Cybercriminals are using a macOS malware called NimDoor to steal data and passwords from wallets.

The analysis company Sentinel Labs published an alert on Wednesday (2) about a new cyber threat from North Korean hackers against cryptocurrency companies. According to the report, cybercriminals are using a macOS malware called NimDoor to steal data and passwords from cryptocurrency wallets on Apple devices.

According to the company, hackers send messages to targets via Telegram and then arrange a malicious meeting through Calendly, a meeting scheduling service. They then trick victims into downloading a fake Zoom update, loaded with malware that operates without triggering Apple’s security checks.

The malware stands out for being written in Nim, a niche programming language rarely used in malware. Sentinel stated that Apple's built-in protection signatures do not yet flag NimDoor, giving the backdoor free access to macOS machines.

Once installed, the malware collects passwords from browsers, Telegram databases, and cryptocurrency wallet files, and then sets up a login item agent that reloads the malware and extracts subsequent payloads.

To address the issue, the company asked cryptocurrency firms to block unsigned installation packages, verify Zoom updates only at zoom.us, and audit Telegram contact lists for new profiles sending executable files.
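One way to apply the zoom.us recommendation to links that arrive in chat messages, as an added example that is not code from Sentinel Labs or from this article. The function name, the decision to accept subdomains of zoom.us, and every sample URL are assumptions constructed for illustration.

```python
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "zoom.us"  # the one download source the guidance above names


def check_update_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a link that claims to be a Zoom update."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://zoom.us@other.host/" displays zoom.us but connects to other.host
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "no host"
    # Reject internationalized names, which can imitate ASCII letters
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host"
    if port not in (None, 443):
        return False, "non-default port"
    # Match on a label boundary: a bare endswith("zoom.us") would accept
    # "not-zoom.us". Allowing subdomains is an assumption of this example.
    if host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN):
        return True, "ok"
    return False, "host outside zoom.us"


# Constructed sample links (not taken from the report)
SAMPLES = [
    "https://zoom.us/download",
    "https://downloads.zoom.us/client/Zoom.pkg",
    "http://zoom.us/download",
    "https://zoom.us.updates.example/Zoom.pkg",
    "https://zoom.us@files.example/Zoom.pkg",
    "https://not-zoom.us/update",
    "https://zo\u043em.us/download",  # Cyrillic "о" in place of Latin "o"
]

if __name__ == "__main__":
    for link in SAMPLES:
        allowed, reason = check_update_url(link)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {reason:24} {link!r}")
```

A passing URL check only confirms where a link points; the downloaded package still has to pass the signature check the guidance calls for.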

North Korean hackers and cryptocurrencies

The alert from Sentinel Labs adds to a growing pattern of activity linked to North Korea. Last week, Interchain Labs revealed that the maintainers of the crypto project Cosmos unknowingly hired a North Korean developer, and American prosecutors accused citizens of the Asian country of laundering over $900,000 in stolen cryptocurrencies via Tornado Cash.

The U.S. Department of Justice states that agents impersonated American citizens in various schemes to steal data from American companies.

TRM Labs estimates that North Korea-linked groups diverted $1.6 billion from web3 operators in the first half of 2025, led by the hack of about $1.5 billion from Bybit in February. This represents over 70% of all cryptocurrency losses in the first half.