EtherHiding: Fake CAPTCHAs, Click-Fix Lures, and Blockchain-Backed Payload Delivery
ID: 6b09bdf0-07c4-54fe-a16e-d82e84e37abb
STIX ID: report--6b09bdf0-07c4-54fe-a16e-d82e84e37abb
Feed Name: Censys Blog
Date Published: 2025-11-21
Date Updated: 2026-04-27
Author: Andrew Northern, Principal Security Researcher
EtherHiding is a web-delivered malware campaign that uses fake CAPTCHA lures and smart-contract storage on the Binance Smart Chain testnet to stage and rotate payloads without changing the compromised websites themselves. Injected pages load ethers.js and perform on-chain eth_call lookups to retrieve OS-specific JavaScript that populates the clipboard with attacker commands; victims who paste into Terminal (macOS) or the Run dialog (Windows) trigger curl-to-bash or MSHTA download-and-execute flows that deploy credential-stealing and backdoor components (notably commodity stealers such as Amos and Vidar). Censys telemetry shows widespread reuse of the fake CAPTCHA pages and recurring contract addresses, and the report provides behavioral detection signals and hunting guidance for defenders.
