NimDoor Malware Hits macOS Crypto Startups

North Korean hackers deploy NimDoor malware via fake Zoom updates to steal crypto wallets on macOS.

  • NimDoor malware disguises as Zoom updates to infect macOS devices.
  • Targets crypto firms by stealing wallets, passwords, and Telegram data.
  • Uses rare Nim language and AppleScript for stealth and persistence.

North Korean hackers have launched a new campaign using NimDoor malware to target macOS-based crypto firms. The malware is cleverly disguised as a Zoom SDK update and spreads through Telegram messages and email invites. Victims receive a fake Calendly link that downloads an AppleScript file padded with thousands of blank lines to hide its code. When executed, the script installs NimDoor onto the device.

How NimDoor Stays Hidden

What makes this malware particularly dangerous is its stealth. It’s written in Nim, a rarely used programming language that helps the code evade traditional security analysis. Once installed, NimDoor injects itself into other processes, uses encrypted WebSocket channels for communication, and resists deletion by reinstalling itself if terminated. It also includes a beaconing system via AppleScript, pinging command servers every 30 seconds.

What NimDoor Steals

The main goal of NimDoor is to steal sensitive data from crypto companies. It collects:

  • Browser passwords from Chrome, Brave, Firefox, and more.
  • macOS Keychain contents including saved credentials.
  • Local Telegram databases and encryption keys.
  • Terminal command history and system information.

This gives attackers the ability to compromise crypto wallets, hijack Telegram accounts, and steal business-critical data—all while staying under the radar.

Protecting Against This Threat

Crypto firms and individual users should avoid downloading updates from unofficial links or direct messages. Always use trusted sources for software updates. Additionally, regularly monitor system login items and be cautious of any suspiciously named applications or scripts. Endpoint protection tools should be configured to detect unusual process injections and AppleScript activity.
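The dropper described above hides its code behind thousands of blank lines, and the advice here is to look for suspiciously named scripts. A cheap triage signal follows from that description: a plain-text script whose line count is dominated by empty lines is unusual for legitimate code. The scanner below is an added example written for this article, not code from the article or from any vendor; the thresholds, file layout and sample scripts are constructed assumptions, not published indicators.

```python
"""Heuristic scan for AppleScript files padded with blank lines.

Added example, not code from the article. The article reports that the
NimDoor dropper is an AppleScript file padded with thousands of blank
lines to push its code out of view. A file whose line count is dominated
by empty lines is rare for a legitimate script, so the blank-line count
and ratio give a cheap triage signal for a directory sweep.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from pathlib import Path

# Thresholds are assumptions chosen for illustration, not published IoCs.
MIN_BLANK_LINES = 1000   # absolute number of empty lines
MIN_BLANK_RATIO = 0.9    # share of all lines that are empty


@dataclass(frozen=True)
class ScanResult:
    path: str
    total_lines: int
    blank_lines: int
    suspicious: bool

    @property
    def blank_ratio(self) -> float:
        return self.blank_lines / self.total_lines if self.total_lines else 0.0


def analyze_text(text: str, path: str = "<memory>") -> ScanResult:
    """Count blank lines and flag heavy padding in one script's text."""
    lines = text.splitlines()
    total = len(lines)
    blank = sum(1 for line in lines if not line.strip())
    ratio = blank / total if total else 0.0
    suspicious = blank >= MIN_BLANK_LINES and ratio >= MIN_BLANK_RATIO
    return ScanResult(path, total, blank, suspicious)


def analyze_file(path: Path) -> ScanResult:
    # Compiled .scpt bundles are binary and decode to few blank lines,
    # so they fall through without triggering the heuristic.
    text = path.read_text(encoding="utf-8", errors="replace")
    return analyze_text(text, str(path))


def scan_directory(root: Path) -> list[ScanResult]:
    """Walk a tree and return only the files that look padded."""
    flagged: list[ScanResult] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            try:
                result = analyze_file(Path(dirpath) / name)
            except OSError:
                continue
            if result.suspicious:
                flagged.append(result)
    return flagged


def nonblank_lines(text: str) -> list[str]:
    """Collapse the padding so an analyst can read what the script does."""
    return [line for line in text.splitlines() if line.strip()]


# Constructed samples: a short visible header, thousands of blank lines,
# then the lines the padding was meant to hide; and a normal short script.
SAMPLE_PADDED = (
    "-- Zoom SDK update helper\n"
    + "\n" * 5000
    + 'do shell script "echo hidden payload placeholder"\n'
)
SAMPLE_NORMAL = (
    'tell application "Finder"\n'
    '    display dialog "hello"\n'
    "end tell\n"
)


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for r in scan_directory(root):
        print(f"{r.path}: {r.blank_lines}/{r.total_lines} blank "
              f"({r.blank_ratio:.1%})")
```

Run it against a download or mail-attachment folder; each hit is then worth opening with `nonblank_lines` to see the handful of statements the padding was hiding, which is the analyst's next question before any response action.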


Aurelien Sage

Aurelien Sage is a blockchain enthusiast and writer, crafting insightful articles on decentralized technologies, Web3, and the future of finance. His work simplifies complex concepts, empowering readers to navigate the evolving crypto landscape with confidence.
