- North Korea-linked hackers are using NimDoor, a backdoor written in Nim, posing as trusted contacts on Telegram to trick victims into installing it via fake Zoom updates.
- NimDoor's uncommon Nim code and AppleScript backdoors evade detection, run across Mac, Windows and Linux, and bypass Apple's memory protections for deeper access.
- Once installed, it steals crypto wallet data, browser logins and Telegram keys, and runs keyloggers and infostealers such as CryptoBot, exfiltrating data while dodging scanners.
North Korean hackers are stepping up their game with new malware strains targeting Apple devices, zeroing in on crypto firms through a polished social engineering campaign.
Sentinel Labs researchers Phil Stokes and Raffaele Sabato detail the phishing operation in a report published July 2, and their findings show how North Korea-linked actors are pivoting to less common programming languages like Nim, which complicates detection, alongside AppleScript backdoors that infiltrate a targets system.
The phishing scam goes roughly like this: the attackers pose as trusted contacts on apps like Telegram, then lure targets into a fake Zoom call through a Google Meet link. There, a bogus Zoom update file is waiting for the victim, and when they run it, they are actually installing a backdoor called NimDoor, built to siphon crypto wallet data and browser credentials from Mac computers.
Put more simply, NimDoor is written in Nim, a rarely used language that lets attackers build the same payload for several operating systems, including Mac, Windows and Linux, with little extra work. Unlike the more common Go- or Rust-based malware, Nim's unusual footprint makes it harder for security tools to flag.
Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice.
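One practical response to the Nim angle is to hunt for Nim-compiled executables on disk, since Nim's runtime leaves recognisable symbol and string names in the output binary. The script below is an added example for this article, not code from SentinelLABS or from the NimDoor report: it checks that a file is a Mach-O, ELF or PE executable and then counts Nim runtime markers such as NimMain and nimFrame. The marker list is an assumption based on typical Nim compiler output and will vary with Nim version and build flags, so treat it as a triage signal rather than a verdict; the sample inputs at the bottom are constructed for the demo.

```python
"""Triage files for signs of being compiled from Nim.

Added example, not SentinelLABS or NimDoor code. Nim compiles to C, and the
resulting binary links a runtime whose identifiers (NimMain, nimFrame, ...)
commonly survive even when the author's own symbols are stripped.
"""
import struct
from pathlib import Path
from typing import Dict, List, Optional

# Assumed marker list: runtime identifiers typical of Nim-compiled output.
# Adjust for the Nim versions you see in your environment.
NIM_MARKERS = (
    b"NimMain",
    b"NimMainModule",
    b"nimFrame",
    b"popFrame",
    b"nimGCvisit",
    b"toNimStr",
    b"rawNewString",
    b"/lib/system.nim",
)

# Mach-O magics as read big-endian from the first four bytes on disk.
# 0xCAFEBABE (fat/universal Mach-O) is shared with Java class files, so a
# hit on that magic alone is weak evidence of an executable.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"


def executable_format(data: bytes) -> Optional[str]:
    """Return 'macho', 'elf' or 'pe' for a recognised executable header, else None."""
    if len(data) < 4:
        return None
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:2] == PE_MAGIC:
        return "pe"
    if struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "macho"
    return None


def nim_markers_in(data: bytes) -> List[str]:
    """Sorted, de-duplicated list of Nim runtime markers present in the bytes."""
    return sorted({m.decode() for m in NIM_MARKERS if m in data})


def assess(data: bytes, min_markers: int = 2) -> Dict[str, object]:
    """Classify a file's bytes. Non-executables are never flagged, whatever
    strings they contain, to keep scripts and documents out of the results."""
    fmt = executable_format(data)
    markers = nim_markers_in(data) if fmt else []
    return {
        "format": fmt,
        "markers": markers,
        "likely_nim": len(markers) >= min_markers,
    }


def scan_tree(root: str, min_markers: int = 2) -> List[Dict[str, object]]:
    """Walk a directory and return one result per file flagged as likely Nim."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            result = assess(path.read_bytes(), min_markers)
        except OSError:
            continue
        if result["likely_nim"]:
            result["path"] = str(path)
            hits.append(result)
    return hits


# Constructed sample inputs (not real malware): a fake 64-bit Mach-O with Nim
# runtime names, a fake Mach-O carrying Go runtime names, and a plain text file.
SAMPLE_NIM = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"NimMain\x00nimFrame\x00popFrame\x00toNimStr\x00"
SAMPLE_GO = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"go.buildid\x00runtime.main\x00"
SAMPLE_TEXT = b"NimMain nimFrame popFrame written in a shell script comment"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for hit in scan_tree(sys.argv[1]):
            print(hit["path"], hit["format"], ", ".join(hit["markers"]))
    else:
        for name, blob in (("nim", SAMPLE_NIM), ("go", SAMPLE_GO), ("text", SAMPLE_TEXT)):
            print(name, assess(blob))
```

Run it with a directory argument to sweep, for example, a user's Downloads folder or an application bundle; with no argument it classifies the three constructed samples. Because the check is string-based, packed or encrypted payloads will not be caught, so pair it with behavioural detection rather than relying on it alone.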

The bigger worry is how deeply the malware burrows into Apple's defenses. Sentinel's findings show it bypasses built-in memory protections to embed itself more deeply, running keyloggers, screen recorders, clipboard hijackers and an infostealer named CryptoBot designed to hunt for wallet extensions inside browsers.
Once active, the payload steals browser logins, packages up system data, grabs Telegram's local encrypted database together with its keys, and then slips it all out silently, waiting a full ten minutes before acting in order to dodge scanners.
Huntress, another security firm, reported similar incidents last month linked to BlueNoroff, a known North Korean state-backed crew.