Researchers from SentinelLabs have uncovered a new threat in cyberspace associated with North Korean hackers. This attack targets macOS users to steal cryptocurrency and confidential data, as reported by TechRadar.
The researchers have identified a malware called NimDoor, written in Nim, a relatively rare programming language. The choice of an uncommon language helps the backdoor evade traditional antivirus detection. Once installed, NimDoor uses AppleScript for beaconing (its communication with the attackers' server) and asynchronous timers, which let the malware maintain its presence on the system and bypass security measures. The term “beaconing” in cybersecurity refers to the technique used by malware to periodically communicate with a command and control (C2) server to report its presence and receive instructions.
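Because beaconing is periodic by definition, its timing is one of the few signals a defender can see even when the traffic itself is encrypted. The script below is an added example, not code from the article or from SentinelLabs: it reads connection-log lines (the log format, hosts and IP addresses are constructed for the demo) and flags host-to-destination pairs whose connection intervals are nearly constant, using the coefficient of variation of the inter-connection gaps. The thresholds `min_connections` and `max_cv` are assumptions chosen for illustration.

```python
"""Beacon detection over constructed connection-log lines.

Added example (not from the article or SentinelLabs). Flags (src, dst) pairs
that connect at near-regular intervals, the pattern the article calls beaconing.
Log format, hosts and addresses are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst:port". One host talks to
# 203.0.113.7 every ~30 s with small jitter (beacon-like), browses
# 198.51.100.20 irregularly, and touches 192.0.2.9 only twice.
SAMPLE_LOG = """\
2025-07-01T10:00:00 10.0.0.5 203.0.113.7:443
2025-07-01T10:00:03 10.0.0.5 198.51.100.20:443
2025-07-01T10:00:31 10.0.0.5 203.0.113.7:443
2025-07-01T10:00:45 10.0.0.5 198.51.100.20:443
2025-07-01T10:01:30 10.0.0.5 203.0.113.7:443
2025-07-01T10:00:59 10.0.0.5 203.0.113.7:443
2025-07-01T10:02:01 10.0.0.5 203.0.113.7:443
2025-07-01T10:03:22 10.0.0.5 198.51.100.20:443
2025-07-01T10:02:29 10.0.0.5 203.0.113.7:443
2025-07-01T10:03:40 10.0.0.5 198.51.100.20:443
2025-07-01T10:05:00 10.0.0.5 192.0.2.9:443
2025-07-01T10:07:05 10.0.0.5 198.51.100.20:443
2025-07-01T10:05:30 10.0.0.5 192.0.2.9:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst). Lines may arrive out of order."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean_interval_seconds, coefficient_of_variation).

    A low coefficient of variation means the gaps between connections are
    nearly identical, i.e. timer-driven. Returns None with fewer than two gaps.
    """
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=4, max_cv=0.2):
    """Return the (src, dst) pairs whose timing looks like a beacon.

    min_connections avoids scoring pairs with too little history; max_cv is
    the regularity threshold (both are illustrative assumptions).
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "interval_s": round(interval, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {hit['src']} -> {hit['dst']} "
              f"x{hit['count']}, every ~{hit['interval_s']}s (cv={hit['cv']})")
```

On the constructed sample only the 203.0.113.7 pair is flagged (six connections about 29.8 s apart, cv about 0.05); the browsing traffic scores a cv above 0.7 and the two-connection pair is skipped. The caveat is that a backdoor driven by asynchronous timers can randomise its sleep or use long intervals, which raises the coefficient of variation past a simple threshold, so this kind of check is a triage signal to combine with destination reputation and process-level telemetry, not a verdict on its own.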
The attack usually starts in Telegram, where victims receive messages from a fictitious trusted contact inviting them to a Zoom meeting. When the link is clicked, a fake Zoom page opens, requesting an “update” to join the call. Instead, the NimDoor malware is downloaded, which steals various data:
- Browser history and search queries;
- Cookies and Telegram chats;
- Passwords from macOS Keychain.
“This is concerning in terms of the development of North Korean cyber capabilities, especially given the rise of remote work and the false sense of security among Mac users,” noted SentinelLabs.
North Korean hacker groups, particularly the notorious Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025, they stole over $3.4 billion, including:
- An attack on the ByBit exchange in February 2025: approximately $1.5 billion in tokens;
- The hack of Ronin Bridge in March 2022: about $600 million;
- An attack on Poly Network in 2021: around $600 million.
Experts advise macOS users to be cautious: do not click on suspicious links, even if they come from acquaintances, and to install updates only through official channels rather than from browser pop-ups.