A new wave of cyberattacks believed to originate from North Korea is now targeting macOS users working in the cryptocurrency and Web3 sectors, cybersecurity firm Sentinel Labs has revealed. The malware, dubbed “NimDoor,” utilizes an uncommon programming language and employs social engineering tactics to infiltrate Apple systems through fake Zoom updates and phishing links.
Researchers report that the attackers initiate contact via Telegram, posing as reputable contacts to earn the trust of potential victims. These individuals—often employees at blockchain or crypto firms—are invited to phony Zoom calls, where they are instructed to download what appears to be a legitimate Zoom SDK update.
Behind the scenes, this update script executes a chain of malicious processes:
- AppleScript-based beacons to maintain surveillance,
- Bash scripts for credential extraction,
- Nim and C++-compiled binaries that enable remote control and persistence.
One such binary, known as CoreKitAgent, employs a signal-based mechanism that keeps it active even after reboots, making it incredibly difficult to eliminate.
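The chain described above (a script posing as a Zoom SDK update that spawns AppleScript beacons, shell-based credential collection and a dropped binary) can be hunted for in process-start telemetry. The following is an added defender-side example, not code from the article or from SentinelOne; the event layout, file paths and the CoreKitAgent location are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events: (timestamp, pid, ppid, executable, full argv).
# Paths and names are invented; only the shape of the chain mirrors the article.
EVENTS = [
    (100, 501, 1,   "/bin/zsh", "/bin/zsh /Users/alice/Downloads/zoom_sdk_update.sh"),
    (101, 502, 501, "/usr/bin/osascript", "osascript -e ..."),      # AppleScript beacon
    (102, 503, 501, "/bin/bash", "bash -c ..."),                    # credential collection
    (103, 504, 501, "/private/tmp/CoreKitAgent", "CoreKitAgent"),   # dropped binary (path assumed)
    (200, 601, 1,   "/bin/zsh", "/bin/zsh /Users/alice/build.sh"),  # benign developer script
    (201, 602, 601, "/usr/bin/make", "make all"),
    (202, 603, 601, "/bin/bash", "bash -c ..."),
]

SCRIPT_RE = re.compile(r"\.(sh|zsh|command|scpt)$", re.I)
USER_WRITABLE = ("/Users/", "/private/tmp/", "/tmp/", "/var/folders/")
BEACON_TOOLS = {"osascript"}
SHELL_TOOLS = {"bash", "sh", "zsh"}

def script_path(argv):
    """Return the first argv token that looks like a script file, or None."""
    for tok in argv.split():
        if SCRIPT_RE.search(tok):
            return tok
    return None

def looks_like_fake_update(argv):
    """A script advertising itself as a Zoom update, run from a user-writable path."""
    path = script_path(argv)
    return bool(path) and "zoom" in path.lower() and path.startswith(USER_WRITABLE)

def find_update_chains(events, window=60):
    """Flag 'update' scripts that, within `window` seconds, spawn an AppleScript
    beacon together with a shell or a binary executing from a user-writable path."""
    children, by_pid = defaultdict(list), {}
    for ev in events:
        by_pid[ev[1]] = ev
        children[ev[2]].append(ev)
    hits = []
    for pid, (ts, _, _, _, argv) in by_pid.items():
        if not looks_like_fake_update(argv):
            continue
        kids = [c for c in children[pid] if 0 <= c[0] - ts <= window]
        names = {c[3].rsplit("/", 1)[-1] for c in kids}
        dropped = [c[3] for c in kids if c[3].startswith(USER_WRITABLE)]
        if names & BEACON_TOOLS and (names & SHELL_TOOLS or dropped):
            hits.append({"pid": pid, "script": script_path(argv),
                         "children": sorted(names), "dropped": dropped})
    return hits
```

The benign build script also spawns bash, but is not flagged because it neither advertises a Zoom update nor launches osascript; real telemetry (e.g. from an EDR's process events) would replace the constructed list.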
Digital Wallets in the Crosshairs
This campaign appears to specifically target crypto-related data, with a focus on stealing:
- Browser-stored credentials,
- Digital wallet information,
- Keychain and encrypted files from Apple’s password manager,
- And even Telegram’s local database, which could include private keys and seed phrases.
The malware is designed to extract data from major browsers like Chrome, Brave, Edge, and Firefox, all while remaining undetected by traditional antivirus tools.
A New Tactic in North Korea’s Cyber Arsenal
Sentinel Labs has confidently linked the attack to North Korea-aligned threat actors, continuing a longstanding strategy of funding state activities through crypto theft. This particular operation marks a notable shift: previous North Korean campaigns used Go or Rust, but NimDoor represents one of the first high-profile uses of the Nim language in macOS-based attacks.
Notorious groups like Lazarus have repeatedly targeted the crypto sector, with past efforts including Python-based malware like Kandykorn, which was distributed on Discord servers disguised as crypto bots.
macOS Security Assumptions No Longer Hold
Cybersecurity experts now warn that the traditional belief in macOS’s superior malware resistance is outdated. With threat actors adopting obscure languages and complex persistence mechanisms, users and developers alike must rethink their approach to digital security.
Sentinel Labs also referenced recent malware strains such as:
- SparkKitty, which stole seed phrases from iOS photo galleries,
- And a trojanized wallet app that silently replaced legitimate wallet software on Mac systems.
Stay Alert: What You Should Know
- Be cautious of unsolicited Zoom invitations or software updates, even from known contacts.
- Never download SDKs or tools from unverified sources.
- Use multi-factor authentication and encrypted password managers.
- Monitor system behavior for unusual activity, especially after updates or app installations.
As North Korea’s cyber strategies grow more advanced, crypto professionals must remain vigilant—not only about the assets they manage but the platforms they use.