NimDoor Malware Hits macOS Crypto Startups

  • NimDoor malware disguises as Zoom updates to infect macOS devices.

  • Targets crypto firms by stealing wallets, passwords, and Telegram data.

  • Uses rare Nim language and AppleScript for stealth and persistence.

North Korean hackers have launched a new campaign using NimDoor malware to target macOS-based crypto firms. The malware is cleverly disguised as a Zoom SDK update and spreads through Telegram messages and email invites. Victims receive a fake Calendly link that downloads an AppleScript file padded with thousands of blank lines to hide its code. When executed, the script installs NimDoor onto the device.

How NimDoor Stays Hidden

What makes this malware particularly dangerous is its stealth. It’s written in Nim, a rarely used programming language that helps the code evade traditional security analysis. Once installed, NimDoor injects itself into other processes, uses encrypted WebSocket channels for communication, and resists deletion by reinstalling itself if terminated. It also includes a beaconing system via AppleScript, pinging command servers every 30 seconds.

What NimDoor Steals

The main goal of NimDoor is to steal sensitive data from crypto companies. It collects:

  • Browser passwords from Chrome, Brave, Firefox, and more.

  • macOS Keychain contents including saved credentials.

  • Local Telegram databases and encryption keys.

  • Terminal command history and system information.

This gives attackers the ability to compromise crypto wallets, hijack Telegram accounts, and steal business-critical data—all while staying under the radar.

North Korean hackers are using a new malware called "NimDoor" to target crypto companies, according to Sentinel Labs. Disguised as Zoom updates and spread via Telegram, the malware is written in the rare Nim language, allowing it to bypass Apple's security and steal crypto wallet…

— Wu Blockchain (@WuBlockchain) July 3, 2025

Protecting Against This Threat

Crypto firms and individual users should avoid downloading updates from unofficial links or direct messages. Always use trusted sources for software updates. Additionally, regularly monitor system login items and be cautious of any suspiciously named applications or scripts. Endpoint protection tools should be configured to detect unusual process injections and AppleScript activity.
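The article notes that the dropper is an AppleScript file padded with thousands of blank lines so the real code sits far below what a quick look would show. A simple defensive heuristic is to flag script files whose content is mostly padding. The following check is an added example and not code from the article or from SentinelLabs; the thresholds, the report fields and the two sample scripts are assumptions constructed for illustration.

```python
"""Heuristic check for AppleScript files padded with blank lines.

Added example (not from the original article): flags scripts whose body
is mostly empty lines, the padding trick the article describes.
"""
from dataclasses import dataclass


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    suspicious: bool


def analyze_script(text: str, min_blank_run: int = 500,
                   max_blank_ratio: float = 0.9) -> PaddingReport:
    """Count blank lines and the longest run of consecutive blank lines.

    A script is flagged when it contains one long run of blank lines, or when
    blank lines make up most of a non-trivial file. The thresholds are
    assumptions chosen for this example, not values from the article.
    """
    lines = text.splitlines()
    total = len(lines)
    blank = run = longest = 0
    for line in lines:
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0  # a non-empty line ends the current run of padding
    ratio = blank / total if total else 0.0
    suspicious = total > 0 and (
        longest >= min_blank_run
        or (total >= min_blank_run and ratio >= max_blank_ratio)
    )
    return PaddingReport(total, blank, longest, suspicious)


# Constructed samples: a short ordinary script and a padded one whose only
# real line is pushed 3000 lines down the file.
NORMAL_SCRIPT = ('display notification "update complete"\n\n'
                 'tell application "Finder" to activate\n')
PADDED_SCRIPT = "\n" * 3000 + 'do shell script "echo placeholder"\n'

if __name__ == "__main__":
    for name, src in (("normal", NORMAL_SCRIPT), ("padded", PADDED_SCRIPT)):
        r = analyze_script(src)
        print(f"{name}: lines={r.total_lines} blank={r.blank_lines} "
              f"longest_run={r.longest_blank_run} suspicious={r.suspicious}")
```

Run the check over script files that appear in login items, LaunchAgents or recent downloads; a padded file is worth inspecting before it is ever executed.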


The post NimDoor Malware Hits macOS Crypto Startups appeared first on CoinoMedia.