Advertisement
North Korean Hackers Exploit Unusual “NimDoor” Malware to Breach Macs
- North Korea-linked hackers use NimDoor, a Nim-written backdoor, posing as trusted contacts on Telegram to trick victims into installing it via fake Zoom updates.
- NimDoor’s rare Nim code and AppleScript backdoors evade detection, working across Mac, Windows, and Linux, and bypass Apple’s memory protections for deep access.
- Once installed, it steals crypto wallet data, browser logins, Telegram keys, and runs keyloggers and infostealers like CryptoBot, exfiltrating data while dodging scanners.
North Korean hackers are stepping up their game with new malware strains targeting Apple devices, zeroing in on crypto firms through a polished social engineering campaign.
Sentinel Labs researchers Phil Stokes and Raffaele Sabato detail the phishing operation in a report published July 2, and their findings show how North Korea-linked actors are pivoting to less common programming languages like Nim, which complicates detection, alongside AppleScript backdoors that infiltrate a target’s system.
The phishing scam goes somewhat like this: the attackers pose as trusted contacts on apps like Telegram, then lure targets into a fake Zoom call through a Google Meet link. There, a bogus “Zoom update” file is awaiting the victim, and when they run it, they’re actually installing a backdoor called NimDoor, built to siphon crypto wallet data and browser credentials from Mac computers.
Related: Crypto Heists Hit Record High in H1 2025 as State-Sponsored Attacks Surge
DPRK Now Using NimDoor
Explained a bit simpler, NimDoor is written in Nim, a rare language that lets hackers deploy the same payload across several operating systems like Mac, Windows, Linux, etc, with little fuss. Unlike more common Go or Rust exploits, Nim’s unusual footprint makes it harder for security tools to flag.
Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice.
Sentinel Labs The bigger worry is how well the malware burrows into Apple’s defenses. Sentinel’s findings show it bypasses built-in memory protections to embed itself deeper, running keyloggers, screen recorders, clipboard hijackers, and an infostealer named CryptoBot designed to hunt wallet extensions inside browsers.
Then, once active, the payload does several things, like stealing browser logins, packages up system data, grabs Telegram’s local encrypted database and its keys, then slips it all out silently, waiting a full ten minutes to dodge scanners.
Huntress, another security firm, reported similar incidents last month linked to BlueNoroff, a known North Korean state-backed crew.
Related: Bitcoin’s Three-Month Rally Shows Signs of Fatigue as Profit-Taking Rises
Author
José Oramas
José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.
