Companies that work with cryptocurrencies (digital money, like Bitcoin) and Web3 – a more decentralized version of the internet, based on blockchain, that gives people greater control over their data and transactions – are being targeted by North Korean hackers.
The North Koreans created a malware called NimDoor, written in the Nim programming language. It uses advanced techniques to deceive users and steal information, such as browser passwords (from Google Chrome and Firefox, for example) and Telegram data.
According to the cybersecurity company SentinelOne, the malware attacks macOS systems (from Apple computers) using sophisticated methods. It also has a system that ensures its persistence on the computer, even if the user tries to delete it or restart the device.
Hackers use a strategy called social engineering, which is like a digital scam to deceive victims. They send messages via Telegram, pretending to offer a meeting on Zoom, scheduled through a real application called Calendly.
The victim receives an email with a link that appears to be for the meeting, along with instructions to run a program that supposedly updates Zoom.
This program is actually an AppleScript (a scripting language used on Apple computers) that downloads another script from a remote server. Meanwhile, the link redirects the victim to the official Zoom website, to avoid raising suspicion.
The downloaded script unpacks files with malicious code that keeps the virus active on the computer and steals information.
The core of the attack is a program called InjectWithDyldArm64, which launches two components: Target and trojan1_arm64. These components work together to:
Collect data: they steal saved passwords from browsers and information from Telegram;
Communicate with the hackers: the virus connects to the hackers' servers every 30 seconds, sending data from the computer (such as open programs) and receiving new instructions; and
Stay hidden: it uses tricks to avoid being deleted, even if the user tries to close the program or restart the computer.
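A fixed 30-second check-in is something defenders can look for in their own connection logs. The script below is an added example written for this article, not code from SentinelOne or from the article itself: it parses a small constructed log (the timestamps, the IP 203.0.113.10 and the hostnames are placeholders) and flags any process-to-destination pair whose connection gaps are almost all the same length, which is what a regular beacon looks like next to ordinary browsing.

```python
"""
Spotting a fixed-interval beacon in outbound connection logs.

Added example, not part of the original article and not SentinelOne's code.
The log lines are constructed: "Target" is the component name quoted in the
article, every timestamp, host and IP is made up for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: ISO timestamp, process name, destination host:port.
# "Target" checks in every 30 s; Safari traffic is irregular, as browsing is.
SAMPLE_LOG = """\
2025-07-02T10:00:00 Target 203.0.113.10:443
2025-07-02T10:00:05 Safari www.example.com:443
2025-07-02T10:00:30 Target 203.0.113.10:443
2025-07-02T10:00:41 Safari www.example.com:443
2025-07-02T10:01:00 Target 203.0.113.10:443
2025-07-02T10:01:30 Target 203.0.113.10:443
2025-07-02T10:01:57 Safari www.example.com:443
2025-07-02T10:02:00 Target 203.0.113.10:443
2025-07-02T10:02:30 Target 203.0.113.10:443
"""


def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest = line.split()
        events[(proc, dest)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_events=5):
    """Return (median gap in seconds, fraction of gaps within 10% of it).

    Returns None when there are too few events to judge periodicity.
    A fraction close to 1.0 means the connections are almost perfectly
    regular; human-driven traffic normally scores far lower.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - med) <= 0.1 * med) / len(gaps)
    return med, regular


def find_beacons(text, min_events=5, regularity=0.9):
    """List (process, destination, interval_s) pairs that look like beacons."""
    flagged = []
    for (proc, dest), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score and score[1] >= regularity:
            flagged.append((proc, dest, score[0]))
    return flagged


if __name__ == "__main__":
    for proc, dest, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {proc} -> {dest} every {interval:.0f}s")
```

On the sample, only the Target process is flagged, with a 30-second interval; the Safari connections are too few and too irregular. In practice you would run this over hours of logs, tolerate some jitter (malware often randomizes its sleep), and treat a hit as a prompt to inspect the process and its persistence mechanism, not as proof on its own.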
Why is it dangerous?
North Korean hackers are becoming more skilled, even attacking macOS systems, which were previously less targeted. The Nim language allows the creation of hard-to-detect code, and the use of AppleScript shows a level of sophistication, according to experts.
Moreover, the BabyShark campaign, linked to the Kimsuky group, uses similar tactics, such as fake emails that mimic requests for interviews or secure documents. Since January 2025, these attacks have deceived targets in South Korea, installing tools like Chrome Remote Desktop to access computers remotely.
The Kimsuky group also uses platforms like GitHub and Dropbox to spread malware, such as Xeno RAT, an open-source remote access trojan. They send fake emails, impersonating academic institutions or diplomats, to deceive victims and install malicious code through links or attachments.
Another strategy, called ClickFix, makes victims execute commands on Windows, often through fake CAPTCHA pages or messages requesting the installation of legitimate programs, such as AnyDesk, allowing hackers to control the computer remotely.