According to ShibDaily, North Korean hackers have launched a new cyberattack campaign targeting cryptocurrency companies by deploying a sophisticated malware strain known as NimDoor. This malware is designed to infiltrate Apple devices, bypassing built-in memory protections to extract sensitive data from crypto wallets and browsers.
The attack begins with social engineering tactics on platforms like Telegram, where hackers pose as trusted contacts to engage victims in conversation. They then invite the target to a fake Zoom meeting, disguised as a Google Meet session, and send a file that mimics a legitimate Zoom update. This file serves as the delivery method for the malicious payload. Once executed, the malware installs NimDoor on the victim's device, which proceeds to harvest sensitive information, specifically targeting cryptocurrency wallets and stored browser credentials.
Researchers at cybersecurity firm SentinelLabs uncovered this new tactic, noting that the use of the Nim programming language sets this malware apart. Nim-compiled binaries are rarely seen targeting macOS, making the malware less recognizable to conventional security tools and potentially more difficult to analyze and detect. The researchers observed that North Korean threat actors have previously experimented with programming languages like Go and Rust, but the shift toward Nim reflects a strategic advantage due to its cross-platform capabilities. This allows the same codebase to run on Windows, Linux, and macOS without modification, increasing the efficiency and reach of their attacks.
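One practical consequence of the Nim observation for defenders is that a Nim-compiled macOS binary can be spotted on triage without a signature: an unstripped build carries the Nim runtime's own symbol names. The following is an added example written for this summary, not code from the article or from SentinelLabs. The marker strings (`NimMain`, `NimMainModule`, `nimFrame`, `nimGC`, `stdlib_system`, `system.nim`) are my assumption from the Nim compiler's C backend in general, not indicators taken from the report, and a stripped or obfuscated build may omit them; the sample buffers are constructed, not real samples.

```python
import sys

# Byte strings the Nim compiler's C backend typically leaves in an unstripped
# binary (runtime entry points, GC, stack-frame bookkeeping). These markers are
# an assumption from general Nim tooling, not indicators from the article;
# stripped or obfuscated builds may carry none of them.
NIM_MARKERS = (
    b"NimMain",
    b"NimMainModule",
    b"nimFrame",
    b"nimGC",
    b"stdlib_system",
    b"system.nim",
)

# Mach-O magic numbers as they appear on disk: thin 32/64-bit images in either
# byte order, plus the universal (fat) container.
MACHO_MAGICS = (
    b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xfe\xed\xfa\xce",
    b"\xca\xfe\xba\xbe",
)


def is_macho(data: bytes) -> bool:
    """True if the buffer starts with a Mach-O or fat-binary magic."""
    return data[:4] in MACHO_MAGICS


def nim_markers(data: bytes) -> list:
    """Return the Nim runtime markers present in the buffer, sorted."""
    return sorted(m.decode() for m in NIM_MARKERS if m in data)


def looks_nim_compiled(data: bytes, min_hits: int = 2) -> bool:
    """Heuristic: a Mach-O image carrying at least `min_hits` Nim markers.
    Two hits avoids flagging a binary that merely mentions 'system.nim'."""
    return is_macho(data) and len(nim_markers(data)) >= min_hits


def scan_file(path: str) -> dict:
    """Triage one file on disk and summarise the heuristic's verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "macho": is_macho(data),
        "markers": nim_markers(data),
        "nim_suspect": looks_nim_compiled(data),
    }


# Constructed sample buffers (not real malware): a fake 64-bit Mach-O header,
# padding, then the strings an unstripped Nim build would carry, versus a
# buffer with only ordinary C symbols.
SAMPLE_NIM = (b"\xcf\xfa\xed\xfe" + b"\x00" * 64
              + b"NimMain\x00NimMainModule\x00nimFrame\x00stdlib_system\x00")
SAMPLE_PLAIN = b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + b"main\x00_start\x00"

if __name__ == "__main__":
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(scan_file(p))
    else:
        print("Nim-like buffer:", nim_markers(SAMPLE_NIM), looks_nim_compiled(SAMPLE_NIM))
        print("plain buffer:   ", nim_markers(SAMPLE_PLAIN), looks_nim_compiled(SAMPLE_PLAIN))
```

Run it with file paths to triage real binaries, or with no arguments to see the verdict on the two constructed buffers. The check is deliberately a triage hint rather than a verdict: legitimate Nim software exists, and a stripped build defeats the string search, so a hit should route the file to deeper analysis rather than block it outright.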
The malicious payload includes a credential-stealing component engineered to discreetly harvest browser and system-level data, bundle the information, and transmit it to the attackers. Additionally, the researchers identified a script within the malware that targets Telegram by extracting both its encrypted local database and the corresponding decryption keys. Notably, the malware employs a delayed activation mechanism, waiting ten minutes before executing its operations in an apparent effort to evade security scanners.
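The behaviours described above (a long idle period after launch, then reads of the Telegram database and browser credential stores, then an outbound connection) combine into a simple endpoint-telemetry heuristic. The following is an added example for this summary, not code from the article or from SentinelLabs. The event format, the process names and the log lines are constructed; the sensitive paths (Telegram Desktop's `tdata` folder, Chrome's `Login Data`, the login keychain) are assumed typical macOS locations rather than paths the report names; and the eight-minute threshold is my choice, set just under the ten-minute delay the article describes so timer jitter does not drop a hit below the bar.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Paths whose reads are treated as credential harvesting. Assumed typical
# macOS locations, not paths taken from the article.
SENSITIVE_PATTERNS = (
    "Telegram Desktop/tdata",            # Telegram Desktop local DB and key material
    "Google/Chrome/Default/Login Data",  # Chrome saved-credential store
    "Keychains/login.keychain-db",       # macOS login keychain
)
# Idle time between launch and first suspicious activity that earns "high".
DELAY_THRESHOLD = timedelta(minutes=8)


@dataclass
class Event:
    ts: datetime
    pid: int
    exe: str
    kind: str          # "exec", "file_read" or "net_connect"
    target: str = ""   # file path for file_read, host:port for net_connect


def parse_log(text: str) -> list:
    """Parse constructed 'ISO-ts|pid|exe|kind|target' lines into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, exe, kind, target = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(pid), exe, kind, target))
    return events


def analyze(events: list) -> list:
    """Per process: require both credential-store reads and an outbound
    connection, then grade by how long the process sat idle first."""
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    findings = []
    for pid, evs in sorted(by_pid.items()):
        evs.sort(key=lambda e: e.ts)
        start = next((e.ts for e in evs if e.kind == "exec"), None)
        if start is None:
            continue
        reads = [e for e in evs if e.kind == "file_read"
                 and any(p in e.target for p in SENSITIVE_PATTERNS)]
        nets = [e for e in evs if e.kind == "net_connect"]
        if not reads or not nets:
            continue  # harvesting without an exfil channel (or vice versa) is not scored
        first_bad = min(reads[0].ts, nets[0].ts)
        delay = first_bad - start
        findings.append({
            "pid": pid,
            "exe": evs[0].exe,
            "delay_seconds": int(delay.total_seconds()),
            "stores": sorted({p for e in reads for p in SENSITIVE_PATTERNS if p in e.target}),
            "destinations": sorted({e.target for e in nets}),
            "severity": "high" if delay >= DELAY_THRESHOLD else "medium",
        })
    return findings


# Constructed telemetry (not real data). pid 101: the genuine Zoom client,
# which talks to the network but touches no credential store. pid 202: a
# file dropped as a "Zoom update" that idles ~10 minutes, then reads the
# Telegram and Chrome stores and connects out (TEST-NET address). pid 303:
# a hypothetical password manager that reads Login Data immediately after
# launch and syncs, which scores only "medium".
SAMPLE_LOG = """\
2025-07-02T10:00:00|101|/Applications/zoom.us.app/Contents/MacOS/zoom.us|exec|
2025-07-02T10:00:01|101|/Applications/zoom.us.app/Contents/MacOS/zoom.us|net_connect|zoom.us:443
2025-07-02T10:00:02|202|/Users/alice/Downloads/zoom_update_PLACEHOLDER|exec|
2025-07-02T10:05:00|303|/Applications/ExamplePasswordManager.app/Contents/MacOS/ExamplePasswordManager|exec|
2025-07-02T10:05:01|303|/Applications/ExamplePasswordManager.app/Contents/MacOS/ExamplePasswordManager|file_read|/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
2025-07-02T10:05:02|303|/Applications/ExamplePasswordManager.app/Contents/MacOS/ExamplePasswordManager|net_connect|sync.example.net:443
2025-07-02T10:10:30|202|/Users/alice/Downloads/zoom_update_PLACEHOLDER|file_read|/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas
2025-07-02T10:10:31|202|/Users/alice/Downloads/zoom_update_PLACEHOLDER|file_read|/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
2025-07-02T10:10:35|202|/Users/alice/Downloads/zoom_update_PLACEHOLDER|net_connect|203.0.113.7:443
"""

if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f)
```

The two-signal requirement (credential-store reads plus an outbound connection from the same process) keeps ordinary software that reads its own store out of the alert queue, and the delay grade separates a process that waits out a sandbox timer from one that starts work at once. Mapping real EDR or Endpoint Security events into the `Event` shape is the integration step left to the reader.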