
EtherHiding JADESNOW downloader malware activity

Malware Activity
Happening score
H score 28
2 unique sources, 2 articles

Summary


North Korean threat actor UNC5342 is using EtherHiding to deliver malware for cryptocurrency theft in the Contagious Interview campaign. Google Threat Intelligence Group said this is the first observed adoption of the technique by a nation-state actor. EtherHiding stores JavaScript payloads in smart contracts, which makes them difficult to take down or blocklist. The activity uses JADESNOW to deploy a JavaScript variant of INVISIBLEFERRET and targets developers across Windows, macOS and Linux.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

AgingFly malware attacks local governments and hospitals in Ukraine

Malware Activity
First: 16.04.2026 00:57 Last: 16.04.2026 00:57 Sources 1

About this happening: The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Venom Stealer MaaS infostealer with persistent credential harvesting

Malware Activity
First: 31.03.2026 17:51 Last: 31.03.2026 17:51 Sources 1

About this happening: The **Venom Stealer** infostealer now ships as **malware-as-a-service (MaaS)**, expanding access to a persistent credential-theft tool and raising risk for **Windows** users. It s...

Timeline

  1. 16.10.2025 17:00 3 articles · 7mo ago

    GTIG discloses UNC5342 EtherHiding campaign

    Initial Disclosure

    Google Threat Intelligence Group (GTIG) says North Korean threat actor UNC5342 has used EtherHiding since February 2025 in Contagious Interview operations. The operations use fabricated job interview fronts such as BlockNovas LLC, Angeloper Agency, and SoftGlide LLC to target software and web developers with a JavaScript downloader that retrieves JADESNOW from smart contracts on Ethereum or the BNB Smart Chain and can lead to an InvisibleFerret-style payload, credential theft, and in-memory execution.
