cyber operations.\r\nRecommendations\r\nEtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and\r\nIPs. Malware authors may leverage the blockchain to perform further malware propagation stages since smart contracts\r\noperate autonomously and cannot be shut down.\r\nFigure 5: BscScan warning message\r\nWhile security researchers attempt to warn the community by tagging a contract as malicious on official blockchain scanners\r\n(like the warning on BscScan in Figure 5), malicious activity can still be performed.\r\nChrome Enterprise: Centralized Mitigation\r\nChrome Enterprise can be a powerful tool to prevent the impact of EtherHiding by using its centralized management\r\ncapabilities to enforce policies that directly disrupt the attack chain. This approach shifts security away from relying on\r\nindividual user discretion and into the hands of a centralized, automated system.\r\nThe core strength of Chrome Enterprise resides in Chrome Browser Cloud Management. 
This platform allows\r\nadministrators to configure and enforce security policies across all managed browsers in their organization, ensuring\r\nconsistent protection regardless of the user's location or device.\r\nFor EtherHiding, this means an administrator can deploy a defense strategy that does not rely on individual users making the\r\nright security decisions.\r\nKey Prevention Policies and Strategies\r\nAn administrator can use specific policies to break the EtherHiding attack at multiple points:\r\n1. Block Malicious Downloads\r\nThis is the most direct and effective way to stop the attack. The final step of an EtherHiding campaign requires the user to\r\ndownload and run a malicious file (e.g., from a fake update prompt). Chrome Enterprise can prevent this entirely.\r\nDownloadRestrictions Policy: An admin can configure this policy to block downloads of dangerous file types. By\r\nsetting this policy to block file types like .exe, .msi, .bat, and .dll, the malicious payload cannot be saved\r\nto the user's computer, effectively stopping the attack.\r\n2. Automate and Manage Browser Updates\r\nEtherHiding heavily relies on social engineering, most notably by using a pop-up that tells the user \"Your Chrome is out of\r\ndate.\" In a managed enterprise environment, this should be an immediate red flag.\r\nManaged Updates: Administrators use Chrome Enterprise to control and automate browser updates. Updates are\r\npushed silently and automatically in the background.\r\nUser Training: Because updates are managed, employees can be trained with a simple, powerful message: \"You will\r\nnever be asked to manually update Chrome.\" Any prompt to do so is considered a scam and thus undermines the\r\nprimary social engineering tactic.\r\n3. 
Control Web Access and Scripts\r\nWhile attackers constantly change their infrastructure, policies can still reduce the initial attack surface.\r\nURLBlocklist Policy: Admins can block access to known malicious websites, domains, or even the URLs of\r\nblockchain nodes if they are identified by threat intelligence.\r\nSafe Browsing: Policies can enforce Google's Safe Browsing in its most enhanced mode, which uses real-time threat\r\nintelligence to warn users about phishing sites and malicious downloads.\r\nAcknowledgements\r\nThis analysis would not have been possible without the assistance from across Google Threat Intelligence Group, including\r\nthe Koreas Mission, FLARE, and Advanced Practices.\r\nIndicators of Compromise\r\nType | Indicator | Context\r\nSHA256 Hash (ZIP Archive) | 970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628 | ZIP archive containing downloader, in this ca JADESNOW.\r\nSHA256 Hash (Initial JavaScript Downloader) | 01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7 | JADESNOW sample t infection chain.\r\nBSC Address (Smart Contract) | 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c | BNB Smart Chain con UNC5342 to host the JADESNOW payload\r\nBSC Address (Attacker-Controlled) | 0x9bc1355344b54dedf3e44296916ed15653844509 | Owner address of the BNB Smart Chain con\r\nEthereum Transaction Hash (INVISIBLEFERRET.JAVASCRIPT Payload) | 0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a | Transaction storing th INVISIBLEFERRET. payload.\r\nEthereum Transaction Hash (INVISIBLEFERRET.JAVASCRIPT Split Payload) | 0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f | Transaction storing th INVISIBLEFERRET. payload\r\nEthereum Transaction Hash (INVISIBLEFERRET Credential Stealer Payload) | 0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41 | Transaction storing th INVISIBLEFERRET. credential stealer payl\r\nYARA Detections\r\nrule G_Downloader_JADESNOW_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $s1 = \"global['_V']\"\r\n        $s2 = \"global['r']\"\r\n        $s3 = \"umP\"\r\n        $s4 = \"mergeConfig\"\r\n        $s5 = \"charAt\" nocase\r\n    condition:\r\n        uint16(0) != 0x5A4D and filesize \u003c 10KB and #s3 \u003e 2 and #s5 == 1 and all of them\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding"
	],
	"report_names": [
		"dprk-adopts-etherhiding"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "376d1479-0ddf-477c-96eb-afdd8f365fec",
			"created_at": "2026-01-20T02:00:03.662195Z",
			"updated_at": "2026-04-10T02:00:03.913032Z",
			"deleted_at": null,
			"main_name": "UNC5342",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5342",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07b6534409d96d4583ca09250ed74f78efb4b1cd.pdf",
		"text": "https://archive.orkl.eu/07b6534409d96d4583ca09250ed74f78efb4b1cd.txt",
		"img": "https://archive.orkl.eu/07b6534409d96d4583ca09250ed74f78efb4b1cd.jpg"
	}
}