BSidesLuxembourg 2026

Ellis Stannard

Ellis Stannard is a part-time security researcher and core member of the Ransom-ISAC (Information Sharing and Analysis Center) initiative, where he contributes to collaborative threat intelligence efforts focused on ransomware and advanced persistent threat (APT) campaigns.


Session

05-08
14:40
40min
XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSEC Encounters
Ellis Stannard

This report presents the first documented analysis of Cross-Chain TxDataHiding (XCTDH), a novel command-and-control technique employed by DPRK-linked threat actors in cryptocurrency theft operations. The attack leverages multiple blockchain networks—TRON and Aptos as decentralized pointer systems, and Binance Smart Chain (BSC) for encrypted payload storage—to create virtually untraceable, takedown-proof malware infrastructure.

Discovered during investigation of a malicious GitHub repository used in fake job recruitment campaigns, this technique represents a significant evolution from previously documented blockchain-based C2 methods. Unlike Etherhiding (which stores payloads in smart contract storage), XCTDH embeds malicious code within blockchain transaction input data across multiple chains, retrieved via standard RPC calls that are indistinguishable from legitimate cryptocurrency traffic.

The attack chain begins with social engineering through fraudulent job postings, progresses through weaponized repositories containing heavily obfuscated JavaScript, and culminates in multi-stage payload delivery that evades modern EDR solutions. At an operational cost of approximately $1 USD, attackers establish resilient infrastructure that can dynamically update payloads, automatically failover between blockchain networks, and resist traditional takedown efforts—all while appearing as legitimate crypto wallet activity.

This analysis details the technical mechanisms, attribution indicators linking the campaign to DPRK operations, economic asymmetries favoring attackers, and the strategic implications of blockchain-based C2 for the future threat landscape.
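The abstract's defensive lever is that the retrieval traffic looks like ordinary wallet activity only in isolation: a single process pulling individual transactions from several unrelated chains in quick succession is not how wallets behave. The following Python is an added detection sketch, not code from the talk or from the speaker, that runs that heuristic over constructed egress log lines. The log format (`timestamp|process|host|request`), the hostnames, and the process allowlist are all invented for the example; `eth_getTransactionByHash` is the standard EVM JSON-RPC method (BSC is EVM-compatible), while the TRON and Aptos request paths are assumed here for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hostname -> chain mapping. A real deployment would carry its own
# list of public RPC/API gateways; these hostnames are placeholders.
CHAIN_BY_HOST = {
    "bsc-rpc.example.invalid": "bsc",
    "tron-api.example.invalid": "tron",
    "aptos-api.example.invalid": "aptos",
}

# Request fragments that fetch one transaction (and therefore its input data).
# eth_getTransactionByHash is the standard EVM JSON-RPC method; the TRON and
# Aptos paths are assumptions used for illustration.
TX_FETCH_MARKERS = (
    "eth_getTransactionByHash",
    "/wallet/gettransactionbyid",
    "/v1/transactions/by_hash",
)

# Processes expected to talk to chain endpoints (constructed allowlist).
ALLOWLISTED_PROCS = {"wallet-app.exe", "chrome.exe"}

# Constructed sample egress log: timestamp|process|host|request.
SAMPLE_LOG = """
2026-05-08T14:40:01Z|node.exe|tron-api.example.invalid|POST /wallet/gettransactionbyid
2026-05-08T14:40:03Z|node.exe|bsc-rpc.example.invalid|POST / {"method":"eth_getTransactionByHash"}
2026-05-08T14:40:05Z|node.exe|aptos-api.example.invalid|GET /v1/transactions/by_hash/0xabc
2026-05-08T14:41:00Z|wallet-app.exe|bsc-rpc.example.invalid|POST / {"method":"eth_getTransactionByHash"}
2026-05-08T14:50:00Z|node.exe|bsc-rpc.example.invalid|POST / {"method":"eth_blockNumber"}
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, process, host, request)."""
    ts, proc, host, request = line.strip().split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, host, request


def tx_fetch_events(lines):
    """Yield (timestamp, process, chain) for single-transaction lookups made
    by processes that are not on the allowlist against known chain hosts."""
    for line in lines:
        if not line.strip():
            continue
        ts, proc, host, request = parse_line(line)
        chain = CHAIN_BY_HOST.get(host)
        if chain is None or proc in ALLOWLISTED_PROCS:
            continue
        if any(marker in request for marker in TX_FETCH_MARKERS):
            yield ts, proc, chain


def find_suspects(lines, window=timedelta(minutes=5), min_chains=2):
    """Return {process: sorted chain names} for every process that fetched
    transactions from at least `min_chains` distinct chains inside `window`."""
    by_proc = defaultdict(list)
    for ts, proc, chain in tx_fetch_events(lines):
        by_proc[proc].append((ts, chain))

    findings = {}
    for proc, events in by_proc.items():
        events.sort()
        best = set()
        # Slide a window starting at each event and keep the widest chain set.
        for i, (start, _) in enumerate(events):
            chains = {c for t, c in events[i:] if t - start <= window}
            if len(chains) > len(best):
                best = chains
        if len(best) >= min_chains:
            findings[proc] = sorted(best)
    return findings


if __name__ == "__main__":
    for proc, chains in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{proc}: transaction lookups on {', '.join(chains)} within one window")
```

The heuristic deliberately ignores what the transactions contain: the pointer-then-payload pattern the abstract describes shows up as the ordering and spread of lookups, which is observable at a proxy or EDR network sensor without decrypting anything. Tune the window and the allowlist to the environment; a script interpreter that is never expected to reach chain gateways at all is a stronger signal still.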

Main Stage