Fake Zoom Updates Used In Crypto Hack Campaign
Wizcase was established in 2018 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, Intego and Private Internet Access which may be ranked and reviewed on this website. The reviews published on Wizcase are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
A North Korean hacking group is behind a new wave of cyberattacks on Web3 and cryptocurrency companies, using a rare type of macOS malware.
In a rush? Here are the quick facts:
- Victims contacted via Telegram with social engineering.
Researchers at Sentinel Labs have identified this malware family as NimDoor because it utilizes the obscure programming language Nim.
The attack starts with a social engineering trick. The attackers reach their targets through Telegram by impersonating colleagues. They then ask the victims to execute a “Zoom SDK update script” after sending them a fake Zoom meeting link. The malicious script, which contains 10,000 blank lines and a single typo (“Zook” instead of “Zoom”), downloads
Once triggered, the malware downloads and installs several harmful programs, including one that can steal login credentials, browser data, and Telegram chat history. Another script secretly copies users’ system files, Keychain data, and even terminal history, sending it all back to a remote server.
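A defender-side triage heuristic for the padded "update script" lure described above, as an added example that is not from the article or from the Sentinel Labs research: it flags a long run of blank lines, lists the lines that sit below it, and reports near-miss spellings of the product name. The 100-line threshold, the function names and the sample text are assumptions constructed for illustration, as is the premise that the padding exists to push later lines out of view.

```python
import re

BLANK_RUN_THRESHOLD = 100  # assumed cut-off; tune for your own script corpus
BRAND = "zoom"             # product name the lure imitates

def longest_blank_run(lines):
    """Return (first_line_no, length) of the longest run of whitespace-only lines."""
    best_start, best_len, start, length = 0, 0, 0, 0
    for no, line in enumerate(lines, 1):
        if line.strip():
            length = 0
            continue
        if length == 0:
            start = no
        length += 1
        if length > best_len:
            best_start, best_len = start, length
    return best_start, best_len

def near_miss_words(text, brand=BRAND):
    """Words as long as the brand that differ from it by exactly one letter.
    Heuristic only: ordinary words such as "room" also match and need review."""
    hits = set()
    for word in re.findall(r"[A-Za-z]+", text):
        w = word.lower()
        if len(w) == len(brand) and sum(a != b for a, b in zip(w, brand)) == 1:
            hits.add(word)
    return sorted(hits)

def triage(text, threshold=BLANK_RUN_THRESHOLD):
    """Summarise padding and lure-name indicators for one script's text."""
    lines = text.splitlines()
    start, length = longest_blank_run(lines)
    padded = length >= threshold
    # Non-blank lines a reader who stops at the padding would never reach.
    hidden = [(no, l.strip()) for no, l in enumerate(lines, 1)
              if padded and no >= start + length and l.strip()]
    return {"padded": padded, "blank_run": length,
            "hidden_lines": hidden, "near_miss": near_miss_words(text)}

# Constructed sample: harmless text shaped like the lure the article describes.
SAMPLE = ("-- Zook SDK Update\n" + 'display dialog "Updating Zoom SDK"\n'
          + "\n" * 10000 + 'log "placeholder for content below the padding"\n')

if __name__ == "__main__":
    print(triage(SAMPLE))
```
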
Unlike most macOS malware, NimDoor uses advanced methods like process injection alongside encrypted WebSocket Secure (wss) communication. These features, which enable secure communication with command servers, make the malware increasingly difficult to detect.
A standout feature is its persistence mechanism: even if a user or system tries to stop the malware, it re-installs itself using macOS’s own signal handling tools (SIGINT/SIGTERM).
“Threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts,” wrote Sentinel Labs researchers Phil Stokes and Raffaele Sabato. They warn that attackers’ use of Nim and AppleScript, along with fake update lures, shows a new level of sophistication.
Security experts recommend that Web3 and crypto platforms enhance their security measures and teach staff about social engineering techniques, given that this malware campaign demonstrates how attackers can exploit trust to penetrate secure systems.
Hi, I’m Kiara Fabbri, a Tech News Writer at WizCase.