
N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates


SentinelLabs uncovers NimDoor, new North Korea-aligned macOS malware targeting Web3 and crypto firms. It is built with Nim and AppleScript, and steals Keychain, browser, shell, and Telegram data.

A new report from SentinelLabs, released on July 2, 2025, reveals a sophisticated cyberattack campaign targeting Web3 and cryptocurrency companies. Threat actors aligned with North Korea are aggressively exploiting macOS systems with a newly discovered malware called NimDoor, utilizing complex, multi-stage attacks and encrypted communications to remain undetected.

The research, authored by Phil Stokes and Raffaele Sabato and shared with Hackread.com, highlights the attackers’ shift towards less common, cross-platform programming languages like Nim. This change complicates efforts to detect and analyse their malicious activities.

The group also uses AppleScript in clever ways, not just for the initial breach but also as simple, hard-to-spot backdoors. Their methods show a clear improvement in staying hidden and persistent, including using encrypted WebSocket (wss) communication and unusual ways to ...


Copyright of this story solely belongs to hackread.com.