- By using Nim, the attackers are able to bypass conventional AV measures
- They approach their victims on Telegram and invite them to a Zoom meeting
- The malware steals sensitive data and crypto tokens
North Koreans are targeting Mac users with brand new malware in an attempt to steal cryptocurrency and other sensitive data, experts have warned.
Security researchers from SentinelLabs discovered NimDoor, a unique backdoor written in a lesser-known programming language called Nim. They attributed it to North Korean state-sponsored adversaries engaged primarily in cryptocurrency theft, the proceeds of which fund both the state apparatus and its weapons program.
Nim is used, first and foremost, to evade detection. The backdoor also uses AppleScript for beaconing and asynchronous sleep timers, tricking conventional security measures and maintaining persistence.
Alarming evolution
The attack usually begins on Telegram, where victims are approached by a seemingly trusted contact and invited to a fake Zoom meeting.
The link redirects the victim to a spoofed Zoom page that prompts them to install an update in order to join the call. Instead of the update, the victims receive the malicious payload, which steals a wide range of sensitive data, from browsing history, search activity, cookies and Telegram data, to Keychain passwords.
“This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote-working trend and Mac users’ perceived lower vulnerability to such attacks,” the researchers explained.
North Korean state-sponsored threat actors are known for their campaigns targeting cryptocurrency and Web3 companies. Among the biggest and most dangerous groups is Lazarus, a threat actor that netted more than $3.4 billion across different attacks between 2021 and 2025.
Among the biggest heists is the ByBit attack in February 2025, when they stole roughly $1.5 billion in various tokens. Ronin Bridge was compromised in March 2022 for $600 million, while Poly Network lost roughly the same amount of money the year prior.