July 3, 2025 2:51 PM
Cybersecurity firm Sentinel Labs has uncovered a new wave of cyberattacks from North Korea targeting cryptocurrency companies, this time using a Mac-specific malware called NimDoor. Disguised as Zoom update files, the malware is distributed through social engineering on messaging apps like Telegram, where attackers pose as trusted contacts.
NimDoor is unusual in being written in Nim, a rarely used but powerful programming language that compiles quickly and can run across macOS, Windows, and Linux. Its use enables the malware to bypass Apple’s memory protections and delay detection by waiting 10 minutes before activating, thereby avoiding standard security scans.
Once deployed, NimDoor performs a range of information-theft functions. It is designed to extract sensitive data from cryptocurrency wallets, browser-stored passwords, and even encrypted Telegram data. Sentinel Labs notes that it can steal both the Telegram local database and its decryption keys, posing a severe risk to individuals and businesses that rely on the platform for crypto-related communication.
The use of the Nim language adds a further layer of stealth. Compared with more common malware written in well-known languages, Nim-based code is less likely to trigger signature-based antivirus alerts, making NimDoor harder to detect and analyze.
This latest campaign underscores an ongoing trend in state-sponsored cybercrime: combining advanced programming tactics with targeted social engineering to infiltrate the digital asset ecosystem. With crypto companies often relying on cross-platform teams and remote collaboration tools like Telegram, the attack vector remains highly effective.
Security experts are advising cryptocurrency firms to be wary of unsolicited updates, especially on macOS, and to limit interactions to verified sources. Regular system checks and endpoint detection tools are also recommended to stay ahead of such sophisticated threats.