home.social

#etherhiding — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #etherhiding, aggregated by home.social.

  1. Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

    Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.

    Pulse ID: 6a15ba2632bd7e246e9c1250
    Pulse Link: otx.alienvault.com/pulse/6a15b
    Pulse Author: AlienVault
    Created: 2026-05-26 15:20:06

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BlockChain #Browser #CandC #ClearFake #CyberSecurity #EtherHiding #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

  2. Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

    An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.

    Pulse ID: 6a0200aec25a59a6b9d4edcf
    Pulse Link: otx.alienvault.com/pulse/6a020
    Pulse Author: AlienVault
    Created: 2026-05-11 16:15:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BlockChain #Cloud #CyberSecurity #Dropbox #EtherHiding #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #SideLoading #UK #bot #AlienVault

  3. Malware Bypasses Browser Application-Bound Encryption Protections

    A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

    Pulse ID: 69fb17376737204f3abf5eaf
    Pulse Link: otx.alienvault.com/pulse/69fb1
    Pulse Author: AlienVault
    Created: 2026-05-06 10:25:59

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

  4. EtherHiding emerges as a malware delivery mechanism!

    Google threat intelligence is reporting North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.

    EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.

    Once a target opens the file, a malicious script connects to a public blockchain like BNB Smart Chain or Ethereum, to retrieve encrypted code from a smart contract. That code installs a JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

    cloud.google.com/blog/topics/t #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain

  5. North Korean state-sponsored hackers are embedding malware within public blockchains to steal cryptocurrency, a technique called "EtherHiding." Malicious JavaScript payloads are hidden inside smart contracts, making them effectively unremovable.
    Read more: tomshardware.com/tech-industry
    #Cybersecurity #Malware #NorthKorea #Hacking #Blockchain #Crypto #Cryptocurrency #EtherHiding #SmartContracts #CyberAttack #TechNews

  6. #NorthKorea|n #hackers, tracked as #UNC5342, are using the #EtherHiding technique to hide #malware on the #blockchain. This technique, first described by Guardio Labs, allows the threat actor to host #maliciousscripts within #smartcontracts on the Binance Smart Chain or Ethereum, making it difficult to track and disrupt campaigns. bleepingcomputer.com/news/secu #tech #media #news

  7. TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

    blog.sekoia.io/clearfakes-new-

  8. #etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

  9. Malicious code has been stored in the blockchain forever

    One of the old hacker tricks is to distribute malware under the guise of a browser update. A banner is placed on a compromised site claiming that the browser must be updated to view the page, together with a button to download the update, as in the screenshot from last year's ClearFake attack. In this way, the victim installs the malware on their own computer themselves. Last year, attackers devised a clever way to protect the malicious software from being taken down: they placed it in a decentralized, anonymous blockchain. That is, they embedded the code in a smart contract, which is now preserved forever in public view.

    habr.com/ru/companies/globalsi

    #блокчейн #обновление_браузера #BSC #Binance_Smart_Chain #Binance #BNB #WordPress #ClearFake #BscScan #EtherHiding