According to The Block: SentinelLabs warned that North Korean hackers are using the NimDoor backdoor virus, disguised as a Zoom update, to attack macOS systems and steal encrypted wallet data and passwords.
Security company SentinelLabs warned in a recent research report that a North Korean cyberattack organization is using a new type of macOS backdoor virus called NimDoor to infect Apple devices, thereby infiltrating cryptocurrency companies and stealing wallet credentials and browser passwords.
The virus is hidden in a fake Zoom update program and is distributed mainly through the Telegram messaging platform. The attackers used familiar social engineering tactics: they first contacted target users on Telegram, then scheduled a 'meeting' on Calendly to entice victims into downloading a malicious installer disguised as a Zoom update. Installed by 'sideloading', the package bypassed Apple's security checks and ran successfully on the device.
What sets NimDoor apart is that it is written in Nim, a niche programming language rarely used in malware, which also helps it evade Apple's current virus detection. Once installed, the backdoor will:
Collect saved passwords from browsers;
Steal the local database from Telegram;
Extract cryptocurrency wallet files;
And create login startup items to achieve persistent operation and download subsequent attack modules.
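The persistence step above is the one a defender can audit locally. The script below is an added example, not SentinelLabs' tooling or anything from the report: it assumes the 'login startup item' is a per-user LaunchAgent plist (a common macOS mechanism; the article does not name the exact method) and flags entries whose program runs from a temporary, hidden or user-writable location, or whose Label borrows a vendor name (Zoom, Apple, Google, Microsoft) while the program sits outside the normal application trees. The three sample plists are constructed for the example, not artefacts from the campaign.

```python
#!/usr/bin/env python3
"""Triage macOS LaunchAgent plists for persistence entries that look like a
sideloaded 'update' masquerading as a known vendor.

Example code added to this article; not SentinelLabs' tooling. The LaunchAgent
mechanism and the sample entries are assumptions/constructed samples.
"""
import os
import plistlib

# Locations a non-admin installer can write to; a persistence program living
# here deserves a second look.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                   "/Users/Shared/")
# Vendor names a lure is likely to borrow for its Label.
VENDOR_WORDS = ("zoom", "apple", "google", "microsoft")
# Where genuinely installed software lives; a vendor-named agent whose program
# is outside these trees is a mismatch.
TRUSTED_ROOTS = ("/Applications/", "/System/", "/Library/", "/usr/")

# Constructed sample plists (hypothetical labels and paths, not real artefacts).
SAMPLES = {
    # benign: a helper living under /Applications, as installed software should
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/Applications/ExampleBackup.app/Contents/MacOS/backupd"],
        "RunAtLoad": True,
    }),
    # suspicious: vendor-like label, binary in a hidden directory under $HOME
    "com.zoom.update.plist": plistlib.dumps({
        "Label": "com.zoom.update",
        "ProgramArguments": ["/Users/alice/.zoomupdate/zoom-helper", "--silent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    # suspicious: no vendor claim, but runs from /private/tmp
    "com.local.helper.plist": plistlib.dumps({
        "Label": "com.local.helper",
        "Program": "/private/tmp/helper",
        "RunAtLoad": True,
    }),
}


def program_path(plist):
    """Return the executable a LaunchAgent runs (Program, else ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_plist(plist, home="/Users/alice"):
    """Return a list of human-readable findings for one parsed LaunchAgent dict."""
    findings = []
    label = str(plist.get("Label", "")).lower()
    prog = program_path(plist)
    if prog.startswith("~"):  # resolve against the audited user's home, not ours
        prog = home + prog[1:]
    if not prog:
        return ["no Program or ProgramArguments key: nothing to run"]
    if prog.startswith(SUSPICIOUS_DIRS) or prog.startswith(home + "/Downloads/"):
        findings.append(f"program in transient or user-writable location: {prog}")
    if any(part.startswith(".") for part in prog.split("/") if part):
        findings.append(f"program inside a hidden directory: {prog}")
    vendor = next((w for w in VENDOR_WORDS if w in label), None)
    if vendor and not prog.startswith(TRUSTED_ROOTS):
        findings.append(f"label claims '{vendor}' but program is outside trusted app roots: {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        findings.append("RunAtLoad+KeepAlive on an already-suspicious agent: persistent and auto-restarting")
    return findings


def audit_all(blobs, home="/Users/alice"):
    """Parse each plist blob and return {filename: findings} for flagged entries only."""
    report = {}
    for name, blob in blobs.items():
        findings = audit_plist(plistlib.loads(blob), home=home)
        if findings:
            report[name] = findings
    return report


def audit_directory(directory):
    """Audit every .plist in a real LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    blobs = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                blobs[name] = fh.read()
    return audit_all(blobs, home=os.path.expanduser("~"))


if __name__ == "__main__":
    import sys
    # With a directory argument, audit it; otherwise run on the constructed samples.
    report = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_all(SAMPLES)
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The heuristics are deliberately coarse: legitimate user agents can live in hidden directories, so treat a hit as a prompt to check the program's code signature and origin, not as a verdict.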
SentinelLabs recommends:
Cryptocurrency companies should prohibit all unsigned installation packages;
Download Zoom updates only from the official zoom.us website;
Review the Telegram contact list and be wary of unfamiliar accounts that actively send executable files.
This attack is part of North Korea's ongoing targeting of the Web3 industry. Previously, Interchain Labs revealed that the Cosmos project team had inadvertently hired North Korean developers. At the same time, the U.S. Department of Justice has also charged several North Korean suspects, alleging that they laundered over $900,000 in stolen cryptocurrency through Tornado Cash, impersonating U.S. citizens and planning multiple cyberattacks.
According to the latest estimates from blockchain security company TRM Labs, in the first half of 2025, hacker organizations linked to North Korea have collectively stolen over $1.6 billion in crypto assets. Among them, the Bybit attack incident in February alone caused a loss of $1.5 billion, accounting for over 70% of all crypto losses in Web3 during the first half of the year.