North Korean Hackers Unleash New Apple Malware in Imminent Crypto Threat—Here’s How
North Korea-linked threat actors have launched NimDoor to target companies in the Web3 and crypto industry. NimDoor, a sophisticated malware compiled in the Nim programming language specifically targets macOS systems.
Unlike more widely used programming languages, Nim allows code execution during compilation, creating binaries that mix runtime and malware logic. This complicates reverse engineering and detection efforts.
According to a new report by SentinelLabs, the campaign was first observed in April 2025 during an attack on a crypto startup. Multiple security firms have since confirmed similar incidents affecting other companies in the space.
How North Korea Deploys Cyberattacks on Crypto Startups: SentinelLabs Report
SentinelLabs reported that the attackers use classic social engineering techniques to trick victims into running the malicious code.
Victims are approached on Telegram by impersonated contacts and invited to schedule a meeting via Calendly. They later receive an email with a Zoom link and instructions to install a supposed “Zoom SDK update.”
According to the report, the link directs users to an AppleScript file hosted on domains mimicking Zoom’s official URLs. The script is heavily padded with thousands of lines of whitespace and ends with code that fetches a second-stage payload from attacker-controlled servers.
After the initial download, the malware deploys two Mach-O binaries in the system’s temporary directory. The first binary, written in C++, performs process injection to launch a trojan.
The second binary, compiled from Nim and labeled installer, installs persistence tools that ensure the malware remains active even after a system reboot or termination.
This stage drops two more Nim-based binaries: GoogIe LLC and CoreKitAgent, both of which play roles in long-term access and system monitoring. Once deployed, the malware executes two that steal user data.
The upl script extracts login credentials and browsing history from browsers such as Google Chrome and Firefox. The tlgrm script specifically targets Telegram data. All stolen data is compressed and sent to servers disguised as secure upload portals hosted by the attackers.
North Korea’s Cyber Arsenal Evolves: Hackers Turn to Rare Programming Language
SentinelLabs notes that this isn’t the first time DPRK-affiliated actors have used less common programming languages. Past campaigns have involved Go and Rust, and more recently, Crystal.
Analysts believe the use of such languages will rise as attackers look for ways to evade traditional detection tools.
This recent cybersecurity threat adds to the growing list of such activities emanating from North Korea. In April, North Korean hackers targeted U.S. crypto developers through a malware campaign using fake companies, including Blocknovas LLC and Softglide LLC, registered with false addresses.
Tied to a Lazarus Group subgroup, the operation used fake job offers to spread malware stealing crypto wallets and credentials.
In May, South Korea and the EU pledged closer cooperation to combat cyber threats, focusing on North Korea’s crypto crimes. During talks in Seoul, officials stressed the need for joint action amid rising attacks.
Lawmaker Ha Tae-keung stated that North Korean hackers have stolen another $310 million in cryptocurrency from South Korean wallets since the $2 billion thefts reported by the UN in 2019. Chainalysis, in addition, reported $1.3 billion in stolen funds in 2024
Just two days ago, the U.S. DOJ charged four North Koreans with stealing over $900,000 in cryptocurrency by posing as remote IT workers at blockchain firms. Using fake identities, they altered smart contracts to carry out the thefts, part of a scheme to fund North Korea’s weapons program.
The post North Korean Hackers Unleash New Apple Malware in Imminent Crypto Threat—Here’s How appeared first on Cryptonews.
