{
	"id": "de85024d-c69b-4aab-b38b-6c8b7e787e79",
	"created_at": "2026-04-06T00:10:02.443076Z",
	"updated_at": "2026-04-10T13:11:57.527669Z",
	"deleted_at": null,
	"sha1_hash": "0f95dd03577741833b807dbd57980636aab2777d",
	"title": "Hackers use Binance Smart Chain contracts to store malicious scripts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6391502,
	"plain_text": "Hackers use Binance Smart Chain contracts to store malicious scripts\r\nBy Bill Toulas\r\nPublished: 2023-10-13 · Archived: 2026-04-05 17:39:58 UTC\r\nCybercriminals are employing a novel code distribution technique dubbed 'EtherHiding,' which abuses Binance's Smart\r\nChain (BSC) contracts to hide malicious scripts in the blockchain.\r\nThe threat actors responsible for this campaign previously used compromised WordPress sites that redirected to Cloudflare\r\nWorker hosts for injecting malicious JavaScript into hacked websites, but later pivoted to abusing blockchain systems that\r\nprovide a far more resilient and evasive distribution channel.\r\n\"Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into\r\ndownloading malicious fake browser updates,\" mention Guardio Labs researchers Nati Tal and Oleg Zaytsev, who\r\ndiscovered the campaign.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/\r\nPage 1 of 7\n\n\"While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to\r\ntake advantage of the decentralized, anonymous, and public nature of blockchain. 
This campaign is up and harder than ever\r\nto detect and take down.\"\r\nEtherHiding malware\r\nEtherHiding is a new technique that threat actors use in 'ClearFake' campaigns to distribute code injected into hacked\r\nwebsites and display fake browser update overlays.\r\nGuardio Labs explains that the hackers are targeting vulnerable WordPress sites or using compromised admin credentials to inject\r\ntwo script tags into webpages.\r\nThese script injections load the Binance Smart Chain (BSC) JS library and fetch malicious scripts from the blockchain that\r\nare then injected into the site.\r\nJavaScript to connect to the Binance Smart Chain\r\nSource: Guardio\r\nThis code fetched from BSC is also injected into the webpage to trigger the download of the third-stage payload, this time\r\nfrom the threat actor's servers (C2).\r\nThe C2 address is referenced directly from the blockchain, so the attackers can easily change it frequently to evade blocks.\r\nThese third-stage payloads run in the user's browser to show a fake overlay on the site that prompts users to update their\r\nGoogle Chrome, Microsoft Edge, or Mozilla Firefox browser.\r\nFake Chrome update overlay shown on hacked site\r\nSource: BleepingComputer\r\nOnce the victim clicks the update button, they are directed to download a malicious executable from Dropbox or other\r\nlegitimate hosting sites.\r\nLatest ClearFake attack chain (Guardio Labs)\r\nBlockchain advantage\r\nThe blockchain is designed to run decentralized apps and smart contracts, and any code hosted on it cannot be taken down,\r\nso hosting it there instead of using rented infrastructure makes these attacks unblockable.\r\nWhen one of their domains gets flagged, the attackers update the 
chain to swap out the malicious code and related domains,\r\ncontinuing the attack with minimal interruption.\r\nAlso, there are no charges to make these changes, so the cybercriminals can essentially abuse the system as much as they\r\nneed to without suffering a financial burden that would make their operations unprofitable.\r\nMalicious smart contract (Guardio Labs)\r\nOnce a smart contract is deployed on the BSC, it operates autonomously and cannot be shut down. Even reporting the\r\naddress as malicious will not prevent it from distributing the malicious code when invoked.\r\nGuardio Labs says reporting the address triggers a warning on Binance's BSC explorer page to alert users not to interact with\r\nthe address. However, visitors to compromised WordPress sites will never see that warning or realize what happens under\r\nthe hood.\r\nReported address on BSC Explorer (Guardio Labs)\r\nThe only way to mitigate the problem is to focus on WordPress security, using strong, unique admin passwords, keeping\r\nplugins up to date, and removing unused add-ons and accounts.\r\nWhile currently an evolution of the ClearFake campaigns, EtherHiding illustrates the ever-evolving tactics of threat actors to\r\nmake their attacks more takedown-resistant.\r\nIf this method proves successful, blockchain abuse could become integral to various payload delivery attack chains in the\r\ncoming months.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/"
	],
	"report_names": [
		"hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f95dd03577741833b807dbd57980636aab2777d.pdf",
		"text": "https://archive.orkl.eu/0f95dd03577741833b807dbd57980636aab2777d.txt",
		"img": "https://archive.orkl.eu/0f95dd03577741833b807dbd57980636aab2777d.jpg"
	}
}