
North Korean Hackers Launch NimDoor Attack: Mac Crypto Wallets at Risk

North Korean Hackers Deploy ‘NimDoor’ Malware in Aggressive Crypto Theft Campaign Targeting Web3 Professionals


HokaNews provides global crypto news, analysis, and insights. Covering blockchain technology, DeFi, NFT, and digital finance trends for investors and enthusiasts worldwide.


A newly uncovered cyberattack campaign linked to North Korean threat actors is targeting professionals across the Web3, blockchain, and cryptocurrency sectors, deploying advanced malware to steal digital assets and sensitive data from Mac users in a stealthy, persistent wave of intrusions.

The malware, identified as “NimDoor,” employs a potent mix of social engineering tactics, fake software updates, and uncommon programming languages to compromise devices and maintain footholds even after reboots, according to a joint report released by cybersecurity firms SentinelOne and Elastic Security Labs.

This latest operation underscores an alarming evolution in crypto-focused cybercrime, signaling how state-backed hacking groups are refining methods to bypass traditional security layers, harvest credentials, and drain digital wallets without immediate detection.


Source: X


Sophisticated Social Engineering: Calls, Calendly, and Fake Updates

Investigators say the attackers first initiate contact with targets using messaging platforms like Telegram under the guise of potential employers, business partners, or investors, often leveraging professional networking language to establish credibility.

They then schedule fake interviews or discussions through services like Calendly, creating a sense of legitimacy and urgency. Once trust is established, victims receive emails with phony Zoom SDK update links. Instead of updating video conferencing software, these downloads silently install the NimDoor malware on the user’s device, granting remote attackers full access to files, browser data, and crypto wallets.

“This level of personalized social engineering shows a clear intent to infiltrate high-value individuals in crypto and blockchain projects,” said Dr. Ian Cartwright, a cybersecurity researcher at SentinelOne. “They’re patient, targeted, and able to craft highly convincing traps.”

Targeting Browsers and Telegram for Maximum Data Theft

Once installed, NimDoor executes bash scripts that scan and extract data from web browsers, including Chrome, Firefox, Brave, Arc, and Microsoft Edge, focusing on session cookies, saved credentials, and browsing histories linked to crypto exchanges and wallets.


Source: Sentinel labs


In a particularly aggressive twist, NimDoor is engineered to steal iCloud Keychain credentials and exfiltrate Telegram user data, leveraging the platform’s popularity within crypto communities to intercept private communications, wallet addresses, and authentication codes.

Researchers note that by targeting Telegram, the malware can bypass email-based security alerts and directly compromise 2FA tokens, adding a dangerous layer to the attackers’ arsenal.

Stealth and Persistence: Surviving Reboots

What makes NimDoor particularly dangerous is its persistence mechanism. The malware is designed to survive system shutdowns and reboots by leveraging signal-based persistence: it installs SIGINT and SIGTERM handlers that detect termination attempts and automatically relaunch the malware in the background.
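The practical consequence for anyone responding to an infection like this is that an ordinary `kill` (which sends SIGTERM) or Ctrl-C (SIGINT) is exactly what the handlers are waiting for, while SIGKILL and SIGSTOP are reserved by the kernel and can never be caught. The following is an added example, not code from the SentinelOne or Elastic reports or from this article; it spawns a constructed stand-in child that merely ignores SIGTERM and SIGINT (it relaunches nothing), shows that SIGTERM leaves it running and SIGKILL does not, and checks which signals a handler can be installed for at all. The helper names `trappable_signals` and `kill_sequence` are hypothetical.

```python
"""Added example: why a process that traps SIGINT/SIGTERM survives an ordinary
`kill`, and why SIGKILL still terminates it. Not code from the article or the
cited reports; the child below is a constructed stand-in that only ignores
two signals and sleeps."""
import signal
import subprocess
import sys
import time

# Constructed stand-in for "a process with SIGTERM/SIGINT handlers".
# It prints "ready" once the handlers are installed so the parent does not
# race the interpreter start-up, then sleeps.
STUBBORN_CHILD = r"""
import signal, time
signal.signal(signal.SIGTERM, signal.SIG_IGN)
signal.signal(signal.SIGINT, signal.SIG_IGN)
print("ready", flush=True)
time.sleep(60)
"""


def trappable_signals():
    """Return {signal name: True if a userland handler can be installed}.

    SIGKILL and SIGSTOP are rejected by the kernel (EINVAL), so no malware
    handler can intercept them; SIGINT and SIGTERM can be trapped freely.
    """
    result = {}
    for name in ("SIGINT", "SIGTERM", "SIGKILL", "SIGSTOP"):
        sig = getattr(signal, name)
        try:
            previous = signal.signal(sig, signal.SIG_DFL)  # probe only ...
            signal.signal(sig, previous)                   # ... then restore
            result[name] = True
        except (OSError, ValueError, RuntimeError):
            result[name] = False
    return result


def kill_sequence(timeout=5.0):
    """Spawn the stand-in child, send SIGTERM, then SIGKILL, and report
    whether it survived the first and died from the second."""
    proc = subprocess.Popen(
        [sys.executable, "-c", STUBBORN_CHILD],
        stdout=subprocess.PIPE,
        text=True,
    )
    try:
        # Wait until the child has actually installed its handlers.
        if proc.stdout.readline().strip() != "ready":
            raise RuntimeError("child did not signal readiness")

        proc.send_signal(signal.SIGTERM)   # what plain `kill <pid>` sends
        time.sleep(0.5)
        survived_sigterm = proc.poll() is None

        proc.send_signal(signal.SIGKILL)   # cannot be caught or ignored
        proc.wait(timeout=timeout)
        died_from_sigkill = proc.returncode == -signal.SIGKILL
    finally:
        proc.stdout.close()
        if proc.poll() is None:
            proc.kill()
            proc.wait()

    return {
        "survived_sigterm": survived_sigterm,
        "died_from_sigkill": died_from_sigkill,
    }


if __name__ == "__main__":
    print(trappable_signals())
    print(kill_sequence())
```

The point for responders is the second half of the picture: after the running process is gone, whatever launched it at login or on a timer is still on disk, which is why the analysts quoted here advise a full wipe and re-hardening rather than simply killing the process.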

“Even if you think you’ve shut down the infection, it comes right back unless you fully wipe and harden the system,” explained Emily Zhao, a malware analyst with Elastic Security Labs.

This persistence allows hackers to continue siphoning off data and monitoring wallet activities for days or weeks without triggering alarms, significantly increasing the chances of crypto theft before users detect the compromise.

Using Uncommon Programming Languages to Evade Detection

Adding to the malware’s complexity, NimDoor is written in a blend of C++, AppleScript, and the Nim programming language, a rare choice in malware development. Experts believe this strategy helps attackers slip past traditional antivirus detection systems, which are often optimized to detect threats coded in more common languages like Python or JavaScript.

“The use of Nim is particularly notable because it complicates reverse engineering and detection,” said Zhao. “Security vendors will need to adapt quickly to handle this emerging trend.”

This move toward uncommon coding frameworks aligns with a broader shift in cybercrime, as threat actors look to outpace evolving security tools by adopting less familiar technologies.

A New Benchmark in State-Linked Crypto Theft

The NimDoor campaign highlights North Korea’s continued push to exploit the crypto ecosystem as a source of revenue amid international sanctions. The Lazarus Group and other state-linked entities have previously been tied to high-profile crypto heists and ransomware attacks, but NimDoor’s targeted approach marks a significant escalation in technical and operational sophistication.

“North Korean threat actors have recognized the value of targeting Web3 professionals who often manage large sums in wallets with insufficient protection,” said Dr. Cartwright. “They’re not just hitting exchanges anymore; they’re going after individuals who may have high-value keys on personal devices.”

Defending Against NimDoor and Similar Threats

Given the increasing sophistication of crypto theft campaigns, experts strongly advise those in the Web3 and crypto sectors to adopt proactive security measures:

  • Be cautious with unsolicited emails, file downloads, and meeting requests, particularly if they request software updates or claim urgent action is needed.

  • Use hardware wallets or cold storage for substantial crypto holdings, reducing the exposure of funds stored on internet-connected devices.

  • Enable and secure two-factor authentication on all accounts, using app-based authenticators rather than SMS or Telegram-based codes when possible.

  • Deploy advanced endpoint detection and response (EDR) solutions capable of behavioral analysis, rather than relying solely on signature-based antivirus tools.

  • Regularly audit and update device and software security settings, ensuring patches are applied promptly to address vulnerabilities.

  • Segment personal and professional devices, limiting the risk of crypto-related work compromising personal data or vice versa.

A Wake-Up Call for the Web3 Community

As the crypto industry continues to grow, so too will the incentive for advanced threat actors to develop tools like NimDoor, combining social engineering, technical exploits, and innovative coding tactics to bypass security defenses and exfiltrate funds.

“This is a wake-up call for the Web3 ecosystem,” said Dr. Cartwright. “It demonstrates that relying solely on standard security practices is no longer enough when dealing with nation-state level adversaries.”

As cybersecurity experts continue to dissect and analyze NimDoor, it’s clear that the future of crypto security will require a combination of technological vigilance and user awareness to counteract evolving threats.

Staying informed, cautious, and prepared will be essential in defending against the growing wave of crypto theft campaigns driven by advanced persistent threats like NimDoor.


Writer @Ellena

Ellena is an experienced crypto writer who loves to explore the intersection of blockchain technology and financial markets. She regularly provides insights into the latest trends and innovations in the digital currency space.


