2025-11-02 // Dylan Evans
Potential EtherHiding Activity via Blockchain Explorer Connections
Defender XDR
Detects suspicious network connections to blockchain explorer APIs that may indicate UNC5342’s use of new EtherHiding techniques for retrieving malicious payloads.
Detecting Suspicious Blockchain Explorer Connections
Overview
This detection identifies anomalous network connections to blockchain explorer APIs, which threat actors like UNC5342 use in their EtherHiding technique—an evasion method where malicious payloads are retrieved via smart contract interactions. The query flags suspicious URLs containing keywords like eth_call or free API keys (apiKey=freekey) that indicate compromised systems probing blockchain data for further exploitation.
Query
DeviceNetworkEvents
| where RemoteUrl has_any ("explorer", "block", "cypher", "eth", "bit", "coin", "crypto")
| where RemoteUrl has_any ("eth_call", "apiKey=freekey")
| project ReportId, DeviceId, Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
Logic Explanation
The query filters DeviceNetworkEvents for connections to known blockchain-related domains (e.g., explorer, eth) and checks if the URLs include suspicious patterns like:
- eth_call: A read-only function call used by threat actors to extract data from smart contracts.
- apiKey=freekey: A common free API key provided by services like EthPlorer, often abused in automated probing.
It surfaces connections where:
- The destination URL matches one of the predefined patterns (case-insensitive).
- No explicit process list is enforced (commented out), allowing broader scope but risking false positives from legitimate browsers or scripts.
Tuning Notes
- False positives may arise if legitimate users interact with blockchain APIs (e.g., crypto traders) or if eth_call queries are part of automated monitoring tools.
- Suggestion: Exclude known benign processes (e.g., Chrome, Firefox) by uncommenting and refining the initiatingProcesses list.
- False negatives could occur if the query misses newer blockchain domains or variations of freekey.
- Suggestion: Expand blockchainExplorerPatterns with additional TLDs (e.g., .eth, .io) or use regex for partial matches.
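An added example (not from the original post): a Python re-implementation of the query's two-stage filter, run over constructed DeviceNetworkEvents rows, with the benign-process exclusion and the partial-match option from the tuning notes. It assumes Kusto has_any matches whole, case-insensitive terms; the process names, device names, URLs and the BENIGN_PROCESSES list are made up for illustration.

```python
import re
from dataclasses import dataclass

# Keyword sets copied from the KQL query on this page.
BLOCKCHAIN_KEYWORDS = ("explorer", "block", "cypher", "eth", "bit", "coin", "crypto")
SUSPICIOUS_PATTERNS = ("eth_call", "apiKey=freekey")
# Hypothetical benign-process exclusion list (the "initiatingProcesses" idea from the tuning notes).
BENIGN_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class NetworkEvent:
    device_name: str
    initiating_process: str
    remote_url: str


def _terms(text: str) -> list[str]:
    """Split text into lowercase alphanumeric terms (assumed to approximate Kusto term indexing)."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", text.lower()) if t]


def has_any(text: str, patterns, partial: bool = False) -> bool:
    """partial=False mimics has_any (whole-term match); partial=True is a plain substring match."""
    if partial:
        lowered = text.lower()
        return any(p.lower() in lowered for p in patterns)
    terms = _terms(text)
    for p in patterns:
        want = _terms(p)  # "eth_call" -> ["eth", "call"]; must appear as consecutive terms
        n = len(want)
        if any(terms[i:i + n] == want for i in range(len(terms) - n + 1)):
            return True
    return False


def is_suspicious(event: NetworkEvent, exclude_benign: bool = False, partial: bool = False) -> bool:
    if exclude_benign and event.initiating_process.lower() in BENIGN_PROCESSES:
        return False
    return (has_any(event.remote_url, BLOCKCHAIN_KEYWORDS, partial)
            and has_any(event.remote_url, SUSPICIOUS_PATTERNS, partial))


def hunt(events, exclude_benign: bool = False, partial: bool = False) -> list[str]:
    """Return the device names of events the detection would surface."""
    return [e.device_name for e in events if is_suspicious(e, exclude_benign, partial)]


# Constructed sample rows: ws04 only matches "eth" as a partial token inside "ethplorer".
SAMPLE_EVENTS = [
    NetworkEvent("ws01", "powershell.exe", "https://explorer.example.net/rpc?method=eth_call&apiKey=freekey"),
    NetworkEvent("ws02", "chrome.exe", "https://explorer.example.net/api?action=eth_call"),
    NetworkEvent("ws03", "outlook.exe", "https://mail.example.com/owa"),
    NetworkEvent("ws04", "powershell.exe", "https://api.ethplorer.io/getAddressInfo/0x0?apiKey=freekey"),
]
```

Running hunt() on the samples shows the browser-driven false positive on ws02 disappearing with exclude_benign=True, and the ethplorer row (ws04) only being caught once partial matching is enabled.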
References
- UNC5342’s EtherHiding Technique – Original query author.
- MITRE ATT&CK T1566.002: Data from Compromised System (smart contract interactions).
- EtherHiding Research Paper – Technical background on evasion methods.