North Korean hackers are deploying new malware variants designed for Apple devices in a cyberattack campaign targeting cryptocurrency firms.
A report released Wednesday by cybersecurity firm Sentinel Labs reveals that the attackers pose as trusted contacts on messaging platforms like Telegram. They then lure victims into a fake Zoom meeting using a Google Meet link and eventually send a file that appears to be a legitimate Zoom update but is actually malware.
NimDoor targets Mac computers
Once the fake “Zoom update” is executed, it installs malware known as “NimDoor” on Mac computers, which proceeds to target cryptocurrency wallets and stored browser passwords.
While Macs were once considered more resistant to hacks and malware, this incident highlights that they are no longer immune.
Although the delivery method—using social engineering, deceptive scripts, and fake software updates—is typical of North Korean (DPRK) cyberattacks, Sentinel Labs researchers noted that this campaign stands out due to its use of the Nim programming language. Nim is rarely used in macOS malware, making it more difficult for traditional security tools to detect.
“The early stages of the attack follow a familiar DPRK playbook,” the researchers said, “but the use of Nim-compiled binaries on macOS is a more unusual and concerning development.”

Nim is a relatively new and uncommon programming language that’s gaining traction among cybercriminals due to its cross-platform capabilities: a single codebase can be compiled for Windows, macOS, and Linux without modification. This allows hackers to create a single piece of malware that works across all major operating systems.
In addition to its versatility, Nim compiles quickly, produces standalone executable files, and is notoriously difficult for security tools to detect, since few detection signatures are tuned to the artifacts its toolchain leaves behind. According to Sentinel Labs researchers, while North Korean-linked threat actors have previously used languages like Go and Rust, Nim provides notable advantages in stealth and efficiency.
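One practical consequence of the point above is that defenders can look for the toolchain rather than for a specific sample: the Nim compiler's C backend leaves recognizable runtime symbol names in the binaries it builds. The script below is an added example for illustration, not code from the Sentinel Labs report or from the NimDoor analysis. It treats a file as a candidate for closer review when it carries a Mach-O magic number and at least two of an assumed set of Nim runtime markers (NimMain, PreMain, nimGC_setStackBottom, nimFrame, popFrame); the marker list, the threshold of two, and the constructed sample inputs are all assumptions made here. Stripped binaries may lack the symbol names, and legitimate Nim software will match too, so the result is a triage signal, not a verdict.

```python
"""Heuristic triage for Nim-compiled Mach-O binaries (added example).

Looks for a Mach-O magic number and for strings the Nim C backend emits
into the binaries it builds. Marker set and threshold are assumptions.
"""
from dataclasses import dataclass, field

# Mach-O magic values as they appear in the first four bytes of a file:
# 32- and 64-bit headers in both byte orders, plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC, byte-swapped
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, byte-swapped
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}

# Assumed marker set: runtime entry points and GC helpers that the Nim
# compiler's C backend names in generated code. Chosen so no marker is a
# substring of another, which keeps the count below honest.
NIM_MARKERS = [
    b"NimMain",
    b"PreMain",
    b"nimGC_setStackBottom",
    b"nimFrame",
    b"popFrame",
]

MARKER_THRESHOLD = 2  # assumed: require two independent hits to flag


@dataclass
class Verdict:
    is_macho: bool
    markers: list = field(default_factory=list)

    @property
    def likely_nim(self) -> bool:
        return len(self.markers) >= MARKER_THRESHOLD


def scan_bytes(data: bytes) -> Verdict:
    """Classify raw file contents: Mach-O or not, and which Nim markers appear."""
    is_macho = data[:4] in MACHO_MAGICS
    found = [m.decode() for m in NIM_MARKERS if m in data]
    return Verdict(is_macho=is_macho, markers=found)


def scan_file(path: str) -> Verdict:
    """Read a file from disk and classify it. Whole-file read is fine for triage."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def _constructed_sample(magic: bytes, symbols: list) -> bytes:
    """Build a constructed stand-in for a binary: a magic number, some
    header padding, then symbol names as NUL-terminated strings."""
    return magic + b"\x00" * 28 + b"".join(s + b"\x00" for s in symbols)


# Constructed samples (not real malware): a Nim-style Mach-O, a plain
# Mach-O with ordinary C symbols, and a Nim-style ELF for the non-Mach-O path.
SAMPLE_NIM_MACHO = _constructed_sample(
    b"\xcf\xfa\xed\xfe",
    [b"_NimMain", b"_PreMain", b"_nimGC_setStackBottom", b"_nimFrame"],
)
SAMPLE_PLAIN_MACHO = _constructed_sample(
    b"\xcf\xfa\xed\xfe", [b"_main", b"_printf", b"_malloc"]
)
SAMPLE_NIM_ELF = _constructed_sample(b"\x7fELF", [b"NimMain", b"PreMain"])


if __name__ == "__main__":
    for name, blob in [
        ("nim-macho", SAMPLE_NIM_MACHO),
        ("plain-macho", SAMPLE_PLAIN_MACHO),
        ("nim-elf", SAMPLE_NIM_ELF),
    ]:
        v = scan_bytes(blob)
        flag = "REVIEW" if (v.is_macho and v.likely_nim) else "ok"
        print(f"{name:12s} macho={v.is_macho!s:5s} markers={v.markers} -> {flag}")
```

In practice you would run `scan_file` over a directory of recently written executables (for example, anything dropped by a purported "Zoom update") and hand the flagged files to a proper Mach-O parser or an analyst; the string check is deliberately cheap so it can run at scale.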
Data-stealing malware payload
The payload includes a credential-stealing component “designed to silently collect browser data and system-level information, bundle it, and transmit it out,” according to researchers.
Additionally, a script is embedded to extract Telegram’s encrypted local database along with its decryption keys.
To evade detection, the malware incorporates a delay mechanism, waiting ten minutes before initiating its activity, allowing it to slip past many security scanners and sandboxes whose analysis window ends before the malware does anything observable.
Macs aren’t immune to malware
In June, cybersecurity firm Huntress reported similar malware attacks tied to BlueNoroff, a North Korean state-sponsored hacking group.
According to researchers, the malware stood out for its ability to bypass Apple’s built-in memory protections to inject malicious payloads.
The malware’s capabilities include keylogging, screen recording, clipboard access, and the deployment of a “full-featured infostealer” known as CryptoBot—specifically designed to target cryptocurrency. CryptoBot scans browser extensions in search of crypto wallet plugins, enabling theft directly from users’ wallets.
Adding to growing concerns, blockchain security company SlowMist this week warned of a “massive malicious campaign” involving numerous fake Firefox extensions, all engineered to steal cryptocurrency wallet credentials.
“Over the last few years, we’ve seen macOS increasingly targeted by threat actors—especially highly sophisticated, state-sponsored groups,” Sentinel Labs concluded, effectively dispelling the long-standing myth that Macs are immune to viruses.