North Korean hackers use fake Zoom updates to deliver ‘NimDoor’ macOS malware targeting crypto firms

Reported by The Block

SentinelLabs warns that North Korean groups use an unusual NimDoor macOS backdoor, hidden in fake Zoom updates, to steal cryptocurrency wallet data and passwords.

The threat follows a string of DPRK exploits that have extracted over $1.6 billion from cryptocurrency firms in the first half of 2025, according to TRM Labs.

A North Korean threat group is infecting Apple devices with a new backdoor called NimDoor to infiltrate cryptocurrency companies and steal wallet credentials, security firm SentinelLabs warned in a research report.

Attackers message targets on Telegram, a familiar social engineering tactic employed by cybercriminals. Hackers then organize a malicious meeting through Calendly and lure victims into downloading a bogus Zoom update bundled with malware that runs without triggering Apple’s safety checks.

The implant stands out because it was written in Nim, a niche programming language rarely used in malware. SentinelLabs said Apple’s built-in protection signatures do not yet flag NimDoor, giving the backdoor a free pass onto macOS machines. Once installed, it harvests browser passwords, Telegram databases, and crypto wallet files, then installs a login-item agent that relaunches the malware and pulls follow-up payloads.

To mitigate the threat, SentinelLabs urged crypto firms to block unsigned installer packages, accept Zoom updates only from zoom.us, and audit Telegram contact lists for new profiles that push executable files.
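As an added illustration (not code from SentinelLabs' report or The Block), a small Python triage script for launchd agent plists of the kind found in ~/Library/LaunchAgents, flagging the persistence pattern described above: an entry that starts at login and runs something from a user-writable location, borrows Zoom's name without running the Zoom app bundle, or launches a shell interpreter with an inline script. The trusted-directory allowlist, the Zoom bundle path and both sample plists are assumptions constructed for this example, not NimDoor indicators.

```python
import plistlib

# Assumption: directories normally populated only by the OS or an admin-run installer.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/bin/", "/sbin/")
# Assumption: where the genuine Zoom client lives on macOS.
ZOOM_APP_PREFIX = "/Applications/zoom.us.app/"
INTERPRETERS = ("/sh", "/bash", "/zsh", "/osascript", "/python3", "/perl")


def triage_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one launchd agent plist (empty list = nothing odd)."""
    p = plistlib.loads(plist_bytes)
    args = [str(a) for a in p.get("ProgramArguments") or []]
    program = str(p.get("Program") or (args[0] if args else ""))
    label = str(p.get("Label", "")).lower()
    autostart = bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))
    findings: list[str] = []

    # 1. Starts at login and references a path outside OS/installer-managed directories.
    untrusted = [a for a in [program, *args[1:]]
                 if a.startswith("/") and not a.startswith(TRUSTED_PREFIXES)]
    if autostart and untrusted:
        findings.append("auto-start referencing user-writable path(s): " + ", ".join(untrusted))

    # 2. Label borrows Zoom's name but the launched binary is not inside the Zoom app bundle.
    if "zoom" in label and not program.startswith(ZOOM_APP_PREFIX):
        findings.append(f"label {label!r} imitates Zoom but runs {program!r}")

    # 3. An interpreter handed an inline script: a common loader/relaunch pattern.
    if program.endswith(INTERPRETERS) and any(a in ("-c", "-e") for a in args[1:]):
        findings.append(f"interpreter {program!r} launched with an inline script")
    return findings


# Constructed sample plists (not real artifacts): one plausible legitimate agent, one suspicious.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>us.zoom.example</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/zoom.us.app/Contents/MacOS/zoom.us</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.zoom.update-helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string><string>-c</string>
    <string>/Users/alice/Library/Application Support/.zoomupdate/runner</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
```

Run `triage_agent` over each file in ~/Library/LaunchAgents to get a quick list of entries worth a closer look; an empty result is not a clean bill of health, only the absence of these three patterns.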

The warning adds to a growing DPRK playbook. Last week, Interchain Labs revealed Cosmos maintainers had unknowingly hired a North Korean developer, and U.S. prosecutors charged DPRK nationals with laundering more than $900,000 in stolen crypto via Tornado Cash. The U.S. Department of Justice says operatives posed as American citizens in several schemes to steal data from U.S. companies. TRM Labs estimates North Korea-linked groups siphoned $1.6 billion from web3 operators in the first half of 2025, led by February’s $1.5 billion Bybit breach. That's over 70% of all crypto losses in H1, according to the security startup.
