A Sophisticated New macOS Malware Threat Targets Web3 and Crypto Firms
In a troubling development, North Korean hackers have stepped up their cyber offensive with a brand-new malware strain designed specifically for macOS systems, targeting businesses in the Web3 and cryptocurrency sectors. Dubbed NimDoor, this advanced threat is written in the Nim programming language, a choice that complicates detection and analysis due to its unusual code compilation process.
Why Nim Language? A Game-Changer in Malware Development
Unlike traditional programming languages, Nim compiles code in a way that blends runtime execution with the malware’s core logic, creating binaries that are harder for security tools to dissect. This technique effectively conceals malicious behavior, making reverse engineering a more difficult task.
According to a recent report by SentinelLabs, NimDoor was initially detected during an April 2025 attack against a crypto startup. Since then, several cybersecurity companies have confirmed additional infections within the industry.
How the Attack Unfolds: Social Engineering and Sophisticated Delivery
SentinelLabs reveals that the attackers rely heavily on tried-and-true social engineering tactics to gain entry:
- Targets are approached via Telegram by impostor contacts.
- Victims are invited to schedule meetings through Calendly.
- Subsequently, they receive emails containing a Zoom meeting link and instructions to install a so-called “Zoom SDK update.”
This Zoom update link actually leads to an AppleScript file hosted on domains mimicking official Zoom URLs. The script is padded with thousands of lines of whitespace to evade automated scans, ultimately fetching a secondary payload from attacker-controlled servers.
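One defensive check that follows from the padding trick described above, as an added example that is not code from the article or from SentinelLabs: it measures how much of a plain-text script file consists of blank or whitespace-only lines and flags files where padding dominates. The thresholds, the file extensions scanned and the two sample scripts are assumptions constructed for illustration, not values taken from the report.

```python
"""Heuristic detector for whitespace-padded script files.

Added example, not code from the article or from SentinelLabs: it flags text
files, such as the AppleScript stage described above, in which almost every
line is blank or whitespace-only. The thresholds are assumptions chosen for
illustration, not values taken from the report.
"""
import os
import sys

MIN_LINES = 200               # assumption: files this small are not worth flagging
BLANK_RATIO_THRESHOLD = 0.90  # assumption: flag when >= 90% of lines carry nothing but whitespace
MIN_BLANK_RUN = 100           # assumption: one unbroken run of this many blank lines is itself unusual


def analyze_script(text: str) -> dict:
    """Return line statistics for one script and a verdict based on them."""
    lines = text.splitlines()
    total = len(lines)
    blank = sum(1 for line in lines if not line.strip())
    ratio = blank / total if total else 0.0

    # Longest run of consecutive blank lines. Padding tends to be one huge block,
    # whereas normal source has short gaps between code sections.
    longest_run = run = 0
    for line in lines:
        if line.strip():
            run = 0
        else:
            run += 1
            longest_run = max(longest_run, run)

    suspicious = (
        total >= MIN_LINES
        and (ratio >= BLANK_RATIO_THRESHOLD or longest_run >= MIN_BLANK_RUN)
    )
    return {
        "total_lines": total,
        "blank_lines": blank,
        "blank_ratio": round(ratio, 3),
        "longest_blank_run": longest_run,
        "suspicious": suspicious,
    }


def scan_tree(root: str, extensions=(".scpt", ".applescript", ".sh", ".py")) -> list:
    """Walk a directory and return (path, stats) for files the heuristic flags.

    The extension list is an assumption; the line statistics are only
    meaningful for plain-text scripts, not compiled ones.
    """
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    stats = analyze_script(fh.read())
            except OSError:
                continue
            if stats["suspicious"]:
                flagged.append((path, stats))
    return flagged


# Constructed samples: a few lines of inert AppleScript surrounded by 3000 blank
# lines, and a short ordinary script for comparison. Neither is the real dropper.
PADDED_SAMPLE = "\n".join(
    ["-- constructed sample", 'display dialog "installing update"']
    + [""] * 3000
    + ["-- end of constructed sample"]
)
NORMAL_SAMPLE = "\n".join(
    ["-- constructed benign script", "set x to 1", "", "set y to 2", "display dialog x + y"]
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, stats in scan_tree(sys.argv[1]):
            print(path, stats)
    else:
        print("padded:", analyze_script(PADDED_SAMPLE))
        print("normal:", analyze_script(NORMAL_SAMPLE))
```

Run with a directory argument to sweep download and temporary folders; without one it reports on the two constructed samples. The blank-line ratio alone would also flag legitimately sparse files, so the longest-run measure is kept separately: a single block of hundreds of empty lines is what distinguishes padding from ordinary spacing.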
Inside the Malware: Multi-Stage Payload with Persistence and Data Theft
Once downloaded, NimDoor installs two Mach-O binaries into the system’s temporary folder:
- The first binary, crafted in C++, performs process injection to launch the trojan.
- The second, written in Nim and labeled as the installer, installs persistence mechanisms ensuring the malware remains active after reboots or termination attempts.
The installer then drops two additional Nim-based components named GoogIe LLC and CoreKitAgent, which provide ongoing access and system surveillance capabilities.
The malware also runs two scripts designed to exfiltrate data:
- The upl script collects login details and browsing histories from popular browsers such as Google Chrome and Firefox.
- The tlgrm script targets Telegram data specifically.
All stolen information is compressed and sent to attacker-controlled servers disguised as secure upload portals.
North Korea’s Expanding Cyber Toolset
SentinelLabs points out that this isn’t the first time North Korean threat actors have leveraged less conventional programming languages to evade detection. Past campaigns included malware written in Go, Rust, and more recently, Crystal. Analysts anticipate increasing use of such uncommon languages as attackers seek to outpace conventional security measures.
Context: Ongoing North Korean Crypto-Related Cybercrime
This latest attack is part of a growing wave of cyber threats originating from North Korea. Earlier in 2025, hackers linked to a Lazarus Group subgroup targeted U.S. crypto developers with malware spread through fake companies like Blocknovas LLC and Softglide LLC—both shell organizations with fabricated addresses. The campaign used fraudulent job offers to distribute malware aimed at stealing crypto wallets and credentials.
In response to escalating cyber risks, South Korea and the European Union agreed in May to enhance cooperation focused on combating North Korea’s cryptocurrency crimes. Officials emphasized the urgency of coordinated efforts amid a surge of cyberattacks.
Alarming Figures: Cryptocurrency Theft Continues Unabated
According to South Korean lawmaker Ha Tae-keung, North Korean hackers have stolen an additional $310 million in cryptocurrency from South Korean wallets since the infamous $2 billion heists documented by the United Nations in 2019. Meanwhile, blockchain analytics firm Chainalysis reported a staggering $1.3 billion in stolen crypto assets linked to North Korea in 2024 alone.
Just days ago, the U.S. Department of Justice charged four North Korean nationals with stealing more than $900,000 by masquerading as remote IT workers at blockchain companies. The group exploited fake identities to alter smart contracts, facilitating thefts that allegedly fund North Korea’s weapons development programs.
What Lies Ahead
With cyber threats evolving rapidly and attackers adopting novel programming approaches like Nim, defending Web3 and crypto infrastructures demands heightened vigilance and innovation. The international community’s ability to coordinate across borders and sectors remains crucial to curbing these increasingly sophisticated attacks.
