Cyberattackers are running and EtherHiding
Why this Web3 threat matters.
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
As if we needed more things to put on the blockchain…
Throughout 2025, cybersecurity and tech vendors have sounded the alarm about an adversarial tactic called EtherHiding. This stealthy attack buries malware components in smart contracts on the blockchain ledger.
The attack is a tricky one for defenders to mitigate, given how the blockchain is decentralized and often spread across an immense network, with many potential points for a multi-stage attack. Over the past few years, software developer interest in Web3, which attempts to build decentralized online ecosystems using blockchain technology, has only increased the potential attack surface for exploits like EtherHiding.
“These attack chains are becoming increasingly more difficult. Even if you don’t have a particular interest in Web3 or an application for it, understanding how this type of attack works can help to inform your posture and not only your policies, but also your training,” Andrew Northern, principal security researcher with internet intel platform Censys, told IT Brew.
EtherHiding is a variation of the JavaScript-injecting technique known as creating a “watering hole”—a wait-and-see-who-shows-up attack that compromises a website to deliver malware to visitors. EtherHiding refers to the “ethers” JavaScript library that provides helper applications for web services interacting with the blockchain, Northern noted.
A tactic revealed by Censys in a Nov. 21 blog post showed how attackers stored JavaScript “blobs” for a fake CAPTCHA in a Binance Smart Chain contract. JavaScript, initially injected into a target’s website, then queries the blockchain, pulling the on-chain malware pieces that could lead to the execution of an infostealer or other malicious code.
Why the blockchain tactic baffles. If cybersecurity experts are having a difficult time countering this threat, there are good reasons for it.
- There are legitimate uses for the ethers library, so its presence alone is not an indication of anything nefarious, Northern told us.
- EtherHiders can change their payloads rapidly, he said, and pay a “gas fee” to update a smart contract that they own.
- Peterson Gutierrez, VP of information security and interim CISO at cybersecurity company Barracuda, said the blockchain provides a decentralized holding spot for attackers—one that law enforcement can’t bring down. (Barracuda wrote about the threat in an Oct. 31 post.)
What to do. Google gave an EtherWarning in an October 16 blog, citing a financially motivated group (termed “UNC5142”) that was using compromised WordPress websites and the blockchain to distribute info stealers. The company, which also identified North Korean threat actors deploying the tactic to steal crypto and spread malware, found “approximately 14,000 web pages containing injected JavaScript consistent with an UNC5142 compromised website.”
For a suitable defense, Northern recommended that businesses deploy Windows policy rules to associate JavaScript use with a text editor so that inadvertent JavaScript executables open harmlessly as a text file.
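One way to put that recommendation into practice, as an added example that is not from the article, Censys, or Northern: the script below re-points the machine-wide Windows handlers for JavaScript files so that a double-clicked .js or .jse file opens in Notepad rather than running under the Windows Script Host. It assumes the standard JSFile and JSEFile ProgIDs under HKLM:\SOFTWARE\Classes and an elevated session; covering .jse alongside .js is my extension of the advice.

```powershell
# Added example: make JavaScript files open harmlessly in Notepad instead of
# executing via wscript.exe/cscript.exe. Run from an elevated PowerShell session.
# Assumes the standard ProgIDs JSFile (.js) and JSEFile (.jse) in HKLM.

$ProgIds = @('JSFile', 'JSEFile')
# Expand %SystemRoot% now so the stored command works as a plain REG_SZ value.
$NotepadCommand = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""

function Get-ScriptHandler {
    # Returns the current shell "open" command for a ProgID, or $null if absent.
    param([string]$ProgId)
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\Shell\Open\Command"
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key).'(default)'
}

function Set-ScriptHandlerToNotepad {
    # Rewrites the shell "open" command so the file is displayed, not executed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ProgId)
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\Shell\Open\Command"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, 'Set default open command to Notepad')) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCommand
    }
}

foreach ($id in $ProgIds) {
    $before = Get-ScriptHandler -ProgId $id
    # A handler still pointing at the Script Host means the file would execute.
    if ($before -match 'wscript|cscript') {
        Write-Host "$id currently executes scripts: $before"
    }
    Set-ScriptHandlerToNotepad -ProgId $id
    Write-Host "$id now opens with: $(Get-ScriptHandler -ProgId $id)"
}

# Note: a per-user UserChoice entry under HKCU:\...\Explorer\FileExts\.js can
# override this machine-wide setting; deploying the same change through Group
# Policy or Intune keeps it consistent across the fleet.
```

Add `-WhatIf` to the `Set-ScriptHandlerToNotepad` call inside the loop to preview the registry writes before applying them.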
Also, thanks to lower adoption of Web3 principles than some advocates hoped, many orgs don’t need blockchain technology—and should block accordingly. For those companies, Northern advises users to create a block list for the API-like RPC (remote procedure call) endpoints, which are the URLs facilitating communication and data requests in a blockchain. (Some contracts contain a blockable server location, Northern noted in a follow-up exchange.)
Gutierrez said IT pros should set their sights on stopping key steps in the attack, like making users aware of the fake CAPTCHA, or “ClickFix,” tactic.
“Finding ways to break the kill chain is what IT pros should be focusing on,” Gutierrez said.
Evan Gordenker, consulting director at Palo Alto Networks’ Unit 42, recommended that companies apply tight access controls for actions requiring sensitive credentials, and make sure that in those scenarios, callouts to malicious smart contracts can’t happen.
“[IT pros] are the target here,” Gordenker said. “Developers in particular, but also IT folks, depending on the organization, will log into sensitive pages from their personal machines, and if those personal machines have infostealer malware, or in this case, visit a site that’s infected with an EtherHiding payload, then that’s potentially a really good avenue for a threat actor to target them.”