#etherhiding — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #etherhiding, aggregated by home.social.
-
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.
Pulse ID: 6a0200aec25a59a6b9d4edcf
Pulse Link: https://otx.alienvault.com/pulse/6a0200aec25a59a6b9d4edcf
Pulse Author: AlienVault
Created: 2026-05-11 16:15:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #Cloud #CyberSecurity #Dropbox #EtherHiding #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #SideLoading #UK #bot #AlienVault
-
Malware Bypasses Browser Application-Bound Encryption Protections
A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.
Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault
-
An unprecedented method, dubbed "#EtherHiding", turns the #Ethereum #cryptocurrency #blockchain into an offensive arsenal. #Google's #cybersecurity #researchers are sounding the #alarm over this #technological escalation
-
EtherHiding emerges as a malware delivery mechanism!
Google threat intelligence is reporting North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.
EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.
Once a target opens the file, a malicious script connects to a public blockchain like BNB Smart Chain or Ethereum, to retrieve encrypted code from a smart contract. That code installs a JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain
-
North Korean state-sponsored hackers are embedding malware within public blockchains to steal cryptocurrency, a technique called "EtherHiding." Malicious JavaScript payloads are hidden inside smart contracts, making them effectively unremovable.
Read more: https://www.tomshardware.com/tech-industry/cyber-security/north-korea-hiding-malware-inside-blockchain-smart-contracts
#Cybersecurity #Malware #NorthKorea #Hacking #Blockchain #Crypto #Cryptocurrency #EtherHiding #SmartContracts #CyberAttack #TechNews
-
#NorthKorea|n #hackers, tracked as #UNC5342, are using the #EtherHiding technique to hide #malware on the #blockchain. This technique, first described by Guardio Labs, allows the threat actor to host #maliciousscripts within #smartcontracts on the Binance Smart Chain or Ethereum, making it difficult to track and disrupt campaigns. https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-etherhiding-to-hide-malware-on-the-blockchain/?eicker.news #tech #media #news
-
North Korean Hackers Use ‘EtherHiding’ to Spread Malicious Crypto Wallets, Mandiant Warns - TLDR:
DPRK hackers use EtherHiding to embed malicious scripts within blockchain smart co... - https://blockonomi.com/north-korean-hackers-use-etherhiding-to-spread-malicious-crypto-wallets-mandiant-warns/ #blockchainsecurity #binancesmartchain #wordpressattacks #cryptophishing #cryptowallets #cybersecurity #dprkhackers #etherhiding #security #mandiant #crime #apt43
-
North Korean hackers are taking stealth to a new level: embedding malware into blockchain smart contracts and tricking devs with fake job interviews. Are we ready for a world where your next code review could be a trap?
#etherhiding
#northkoreanhackers
#blockchainsecurity
#malwaredistribution
#smartcontracts
#cyberthreats
#socialengineering
#infosec
-
#etherhiding (hiding malicious code in blockchain-based smart contracts) is not only by #ClearFake-related actors – but now also for #Magecart 👇