North Korean-linked hackers are increasing their global cyberattacks using new decentralized and evasive malware tools. These campaigns target individuals and companies through fake job recruitment schemes, aiming to steal cryptocurrency, access networks, and evade detection. Researchers warn that the use of blockchain-based command systems is making these operations harder to disrupt.
Expanding Cyber Operations Using Advanced Malware
Cisco Talos has identified a North Korean threat group known as Famous Chollima, which continues to evolve its tactics and tools. The group has been observed using two related malware families named BeaverTail and OtterCookie, both developed to steal credentials and collect sensitive data. These updated variants now share functions that improve communication and efficiency during attacks.
In one case investigated by Cisco Talos, a Sri Lankan organization was indirectly affected when a job seeker was deceived into installing a malicious program as part of a fake technical test. The malware included modules for recording keystrokes and taking screenshots. The collected information was then sent to remote servers controlled by the attackers. Researchers said that this method shows how individuals can be compromised even when organizations are not direct targets.
Blockchain as a Decentralized Command System
Google’s Threat Intelligence Group reported that a North Korean-linked actor, known as UNC5342, has deployed a new malware called EtherHiding. This malware hides malicious JavaScript payloads on public blockchains. By using this approach, attackers build a decentralized command and control (C2) system that is difficult for authorities to remove.
According to GTIG, EtherHiding allows attackers to modify malware behavior remotely without relying on traditional servers. This technique reduces the chances of disruption since blockchain data cannot be easily taken down. Google researchers connected this operation to a broader campaign named Contagious Interview, where fake job offers were used to infect victims. The findings reveal that North Korean groups are integrating decentralized technology to maintain persistence across multiple operations.
Fake Recruitment Campaigns as a Primary Entry Point
Both Cisco and Google observed that these cyber operations often start with fraudulent job postings aimed at professionals in the cryptocurrency and cybersecurity industries. Victims are contacted with supposed interview offers and asked to complete fake assessments that include files embedded with malware.
The infections involve a mix of malware families such as JadeSnow, BeaverTail, and InvisibleFerret, which together enable attackers to steal credentials, deploy ransomware, and gain deeper access into systems. Researchers believe the campaigns seek both financial gain and long-term access to corporate environments for espionage and future exploitation.
Defensive Measures and Ongoing Threats
Cisco Talos and Google have released indicators of compromise (IOCs) to help organizations detect related malicious activity. These indicators include technical markers that security teams can use to monitor and block suspicious behavior linked to these campaigns.
Analysts say that the combination of social engineering and blockchain-based tools is creating new challenges for cybersecurity defense. Since public blockchains cannot be easily controlled or shut down, they are becoming a preferred infrastructure for threat actors seeking to maintain access and conceal their operations.
Researchers from both companies continue to track these campaigns and share findings with the global cybersecurity community. They recommend that organizations verify job offers carefully, restrict file downloads during hiring processes, and update monitoring systems to detect evolving malware families like BeaverTail, OtterCookie, and EtherHiding.
