AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
Security researchers have uncovered a new and dangerous piece of malware targeting crypto companies through macOS devices. The malware, known as NimDoor, is a backdoor used by a North Korean hacking group to steal sensitive data, including saved passwords and cryptocurrency wallet files. The attack is carefully disguised and slips past several of macOS's built-in protections, making it a serious threat to users.

The attack begins with a message sent through Telegram, a platform widely used in the crypto industry and therefore a common channel for crypto-focused social engineering. The attackers pose as a legitimate contact and invite the target to a fake meeting scheduled through Calendly, a widely used scheduling tool. The target is then asked to download what appears to be a Zoom update. Instead of updating the video app, the file installs malware that runs quietly in the background, avoiding the usual macOS warnings by presenting itself as a trusted update.

The malware is called NimDoor because it was written in the Nim programming language, which is rarely seen in attack tooling. Nim-compiled binaries are uncommon, so security products tuned to more familiar toolchains are less likely to recognize and block them. Once installed, NimDoor starts stealing sensitive data, including saved browser passwords, files from Telegram conversations, and crypto wallet credentials. It also sets up a backdoor, allowing the attackers to return later and install additional malicious software.
Security experts have urged crypto-related businesses to tighten their defenses. They advise firms to block unsigned installer files and to download Zoom updates only from Zoom's official website; a genuine Zoom client updates from within the application, not from a file sent by a meeting contact. They also recommend reviewing Telegram contact lists for suspicious profiles, particularly any that send unsolicited files. These basic checks make it much harder for attackers to gain a foothold and reach sensitive information.
This malware is part of a larger campaign by North Korea's state-backed hacking operation. Recently, the U.S. Department of Justice filed a civil forfeiture complaint to seize $7.74 million worth of crypto linked to North Korean IT workers. These workers posed as remote employees, earned money under false identities and sent it back to North Korea, helping the government evade sanctions and fund its weapons programs. According to TRM Labs, North Korean-linked groups stole around $1.6 billion from web3 companies in the first half of 2025 alone. The largest single loss came in February, when Bybit lost $1.5 billion in one breach, accounting for over 70% of all crypto losses in that period.
NimDoor is also notable for an unusual persistence trick. It registers handlers for termination signals (SIGINT and SIGTERM, the signals a normal kill command or Ctrl-C delivers), so that when an analyst or security tool tries to stop the process, the handler first writes its files and persistence entry back to disk and only then exits. Combined with a persistence entry that relaunches it at login, this keeps the backdoor alive across removal attempts and reboots. The practical lesson for responders is to remove the persistence artifacts first and then terminate the process with SIGKILL, which no handler can intercept, rather than with a plain SIGTERM. The infection chain itself still depends on social engineering to get the user to download and run the payload, underscoring how North Korean operators keep refining their tradecraft against the cryptocurrency ecosystem.
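To make the response lesson concrete, here is an added demonstration (my own constructed code, not NimDoor's and not from the researchers who reported it). A benign stand-in child process drops a hypothetical persistence file named `persist.plist`, and, like the behaviour described above, rewrites that file from its signal handler when it receives SIGTERM or SIGINT. Deleting the file and then sending SIGTERM lets the handler run, so the file comes back; SIGKILL cannot be caught, so it stays gone.

```python
"""Why a SIGTERM-based kill fails against a process that reinstalls itself
from a signal handler, and why SIGKILL does not. Added demonstration using a
benign stand-in child process (constructed for this example, not NimDoor)."""
import os
import signal
import subprocess
import sys
import tempfile
import time

# Stand-in for the malware: drops a "persistence" file at start-up and, on
# SIGTERM/SIGINT, writes it again before exiting, so deleting the file and
# then sending SIGTERM leaves the file back in place.
CHILD_SRC = r'''
import os, signal, sys, time
persist = sys.argv[1]                      # hypothetical persistence artifact

def install():
    with open(persist, "w") as f:
        f.write("launch-agent-placeholder\n")

def on_terminate(signum, frame):
    install()                              # reinstall, then exit quietly
    os._exit(0)

install()
signal.signal(signal.SIGTERM, on_terminate)
signal.signal(signal.SIGINT, on_terminate)
open(persist + ".ready", "w").close()      # tell the parent handlers are live
while True:
    time.sleep(0.1)
'''

def _run_cleanup_then_signal(sig):
    """Start the stand-in, delete its persistence file (the responder's
    cleanup step), send `sig`, and return True if the file came back."""
    with tempfile.TemporaryDirectory() as tmp:
        persist = os.path.join(tmp, "persist.plist")   # hypothetical name
        proc = subprocess.Popen([sys.executable, "-c", CHILD_SRC, persist])
        try:
            for _ in range(200):                       # wait for handler setup
                if os.path.exists(persist + ".ready"):
                    break
                time.sleep(0.05)
            os.remove(persist)                         # cleanup first ...
            proc.send_signal(sig)                      # ... then terminate
            proc.wait(timeout=5)
        finally:
            if proc.poll() is None:
                proc.kill()
                proc.wait()
        return os.path.exists(persist)

def terminate_with_sigterm():
    """Catchable signal: the handler runs and the artifact reappears."""
    return _run_cleanup_then_signal(signal.SIGTERM)

def terminate_with_sigkill():
    """SIGKILL cannot be caught, so no handler runs and the artifact stays gone."""
    return _run_cleanup_then_signal(signal.SIGKILL)

if __name__ == "__main__":
    print("persistence back after SIGTERM:", terminate_with_sigterm())  # True
    print("persistence back after SIGKILL:", terminate_with_sigkill())  # False
```

On a real macOS host the placeholder file corresponds to the launch agent plist and the dropped binary: remove those, terminate the process with `kill -9` (SIGKILL), then confirm that nothing has been rewritten and nothing relaunches at the next login before declaring the host clean.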
The discovery of NimDoor highlights the growing threat that state-sponsored actors pose to the Web3 and cryptocurrency sectors. As cryptocurrency adoption rises, so does the appeal of these assets to attackers. NimDoor represents a notable step up in the capabilities of North Korean hackers, who have repeatedly adapted their tooling and tradecraft to the platforms their targets actually use.

The use of macOS malware by North Korean hackers deserves particular attention. macOS has traditionally been targeted less often than other operating systems, but NimDoor shows that no platform is immune to a determined adversary. macOS users, particularly those handling cryptocurrency transactions, need to remain vigilant and apply robust security controls to protect their digital assets.

The NimDoor campaign is a reminder of how much cybersecurity matters in the cryptocurrency space. Users must be wary of phishing and other social engineering, and keep their systems protected with up-to-date security software. The cryptocurrency community also needs to keep working with security researchers to develop and deploy effective defenses against emerging threats. The steady evolution of these threats calls for a proactive approach built on education, awareness and adoption of best practices.