NimDoor Malware Hits macOS Crypto Startups

North Korean hackers deploy NimDoor malware via fake Zoom updates to steal crypto wallets on macOS.

Photo of Aurelien Sage Aurelien Sage Follow on X Send an email July 3, 2025 - 6:30 PM
24 1 minute read
NimDoor malware targeting macOS crypto firms via fake Zoom updates
Market
  • NimDoor malware disguises as Zoom updates to infect macOS devices.
  • Targets crypto firms by stealing wallets, passwords, and Telegram data.
  • Uses rare Nim language and AppleScript for stealth and persistence.

North Korean hackers have launched a new campaign using NimDoor malware to target macOS-based crypto firms. The malware is cleverly disguised as a Zoom SDK update and spreads through Telegram messages and email invites. Victims receive a fake Calendly link that downloads an AppleScript file padded with thousands of blank lines to hide its code. When executed, the script installs NimDoor onto the device.

How NimDoor Stays Hidden

What makes this malware particularly dangerous is its stealth. It’s written in Nim, a rarely used programming language that helps the code evade traditional security analysis. Once installed, NimDoor injects itself into other processes, uses encrypted WebSocket channels for communication, and resists deletion by reinstalling itself if terminated. It also includes a beaconing system via AppleScript, pinging command servers every 30 seconds.

What NimDoor Steals

The main goal of NimDoor is to steal sensitive data from crypto companies. It collects:

  • Browser passwords from Chrome, Brave, Firefox, and more.
  • macOS Keychain contents including saved credentials.
  • Local Telegram databases and encryption keys.
  • Terminal command history and system information.

This gives attackers the ability to compromise crypto wallets, hijack Telegram accounts, and steal business-critical data—all while staying under the radar.

Protecting Against This Threat

Crypto firms and individual users should avoid downloading updates from unofficial links or direct messages. Always use trusted sources for software updates. Additionally, regularly monitor system login items and be cautious of any suspiciously named applications or scripts. Endpoint protection tools should be configured to detect unusual process injections and AppleScript activity.

Read Also :

Disclaimer: The content on CoinoMedia is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency investments carry risks, and readers should conduct their own research before making any decisions. CoinoMedia is not responsible for any losses or actions taken based on the information provided.
Tags
Photo of Aurelien Sage Aurelien Sage Follow on X Send an email July 3, 2025 - 6:30 PM
24 1 minute read
Photo of Aurelien Sage

Aurelien Sage

Aurelien Sage is a blockchain enthusiast and writer, crafting insightful articles on decentralized technologies, Web3, and the future of finance. His work simplifies complex concepts, empowering readers to navigate the evolving crypto landscape with confidence.

Related Articles

Hamak Limited Bitcoin investment announcement

Hamak Limited Adds Bitcoin to Treasury Reserves

July 3, 2025 - 9:00 PM
Bitcoin long-term holders record 14.7M BTC held

Bitcoin Long-Term Holders Hit Record 14.7M BTC

July 3, 2025 - 8:30 PM
“Amina Bank logo with Ripple RLUSD stablecoin”

Global First: Swiss‑Regulated Amina Bank Backs Ripple RLUSD

July 3, 2025 - 8:00 PM
next bull run crypto, Qubetics crypto ROI, Solana ETF crypto, Filecoin price support, high ROI crypto 2025, DPoS Qubetics, decentralized storage token, cross-border payment crypto, TICS token launch, crypto bull run picks

Qubetics Crosses $700K Volume, Is it the Next Bull Run Crypto? Solana’s ETF Adds Fuel While Filecoin Holds Critical Support

July 3, 2025 - 7:15 PM
Back to top button