Cybercriminals Use EtherHiding to Spread Malware and Constantly Shift Payloads Online
This method, first observed by researchers at Censys, allows cybercriminals to update and rotate malware with minimal effort while keeping compromised websites unchanged.
By leveraging the Binance Smart Chain testnet and JavaScript injections, the campaign shifts the hosting model from centralized servers to decentralized blockchain storage, creating a durable, low‑cost delivery network.
The attack starts with a web injection on a compromised website. Criminals add a script tag containing a Base64‑encoded JavaScript blob disguised behind a fake CAPTCHA image, often using the recognizable reCAPTCHA logo from Wikimedia.
When victims try to “verify they are human,” the injected JavaScript loads the Ethers library and communicates with smart contracts on the Binance Smart Chain. Through eth_call requests, the script retrieves OS‑specific payloads without using static URLs.
The first smart contract validates whether the browser is automated or headless. If it passes, a second call fetches the payload based on the victim’s operating system, Windows or macOS.
Attackers even use a “contract gate” mechanism that accepts or denies victims based on unique identifiers stored in browser cookies. All updates occur on‑chain, allowing attackers to modify payloads by simply altering blockchain data rather than web servers.
Once verified, the script displays a fake CAPTCHA prompt asking users to copy and run text locally, a social‑engineering trick known as the ClickFix technique. On Windows, the copied command triggers MSHTA for remote execution.
On macOS, it uses Terminal commands to download additional scripts with curl and establish persistence via LaunchAgent files. This deception bypasses many antivirus or browser defenses because users execute the commands themselves.
The macOS payload goes further, performing credential theft and command‑and‑control (C2) communication. It collects system details, verifies stored passwords using native tools, and even scrapes data from Telegram or Steam profiles to find updated C2 addresses.
The script stays in constant contact with the attacker’s server, synchronizing stolen credentials and fetching new commands periodically.
EtherHiding highlights how blockchain infrastructure is being repurposed for malicious use. By using smart‑contract storage for dynamic payloads, attackers hide behind decentralized systems that are difficult to take down.
Defenders can still detect such threats by monitoring websites for base64‑encoded scripts, unexpected Ethers library imports, or fake CAPTCHA assets that instruct users to copy code.
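As an added example (not code from the article or from Censys), a small Python scanner that applies those three page-level checks to a constructed sample of the injected page and to a benign page; the regexes, labels, `.invalid` hosts and the sample markup are this example's own assumptions, not indicators taken from the campaign.

```python
import base64
import re

# Regexes are this example's own assumptions about how the article's indicators appear in page source.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")                 # long Base64 run
ETHERS_RE = re.compile(r"ethers(\.min|\.umd)?\.js|\bethers\.(Contract|JsonRpcProvider)\b", re.I)
CHAIN_RE = re.compile(r"eth_call|bsc[-_]?testnet|binance", re.I)  # on-chain lookups
CAPTCHA_RE = re.compile(r"wikimedia\.org/[^\"']*recaptcha|verify (you are|you're) human", re.I)
COPY_RE = re.compile(r"\b(copy|paste|win\s*\+\s*r|terminal)\b", re.I)  # "copy and run" prompt

def decode_blobs(text):
    """Decode long Base64 runs so logic hidden in an encoded script can be scanned."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # not valid Base64 (e.g. a long token or hash)
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded

def scan_page(html):
    """Return the sorted EtherHiding-style indicators found in one HTML document."""
    findings = set()
    blobs = []
    for body in SCRIPT_RE.findall(html):
        blobs.extend(decode_blobs(body))
    if blobs:
        findings.add("base64-script-blob")
    for text in [html, *blobs]:     # check the raw page and each decoded blob alike
        for regex, label in ((ETHERS_RE, "ethers-import"), (CHAIN_RE, "on-chain-eth_call")):
            if regex.search(text):
                findings.add(label)
    if CAPTCHA_RE.search(html) and COPY_RE.search(html):
        findings.add("fake-captcha-copy-prompt")
    return sorted(findings)

# Constructed sample: an injected page shaped like the one the article describes (hosts are placeholders).
_INNER = (b'const rpc="https://bsc-testnet.rpc.invalid";'
          b'fetch(rpc,{method:"POST",body:JSON.stringify({method:"eth_call",params:[]})});')
INJECTED_PAGE = (
    '<script src="https://cdn.example.invalid/ethers.min.js"></script>'
    '<img src="https://upload.wikimedia.org/wikipedia/commons/RecaptchaLogo.svg">'
    '<p>Verify you are human: press Win+R, paste the copied text and run it.</p>'
    '<script>eval(atob("' + base64.b64encode(_INNER).decode() + '"))</script>'
)
# Constructed sample: a benign page that loads the real reCAPTCHA script and asks nothing to be copied.
BENIGN_PAGE = ('<script src="https://www.google.com/recaptcha/api.js"></script>'
               '<p>Please verify you are human to continue.</p>')
```

Run `scan_page` over crawled copies of your own sites; a hit on the Base64 blob plus either the Ethers import or the copy prompt is worth a manual look, while any single indicator alone is common enough to produce noise.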
This campaign shows that decentralized technology, once meant for transparency and security, is now a powerful tool for adaptive malware distribution.
The post Cybercriminals Use EtherHiding to Spread Malware and Constantly Shift Payloads Online appeared first on Cyber Security News.