DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

2025-10-16 Google

https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding

Google Threat Intelligence Group observed DPRK actor UNC5342 adopting EtherHiding in the Contagious Interview social engineering campaign to deliver malware and support cryptocurrency theft. The campaign targets developers, especially in cryptocurrency and technology sectors, through fake recruiters, fraudulent companies, malicious coding tests, and ClickFix-style prompts. JADESNOW, a JavaScript downloader, uses smart contracts on BNB Smart Chain and Ethereum to fetch, decrypt, and execute later-stage payloads, commonly leading to the Python-based INVISIBLEFERRET backdoor. EtherHiding makes payload delivery more resilient because malicious code can be stored or referenced through decentralized blockchain infrastructure and retrieved with read-only calls that reduce visibility. The activity matters because it shows a DPRK-aligned actor applying a technique previously associated with criminal campaigns to a high-value social engineering and crypto-theft operation.

Indicators of Compromise

Type   Value                     First Seen   Last Seen
YARA   G_Downloader_JADESNOW_1   2025-10-16   2025-10-16
