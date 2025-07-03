By using Nim, miscreants are able to bypass traditional AV measures

They approach their victims on Telegram and invite them to a Zoom meeting

The malware steals sensitive data and crypto tokens

North Korean state-sponsored hackers are targeting Mac users with new malware in an attempt to steal cryptocurrency and other sensitive data, experts have warned.

Security researchers from SentinelLabs discovered NimDoor, a backdoor written in Nim, a relatively uncommon programming language. They attributed it to North Korean state-sponsored adversaries whose operations focus on cryptocurrency theft, with the proceeds used to fund both the regime and its weapons program.

Nim is used, first and foremost, to evade detection: because so little macOS malware is written in it, compiled Nim binaries match fewer existing signatures and are less familiar to analysts and their tooling. The backdoor also uses AppleScript for command-and-control beaconing and waits on asynchronous sleep timers between check-ins, which spreads its activity out in time, frustrates short-lived sandbox analysis, and helps it maintain persistence.
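Scripted beaconing of the kind described above leaves a telltale rhythm in process telemetry: the same interpreter launched again and again, from a non-interactive parent, at near-constant intervals. The detector below is an added example written for this page, not SentinelLabs' code or anything recovered from NimDoor. It runs over a constructed set of process-execution events (the log format, the timestamps, the thresholds for minimum runs and interval regularity, and the use of ppid=1 as a proxy for "spawned by launchd rather than by a user's shell" are all assumptions for illustration; real EDR or Endpoint Security telemetry will look different).

```python
"""Flag osascript executions that recur at near-constant intervals (beaconing)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events, not real telemetry. Format is assumed for the example:
# "<iso8601> exec pid=<n> ppid=<n> user=<name> image=<path>"
SAMPLE_EVENTS = """\
2025-07-01T10:00:00Z exec pid=4101 ppid=1 user=alice image=/usr/bin/osascript
2025-07-01T10:00:07Z exec pid=4102 ppid=790 user=alice image=/usr/bin/open
2025-07-01T10:05:01Z exec pid=4110 ppid=1 user=alice image=/usr/bin/osascript
2025-07-01T10:09:59Z exec pid=4125 ppid=1 user=alice image=/usr/bin/osascript
2025-07-01T10:15:00Z exec pid=4131 ppid=1 user=alice image=/usr/bin/osascript
2025-07-01T10:20:02Z exec pid=4140 ppid=1 user=alice image=/usr/bin/osascript
2025-07-01T10:03:12Z exec pid=4200 ppid=812 user=bob image=/usr/bin/osascript
2025-07-01T10:03:40Z exec pid=4201 ppid=812 user=bob image=/usr/bin/osascript
2025-07-01T11:47:09Z exec pid=4202 ppid=812 user=bob image=/usr/bin/osascript
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) exec pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"user=(?P<user>\S+) image=(?P<image>\S+)$"
)

# Tunable thresholds (assumptions, not NimDoor-specific values).
MIN_RUNS = 4            # fewer executions than this is not enough to call a rhythm
MIN_MEAN_INTERVAL = 60  # seconds; ignore rapid-fire scripting from normal automation
MAX_CV = 0.15           # coefficient of variation; lower means more regular timing
SCRIPT_INTERPRETERS = ("/usr/bin/osascript",)


def parse_events(text):
    """Parse the constructed event lines into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        ev = m.groupdict()
        ev["time"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
        events.append(ev)
    return events


def detect_beaconing(events):
    """Group interpreter launches by (user, parent) and flag regular cadences.

    ppid == 1 is treated as "launched by launchd" (e.g. via a LaunchAgent) and is
    required here as a heuristic for non-interactive execution; it is an assumption.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["image"] in SCRIPT_INTERPRETERS and ev["ppid"] == 1:
            groups[(ev["user"], ev["ppid"], ev["image"])].append(ev["time"])

    findings = []
    for (user, ppid, image), times in groups.items():
        if len(times) < MIN_RUNS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < MIN_MEAN_INTERVAL:
            continue
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= MAX_CV:
            findings.append({
                "user": user, "ppid": ppid, "image": image,
                "runs": len(times), "mean_interval_s": avg, "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beaconing(parse_events(SAMPLE_EVENTS)):
        print(f"beacon-like: {f['image']} as {f['user']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['runs']} runs, cv={f['cv']:.3f})")
```

On the constructed sample, alice's five launchd-spawned osascript runs at roughly five-minute spacing are flagged, while bob's three irregular runs from an interactive parent are not. In production the interval and regularity thresholds need tuning against a baseline of legitimate automation, and the parent-process heuristic should be replaced with the actual process tree your telemetry provides.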

Alarming evolution

The attack usually starts on Telegram, where the victim is approached by a contact who appears trustworthy and is invited to a fake Zoom meeting.

The link sends the victim to a spoofed Zoom page that demands they install an "update" before joining the call. Instead of an update, the page delivers the malicious payload, which harvests browsing and search history, cookies, Telegram data and Keychain passwords. Zoom's legitimate client updates arrive through the app's own updater or from downloads hosted on zoom.us; a meeting page that insists on installing software before the call can start is a warning sign in itself.
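A first-line check against this lure is to verify that a "Zoom" link actually points at Zoom before anyone clicks it, and to do so in a way that survives the usual spoofing tricks. The following is an added example written for this page, not code from the page or from SentinelLabs: it accepts only https URLs whose host is zoom.us or a subdomain of it (the allowlist itself is an assumption for the example; extend it for your environment, for instance with zoomgov.com) and shows why host extraction must be done with a real URL parser rather than a substring match.

```python
"""Decide whether a meeting link points at Zoom's own domain or a lookalike."""
from typing import Optional
from urllib.parse import urlsplit

# Domains treated as genuine Zoom hosts. Assumption for the example: this is a
# minimal allowlist, not a complete or vendor-published one.
OFFICIAL_ZOOM_DOMAINS = ("zoom.us",)


def hostname_of(url: str) -> Optional[str]:
    """Return the normalised ASCII hostname of url, or None if it has none.

    urlsplit().hostname discards userinfo and port, so "https://zoom.us@evil.test/"
    yields "evil.test": a naive 'zoom.us' in url check would be fooled by it.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        # Internationalised labels become punycode, so a Cyrillic 's' in "zoom.uѕ"
        # can no longer compare equal to the Latin "zoom.us".
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_official_zoom_link(url: str) -> bool:
    """True only for https URLs whose host is an allowlisted domain or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = hostname_of(url)
    if host is None:
        return False
    # Suffix match on ".zoom.us" accepts us04web.zoom.us but rejects zoom.us.evil.test.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS)


def triage_links(links):
    """Map each candidate link to a verdict so a batch can be reviewed at once."""
    return {link: ("official" if is_official_zoom_link(link) else "SUSPECT")
            for link in links}


if __name__ == "__main__":
    # Constructed sample links for the example; the suspect hosts are invented.
    sample = [
        "https://us04web.zoom.us/j/1234567890",
        "https://zoom.us.evil.test/update",
        "https://zoom.us@evil.test/update",
        "https://zoom-us.com/download/update",
        "http://zoom.us/j/1234567890",
        "https://zoom.u\u0455/j/1234567890",
    ]
    for link, verdict in triage_links(sample).items():
        print(f"{verdict:9} {link}")
```

Only the first sample link passes. Note that even a genuine zoom.us link does not need a separately downloaded "update" to join a meeting, so the link check complements, rather than replaces, the rule that software prompted for by a meeting page should not be installed.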

“This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote-working trend and Mac users' perceived lower vulnerability to such attacks,” the researchers explained.

North Korean state-sponsored threat actors are known for campaigns against cryptocurrency and Web3 companies. Among the biggest and most dangerous groups is Lazarus, which netted more than $3.4 billion across various attacks between 2021 and 2025.

The biggest of these heists is the Bybit attack of February 2025, in which roughly $1.5 billion in various tokens was stolen. Ronin Bridge was compromised in March 2022 for about $600 million. Poly Network lost roughly the same amount the year before, although that incident has not been attributed to North Korean actors.