North Korean hackers are reportedly deploying a new malware strain called “NimDoor” to infiltrate crypto companies, according to a recent report from cybersecurity firm Sentinel Labs.
The malware is notable for being written in Nim, a relatively obscure programming language that helps it evade conventional detection mechanisms, especially on Apple’s macOS systems.
Disguised as Zoom software updates, NimDoor is distributed primarily through Telegram channels, which are often frequented by cryptocurrency communities.
NimDoor Malware Grants Hackers Remote Access to Steal Sensitive Data
Once installed, NimDoor grants remote access to the infected device, allowing attackers to steal sensitive information.
The stolen information includes crypto wallet credentials, saved browser passwords, and local Telegram data, potentially giving hackers access to private communications and authentication tokens.
Sentinel Labs notes that the use of Nim is rare and strategic, as it enables the malware to better bypass Apple’s security protections and avoid being flagged by antivirus software.
The campaign highlights the increasing sophistication of state-sponsored cyberattacks, particularly from North Korea, which has been linked to numerous high-profile crypto thefts in recent years.
With NimDoor, attackers are leveraging social engineering, obscure programming languages, and trusted platforms like Telegram to exploit the cryptocurrency sector—a lucrative target for cybercrime due to its often decentralized and less-regulated nature.
Attack Starts with Telegram Impersonation and Fake Calendly Meeting Invite
The attack begins with a classic social engineering tactic: a hacker impersonates a trusted contact on Telegram and invites the victim to schedule a meeting via Calendly.
Soon after, the target receives an email containing a Zoom meeting link and instructions to run a fake “Zoom SDK update script.”
The malicious script is hosted on an attacker-controlled domain and named zoom_sdk_support.scpt. Interestingly, variants of this file have been identified in public malware repositories, often marked by a typo in a code comment reading “Zook SDK Update” instead of “Zoom.”
To avoid detection, the script is heavily padded with around 10,000 lines of blank space, effectively concealing its real purpose and making it harder for analysts and security tools to flag its behavior.
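The two indicators described above, a script body buried under thousands of blank lines and the misspelled "Zook SDK Update" comment, are easy to turn into a triage check. The following is an added example written for this page, not tooling from SentinelLabs, Huntress or any vendor; it reads AppleScript source text (for a compiled .scpt, the text form produced by `osadecompile` on macOS) and flags files whose blank-line ratio is extreme or which carry the known comment string. The thresholds and the sample scripts are constructed assumptions, not values from the report.

```python
"""Heuristic triage for AppleScript text padded with blank lines.

Added example for this page (not the researchers' own code). Run it over the
source text of a .scpt / .applescript file, e.g. the output of `osadecompile`.
"""
from dataclasses import dataclass
from typing import List

# Assumed thresholds (not from the report): a file that is at least this long
# and at least this blank is treated as padded to hide a small real payload.
BLANK_RATIO_THRESHOLD = 0.90
MIN_TOTAL_LINES = 500

# Comment text the report says marks known variants of zoom_sdk_support.scpt.
SUSPICIOUS_COMMENT_MARKERS = ("Zook SDK Update",)


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    nonblank_lines: int
    blank_ratio: float
    longest_blank_run: int
    comment_markers: List[str]
    suspicious: bool


def analyze_script(text: str) -> PaddingReport:
    """Count blank-line padding and known comment markers in AppleScript source."""
    lines = text.splitlines()
    total = len(lines)
    blank = 0
    longest_run = 0
    current_run = 0
    markers: List[str] = []
    for line in lines:
        stripped = line.strip()
        if stripped == "":
            # Whitespace-only lines count as padding, not just empty ones.
            blank += 1
            current_run += 1
            longest_run = max(longest_run, current_run)
            continue
        current_run = 0
        # AppleScript comments start with "--" (older syntax) or "#".
        if stripped.startswith("--") or stripped.startswith("#"):
            for marker in SUSPICIOUS_COMMENT_MARKERS:
                if marker.lower() in stripped.lower():
                    markers.append(marker)
    ratio = blank / total if total else 0.0
    padded = total >= MIN_TOTAL_LINES and ratio >= BLANK_RATIO_THRESHOLD
    return PaddingReport(
        total_lines=total,
        blank_lines=blank,
        nonblank_lines=total - blank,
        blank_ratio=ratio,
        longest_blank_run=longest_run,
        comment_markers=markers,
        suspicious=padded or bool(markers),
    )


# Constructed samples (not real malware): a short benign script, and a lure
# shaped like the described one: one comment, 10,000 blank lines, one statement.
BENIGN_SAMPLE = 'tell application "Finder"\n    activate\nend tell\n'
PADDED_SAMPLE = (
    "-- Zook SDK Update\n"
    + "\n" * 10000
    + 'display dialog "Updating Zoom SDK..."\n'
)


def triage(text: str) -> str:
    """One-line verdict suitable for a scan log."""
    report = analyze_script(text)
    verdict = "SUSPICIOUS" if report.suspicious else "ok"
    return (
        f"{verdict}: {report.blank_lines}/{report.total_lines} blank lines "
        f"(ratio {report.blank_ratio:.3f}, longest run {report.longest_blank_run}), "
        f"markers={report.comment_markers}"
    )


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(name, "->", triage(sample))
```

The blank-ratio rule is deliberately conservative (90% blank and at least 500 lines) so that ordinary scripts with generous spacing are not flagged; the comment marker is a weak indicator on its own and is best treated as a pivot for hunting rather than proof. Both checks work on source text only, so a compiled .scpt must be decompiled first.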
Huntress Links Malware Activity to North Korea’s BlueNoroff Hacking Group
In June, cybersecurity firm Huntress linked similar malware activity to BlueNoroff, a North Korean state-sponsored hacking group.
Researchers found the malware notable for its ability to bypass Apple’s memory protections and successfully inject its payload. Once active, the malware enables functions such as keylogging, screen recording, clipboard monitoring, and more.
A key component is CryptoBot, a sophisticated infostealer specifically designed to target cryptocurrency users.
It searches through browser extensions to locate and extract data from wallet plugins, making it highly effective in crypto theft.
In parallel, blockchain security firm SlowMist recently warned of a large-scale malicious campaign involving dozens of fake Firefox extensions, all aimed at stealing crypto wallet credentials—further underscoring the rising threat to digital asset security.