fetch(on-chain data) … decode() … run() Base64/hex blobs EVM logs & calldata DNS/HTTP fallback

What Is “EtherHiding” 

Instead of hosting malicious code on a normal server that defenders can seize or block, the attacker stores small, encoded chunks inside public Ethereum transactions or contract logs. A web script (delivered via malvertising, supply-chain plug-ins, or watering holes) reads those chunks through a blockchain API, decodes them, and executes the loader. Because the data lives on-chain, it’s globally reachable, content-addressed, and difficult to take down.

Typical Attack Chain

1. Initial Access: Malicious ad, compromised media site/CMS, or rogue browser extension injects a short bootstrap script.
2. On-Chain Fetch: Script queries an RPC/HTTPS provider (e.g., api.* endpoints) for specific transaction hashes, topics, or calldata slots.
3. Decoding/Assembly: Base64/hex segments are combined and lightly obfuscated; feature flags select OS/locale/wallet targets.
4. Second Stage: Downloader retrieves stealer or RAT (Windows/macOS/Linux), often with crypto-asset discovery modules.
5. Exfil & Cash-out: Credentials, cookies, and seed phrases exfiltrate to C2; stolen funds are bridged/mixed rapidly.

Who’s at Risk (US/EU/UK/AU/IN)

• Crypto exchanges, fintech, Web3 startups, and enterprises with staff using wallet browser extensions.
• Media/AdTech networks susceptible to malvertising and third-party script injection.
• MSP/MSSP and SOC teams relying solely on URL/domain blocklists (which won’t stop on-chain reads).

Key Defensive Insights

• On-chain is “content,” not “command”: Treat blockchain RPC endpoints like code repositories—monitor and gate their use from browsers and servers.
• Runtime controls beat static lists: Use browser isolation, EDR script-control, strict CSP, and extension allow-lists.
• Look for patterns: Repeated /api?module=logs / eth_getLogs / eth_call requests from untrusted web origins followed by suspicious eval/new Function/WebAssembly.instantiate.

Detections & Hunts (SOC Playbook)

Network / Proxy
- Alert if user browsers access blockchain RPC providers (e.g., */api?module=account|logs, */eth_rpc, */v1/mainnet/*) from non-dev machines.
- Flag sequences: GET blockchain API --> GET opaque JavaScript blob --> POST to unfamiliar C2.

EDR / Telemetry
- Block or alert on eval/new Function with decoded base64/hex of unusual size.
- Monitor chrome.exe/edge.exe spawning child processes, writing to extension directories, or accessing wallet extension paths.
- Watch for clipboard hooks + Window title enumeration of wallet UIs.

Browser Security / CSP
- Enforce CSP that disallows inline scripts and restricts connect-src to approved domains; denylist known RPC providers for non-dev OU.
- Extension allow-list for wallet/crypto tooling; disable developer mode for extensions in enterprise.

SIEM (KQL/Generic Sketch)
- where http.url contains "eth_getLogs" or "module=logs" and deviceRole != "dev"
- | join (process where command_line matches base64 decode and (eval|Function)) on device_id, 5m window
- | add_alert "EtherHiding-like chain fetch & runtime decode"

Mitigations (Do These Now)

• Harden Third-Party Scripts: Remove unused plug-ins; pin integrity (SRI) for critical libraries; enable subresource integrity for CDN assets.
• CSP & CORP/COEP: default-src 'none'; script-src 'self'; connect-src 'self' https://api.your-needed-domains; adopt CORP/COEP to constrain cross-origin data.
• Restrict Blockchain RPC: Proxy and authenticate all RPC/Explorer traffic; block from general user VLANs.
• Extension Governance: Enterprise policy to only allow audited extensions; auto-remove unapproved crypto add-ons.
• EDR Script Controls: Disable JIT/eval where possible; block suspicious script interpreters launched by browsers.
• Credential Hygiene: Hardware keys for exchange/admin access; password managers with anti-phishing domain binding.

Incident Response (If You Suspect EtherHiding Activity)

1. Isolate affected endpoints; capture browser memory and network traces for IOC extraction.
2. Rotate credentials, revoke sessions (SSO, exchange accounts, cloud consoles), and re-enroll MFA.
3. Audit wallet extensions, browser profiles, and clipboard history; move funds to new wallets with hardware key signing.
4. Block implicated RPC/API endpoints at proxy; add detections for the observed on-chain selectors.
5. Harden ad/analytics supply chain; enable content-security-policy-report-only before enforcing.

Indicators to Watch (Examples)

• High-entropy base64/hex blobs fetched from blockchain explorer APIs by non-developer browsers.
• Transaction log queries filtered on uncommon topics immediately before malware C2 traffic.
• New or modified Chrome/Edge extensions not in the organization allow-list.

Related Reading on CyberDudeBivash

• Malvertising campaigns & browser hardening
• Stealer telemetry and response checklists
• Securing browser wallets in enterprise

#EtherHiding #BlockchainAbuse #NorthKorea #Lazarus #Malvertising #Web3Security #CryptoTheft #SmartContracts #ThreatIntelligence #SOC #EDR #CSP #BrowserSecurity #SIEM #DFIR #ZeroTrust #US #UK #EU #Australia #India

Educational, defensive guidance only. No exploit code or operational details are provided.