
Briefing

A sophisticated, multi-stage attack dubbed ‘ClickFix’ is actively targeting Web3 users by compromising legitimate websites with malicious JavaScript injections. The primary consequence is the theft of user credentials and private keys via common stealers like AMOS and Vidar, leading directly to wallet draining. This campaign achieves high stealth and resilience by using the “EtherHiding” technique, which stores the final-stage malware payload across four separate smart contracts deployed on the Binance Smart Chain.


Context

The prevailing threat landscape has seen a critical increase in supply chain attacks, where threat actors compromise a trusted third-party service to inject malicious code into front-end interfaces. This campaign leverages the inherent trust users place in legitimate websites and takes advantage of the absence of security measures that scan for malicious data hidden in on-chain state. The architecture bypasses conventional network-level security tools, which typically block known malware delivery domains but do not inspect blockchain RPC traffic.


Analysis

The attack chain initiates when a user visits a compromised website, triggering a malicious JavaScript injection that displays a fake CAPTCHA check (the ‘ClickFix’ lure). This script then executes the “EtherHiding” vector, querying a set of four smart contracts on the Binance Smart Chain to retrieve a Base64-encoded payload. A critical “gate contract” controls the delivery, allowing the threat actor to selectively enable or disable the attack by altering on-chain state.

This mechanism ultimately serves an OS-specific stealer that harvests credentials and private keys. The use of the immutable blockchain as a command-and-control server makes the payload highly resistant to takedown attempts.


Parameters

  • Attack Vector Obfuscation ∞ Four smart contracts on BSC used for payload storage and delivery.
  • Infection Method ∞ Malicious JavaScript injection on compromised legitimate websites.
  • Payload Stealers ∞ AMOS and Vidar malware families.
  • Control Mechanism ∞ On-chain state change via a “gate contract” to toggle the attack.


Outlook

Immediate mitigation requires all Web3 users to exercise extreme caution with any unexpected CAPTCHA or wallet-signing request, regardless of the host website’s apparent legitimacy. For protocols, this incident establishes a new security standard mandating continuous monitoring for third-party script integrity and the integration of on-chain forensic tools to identify malicious data storage patterns. The technique of using blockchain state for C2 infrastructure is a contagion risk that will likely be adopted by other sophisticated threat actors, necessitating a shift in defense from network-level to on-chain data analysis.
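The Analysis and Outlook sections describe payload strings stored in smart contracts and a gate contract that toggles delivery. As an added example (not code from the original briefing or from the reported campaign), the Python below decodes the raw hex that an eth_call returns for a contract's `string` and `bool` read functions, then flags a stored string that is Base64 wrapping loader-like text. The sample payload, the marker list and the function names are constructed for this example; no real contract addresses or campaign payloads are used.

```python
import base64
import re

# Constructed, harmless sample: a one-line marker that merely resembles loader
# code. It stands in for whatever a storage contract might return; it is NOT
# the campaign's real payload.
_MARKER = b"const s = atob('ZGVtbw=='); document.write(s);"
SAMPLE_PAYLOAD_B64 = base64.b64encode(_MARKER)

def _unhex(hex_result: str) -> bytes:
    return bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)

def abi_encode_string(data: bytes) -> str:
    """Encode one dynamic `string` return value the way eth_call returns it:
    head offset word, length word, then data padded to a 32-byte boundary."""
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    pad = b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + data + pad).hex()

def abi_decode_string(hex_result: str) -> bytes:
    """Inverse of abi_encode_string: recover the raw bytes of a string result."""
    raw = _unhex(hex_result)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]

def abi_decode_bool(hex_result: str) -> bool:
    """Decode a `bool` result, e.g. a gate contract's 'is enabled' read function."""
    return int.from_bytes(_unhex(hex_result)[:32], "big") != 0

# Tokens that have no business inside a contract's string storage (constructed list).
LOADER_MARKERS = re.compile(rb"atob\(|eval\(|document\.write|powershell|/bin/sh|curl ", re.I)

def classify_contract_string(hex_result: str) -> dict:
    """Report whether a string result is Base64 and whether its content
    (decoded if Base64, raw otherwise) contains loader-like tokens."""
    stored = abi_decode_string(hex_result)
    report = {"bytes": len(stored), "base64": False, "loader_like": False, "markers": []}
    try:
        inner = base64.b64decode(stored, validate=True)
        report["base64"] = True
    except ValueError:      # binascii.Error is a ValueError subclass: not Base64
        inner = stored
    report["markers"] = sorted({m.decode().lower() for m in LOADER_MARKERS.findall(inner)})
    report["loader_like"] = bool(report["markers"])
    return report

def gate_open_and_payload_armed(gate_result: str, payload_result: str) -> bool:
    """Alert condition for an on-chain monitor: gate flag set AND stored payload
    decodes to loader-like code. Both arguments are raw eth_call results."""
    return abi_decode_bool(gate_result) and classify_contract_string(payload_result)["loader_like"]
```

A monitor built on this would poll the suspect contracts' read functions over a normal JSON-RPC endpoint and alert when `gate_open_and_payload_armed` flips to true, which is the on-chain state change the briefing describes.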


Verdict

This EtherHiding campaign represents a significant escalation in Web3 attack sophistication, demonstrating that threat actors are successfully leveraging the blockchain’s immutability as an undetectable command-and-control infrastructure.

supply chain attack, malicious javascript injection, on-chain payload delivery, smart contract obfuscation, credential stealer malware, private key theft, wallet draining scam, social engineering lure, Base64 encoded payload, Binance Smart Chain, gate contract logic, multi-stage infection, web3 security threat, front-end compromise, remote code execution, OS specific malware

Signal Acquired from ∞ thehackernews.com

Micro Crypto News Feeds

wallet draining

Definition ∞ Wallet Draining is a malicious activity where an attacker illicitly transfers funds from a victim's digital wallet.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

smart chain

Definition ∞ A Smart Chain is a type of blockchain network specifically designed to support the execution of smart contracts and decentralized applications.

private keys

Definition ∞ Private keys are secret cryptographic codes that grant exclusive access and control over a user's digital assets on a blockchain.

javascript injection

Definition ∞ JavaScript Injection is a cyberattack where malicious JavaScript code is inserted into a website.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

web3

Definition ∞ Web3 represents the conceptual evolution of the internet, aiming for a decentralized architecture built upon blockchain technology and distributed ledger systems.