EtherHiding: Web2 malicious code concealed in a Web3 Smart Contracts.

A new malware campaign called “EtherHiding” has emerged, which uses Binance’s Smart Chain contracts to host parts of a malicious code chain. Guardio researchers have revealed the risks associated with this malicious attack, represents a novel approach that threat actors are employing to carry out cyberattacks using smart contracts.


Threat actors are using the decentralized web and anonymous nature of the blockchain in hosting malicious code. Image-source: Fixitgearware


Nati Tal and Oleg Zaytsev of Guardio Labs disclosed that:

“EtherHiding presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.”

The EtherHiding campaign starts, by threat actors hijacking vulnerable WordPress sites and tricking users into downloading fake browser updates that are actually malware.

Nati and Oleg describes the situation stating that:

“Over the last two months, threat actors have been leveraging a vast array of hijacked WordPress sites, this threat actors has misled users into downloading malicious fake “browser updates”.

Further steps utilized by these attackers include hosting the code on Cloudflare Worker hosts, but they quickly switched to using the decentralized web and anonymous nature of blockchain to host their malicious code, after the Cloudflare worker hosts was taken down.

Guardio researched hinted that:

“While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder.”



Guardio Labs described the “fake browser update” EtherHiding campaign as one that has been ongoing for the last two months. Threat actors utilize this campaign to propagate malware with the sole intent of infecting their victims. The threat actor utilized a website they have defaced to run an overlay browser update before the site can be displayed (usually, this may be a site that an unsuspecting victim usually visits). Unbeknownst to the victim, the malicious update consists of an infostealer malware in the category of Amadey, Lumma, or RedLine.


                             Softoniclabs WordPress based site compromised, and defaced to spread the malware. Image-source: Guardio

Randy McEoin reports that the attack namedClearFake” targets compromised WordPress websites hosting hidden malicious JavaScript code concealed by the attacker. The threat actor begins by injecting an initial bridgehead code into article pages, which subsequently retrieves a second-stage payload from the attacker’s command-and-control server (C2), leading to the defacement of the entire website.




Employing this approach allows the threat actor to remotely alter the malicious code, adjusting tactics, updating blocked domains, replacing detected payloads, all without needing to re-access the WordPress site. Furthermore, they can display any desired message.



However, the new evolution of the “ClearFake” shows threat actors utilizing Binance’s Smart Chain to host the code anonymously, making it difficult to detect and take down, some sort of bullet proof hosting facilitated by the Blockchain. The code is injected into primary template of the compromised WordPress sites (e.g. Balada Injector), and queries the BSC Blockchain to retrieve a payload, which is then executed as JavaScript code.

A fresh contract instance is generated and subsequently initialized with the attacker’s controlled blockchain address and Application Binary Interface (ABI), which specifies the contract’s functions and structure.



Mitigating this issue presents a challenge because of the decentralized nature of blockchain systems. Once a smart contract is deployed, it operates autonomously, meaning it cannot be simply shut down by Binance. Instead, the available recourse is to provide a temporary solution, which involves notifying the community about a potentially malicious or illicitly used contract. The address which has been identified as “Fake_Phishing2561” is still notable online, and delivers the malicious payload.

                        BscScan Report: Official Binance explorer indicating the Fake contract and malicious tag. Image-source: Guardio


Researchers at Guardio emphasized that:

“Apparently as of today, there is no way to stop it. A critical point of intervention to halt such campaigns lies in understanding why WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims.”


Summarizing the event:

Utilizing blockchain technology enables attackers to host their code in an unblockable manner. This campaign underscores the significant threat posed by hosting malicious code on the blockchain for nefarious purposes. To safeguard WordPress sites, the most effective approach involves consistent WordPress infrastructure and plugin updates, securing credentials, employing strong and regularly changing passwords. Researchers at Guardio also listed the IoC’s (Indicator Of Compromise) on its blog post.




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments