North Korean Hackers Deploy NimDoor Malware to Steal Cryptocurrency from Mac Users

Cybersecurity experts at SentinelLabs have uncovered a sophisticated new malware campaign dubbed NimDoor, orchestrated by North Korean state-sponsored hackers. This advanced backdoor, coded in the obscure Nim programming language, is designed to target macOS users, particularly those in the cryptocurrency and Web3 sectors, to steal valuable digital assets and sensitive data. The stolen cryptocurrency is believed to fund North Korea’s state operations and weapons programs.

Stealthy Tactics to Evade Detection

NimDoor leverages the Nim language to bypass traditional antivirus tools, as its uncommon usage makes it harder for security software to detect. The malware employs AppleScript for beaconing and asynchronous sleep timers, enabling it to maintain persistent access to infected systems while evading conventional security measures. This marks a significant leap in the technical sophistication of North Korean cyberattacks.

Social Engineering via Fake Zoom Updates

The attack begins with social engineering tactics, where hackers impersonate trusted contacts on Telegram to lure victims into scheduling fake Zoom meetings via Calendly. Victims receive a phishing email containing a spoofed Zoom update link, which, instead of updating the software, deploys the NimDoor malware. Once installed, the malware extracts sensitive information, including browsing histories, cookies, Telegram data, Keychain passwords, and cryptocurrency wallet credentials.

Exploiting Remote Work Trends

“This campaign highlights an alarming evolution in North Korean cyber tactics, exploiting the rise of remote work and the misconception that Mac users are less vulnerable to attacks,” SentinelLabs researchers noted. The use of fake Zoom updates capitalizes on the trust users place in routine software updates, making the attack particularly deceptive.

Lazarus Group’s Billion-Dollar Heists

The campaign is attributed to the notorious Lazarus Group, a North Korean hacking collective responsible for stealing over $3.4 billion in cryptocurrency through various attacks between 2021 and 2025. High-profile heists include the $1.5 billion ByBit exchange breach in February 2025 and the $600 million Ronin Bridge hack in March 2022. The group’s focus on Web3 and crypto firms underscores its strategy of targeting high-value individuals and organizations with insufficiently protected digital wallets.

Protecting Against NimDoor

To safeguard against such threats, experts recommend heightened caution with unsolicited emails, links, or software update prompts, especially those received via messaging platforms. Adopting robust cybersecurity practices, such as multi-factor authentication and regular software updates from verified sources, is critical for macOS users in the crypto space.
