New macOS Malware Targets the Crypto Sector
North Korean hackers have launched a fresh cyber campaign aimed at macOS users in the crypto and Web3 space.
Researchers discovered NimDoor, a new malware strain that uses phishing and stealth tactics to access sensitive user data.
The Lazarus Group and its sub-group BlueNoroff (APT38/TA444) likely developed NimDoor to target crypto wallets, browsers, and messaging platforms.
NimDoor Uses Nim to Evade Detection
Hackers coded NimDoor in Nim, a programming language rarely seen in malware. Because Nim-compiled binaries are uncommon, many security tools lack signatures for them and fail to detect this type of code.
NimDoor installs on the victim’s system after a phishing message tricks the user into downloading a fake Zoom update or support tool.
These phishing messages arrive via Telegram, email, or fake Calendly invites, often posing as job offers or collaboration requests.
Step-by-Step Attack Breakdown
Once the victim downloads the file, a hidden AppleScript named zoom_sdk_support.scpt runs silently in the background.
This script downloads two binaries, one written in C++ and the other in Nim. Together, they start collecting data and setting up command-and-control.
Here’s what NimDoor does next:
- Steals credentials from browsers like Chrome, Firefox, Brave, and Arc
- Extracts Telegram data, including saved session tokens
- Accesses the macOS Keychain to steal stored passwords
- Targets browser-based crypto wallets like MetaMask and Phantom
- Installs LaunchAgents under fake names to stay active after reboot
The malware also uses encrypted WebSocket connections to send stolen data to its remote server.
Hackers Aim for Long-Term Access
To maintain access, NimDoor hides in LaunchAgents folders using fake names like “GoogIe LLC” or “CoreKitAgent.” This allows it to restart automatically.
The malware delays its activity for 10 minutes to bypass sandbox environments that test for threats immediately after launch.
NimDoor’s behavior shows the attackers planned for stealth and persistence, making it harder to detect or remove.
Why North Korea Targets Crypto
North Korean hacking groups, including Lazarus, focus on stealing crypto funds to support the nation’s economy under sanctions.
In 2022, Lazarus carried out the $600 million Ronin Bridge hack—one of the biggest crypto thefts ever.
Now, they’ve shifted attention to macOS devices, which many crypto developers and founders use.
This change shows how advanced and adaptable these attackers have become.
How Crypto Users Can Stay Safe
If you’re active in Web3 or crypto, especially on macOS, you should act now. Here’s how:
- Avoid downloading files from unknown contacts
- Never trust unsolicited Zoom or support links
- Use hardware wallets for sensitive crypto storage
- Check your Mac’s LaunchAgents and login items regularly
- Update your system and apps to patch known risks
- Enable 2FA on wallets and exchanges
Final Words
NimDoor proves that even macOS is no longer safe by default—especially in the crypto world.
Hackers now use smarter tools and better deception to steal funds and data.
Stay informed. Use best practices. Don’t let a phishing message cost you your crypto.
Stay ahead of cyber threats—only at TheFinRate.com.