DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
ID: 7c612357-3909-5bdd-af55-ef04bbb605cf
STIX ID: report--7c612357-3909-5bdd-af55-ef04bbb605cf
Feed Name: Threat Intelligence
**Executive Summary:** A North Korea-linked campaign (UNC5342) uses convincing fake recruiters and fabricated companies to lure software developers into downloading malicious code during technical assessments. The attack chain leverages JavaScript downloaders (JADESNOW) and EtherHiding via smart contracts on Ethereum/BNB to fetch second- and third-stage payloads (BEAVERTAIL, INVISIBLEFERRET), enabling cryptocurrency theft, credential and wallet exfiltration, and persistent backdoors for long-term espionage.
