Hackers use sophisticated malware to steal data from companies in the cryptocurrency and Web3 sector.
Companies that work with cryptocurrencies (digital money, like Bitcoin) and Web3 – a more decentralized version of the internet, based on blockchain, which gives people greater control over their data and transactions – are being targeted by North Korean hackers.
The North Korean hackers created malware called NimDoor, written in the Nim programming language, which uses advanced techniques to deceive users and steal information such as browser passwords (from browsers like Google Chrome and Firefox) and Telegram data.
According to the cybersecurity company SentinelOne, the malware attacks macOS systems (the operating system of Apple computers) with sophisticated methods. It also has a persistence mechanism that keeps it running on the computer, even if the user tries to delete it or restart the device.
Hackers use a strategy called social engineering, which is essentially a digital scam to deceive victims. They send messages via Telegram, pretending to offer a Zoom meeting booked through a legitimate scheduling app called Calendly.
The victim receives an email with a link that appears to be for the meeting, along with instructions to run a program that supposedly updates Zoom.
This program is actually an AppleScript (a scripting language used on Apple computers) that downloads another script from a remote server. Meanwhile, the link redirects the victim to the official Zoom site to avoid raising suspicion.
The heart of the attack is a program called InjectWithDyldArm64, which launches two components: Target and trojan1_arm64.
These components work together to:
- Collect data: they steal passwords saved in browsers and information from Telegram;
- Talk to the hackers: the malware connects to the hackers' servers every 30 seconds, sending data from the computer (such as which programs are open) and receiving new instructions; and
- Stay hidden: it uses tricks to avoid being removed, even if the user tries to close the program or restart the computer.
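A 30-second check-in is the kind of pattern defenders can look for in their own telemetry: legitimate software rarely contacts one host on an exact, fixed timer for minutes on end. The script below is an added example written for this article, not code from SentinelOne or from the malware itself. It assumes a constructed connection log in a "timestamp|process|destination" format (the process name "Target" and the documentation-range address 203.0.113.7 are placeholders, not real indicators), groups connections by process and destination, and flags any pair whose inter-connection gaps are nearly constant.

```python
"""Flag fixed-interval beaconing in an outbound connection log.

Added example for this article; not SentinelOne's or the malware author's code.
The log format and every address below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp|process|destination". 198.51.100.20 and
# 203.0.113.7 are RFC 5737 documentation addresses used as placeholders.
SAMPLE_LOG = """\
2025-07-02T10:00:00|Google Chrome|198.51.100.20:443
2025-07-02T10:00:00|Target|203.0.113.7:443
2025-07-02T10:00:04|Google Chrome|198.51.100.20:443
2025-07-02T10:00:05|Google Chrome|198.51.100.20:443
2025-07-02T10:00:30|Target|203.0.113.7:443
2025-07-02T10:00:41|Google Chrome|198.51.100.20:443
2025-07-02T10:01:00|Target|203.0.113.7:443
2025-07-02T10:01:10|Google Chrome|198.51.100.20:443
2025-07-02T10:01:30|Target|203.0.113.7:443
2025-07-02T10:02:00|Target|203.0.113.7:443
2025-07-02T10:02:30|Target|203.0.113.7:443
2025-07-02T10:02:55|Google Chrome|198.51.100.20:443
2025-07-02T10:02:56|Google Chrome|198.51.100.20:443
2025-07-02T10:03:00|Target|203.0.113.7:443
"""


def parse_log(text):
    """Group sorted connection timestamps by (process, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, proc, dest = line.split("|")
        series[(proc, dest)].append(datetime.fromisoformat(stamp))
    for stamps in series.values():
        stamps.sort()
    return series


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # A fixed timer gives a near-zero spread relative to the mean gap.
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=6, max_cv=0.15):
    """Return [(process, destination, mean_gap_s)] for regular beaconers."""
    hits = []
    for (proc, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stats = interval_stats(stamps)
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            hits.append((proc, dest, round(avg, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for proc, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {proc} -> {dest} every {gap}s")
```

The browser traffic in the sample is bursty and is ignored, while the placeholder "Target" process is reported with a 30-second period. Real implants often add jitter to their timer, so raise max_cv in practice, and treat any hit as a lead to enrich with destination reputation and process provenance rather than as a verdict on its own, since software updaters also poll on a schedule.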
Why is it dangerous?
North Korean hackers are becoming more skilled, attacking even macOS systems, which were previously less targeted. The Nim language allows the creation of hard-to-detect code, and the use of AppleScript shows a level of sophistication, according to experts.
Furthermore, the BabyShark campaign, linked to the Kimsuky group, uses similar tactics, such as fake emails that imitate requests for interviews or secure documents. Since January 2025, these attacks have deceived targets in South Korea, installing tools like Chrome Remote Desktop to access computers remotely.
The Kimsuky group also uses platforms like GitHub and Dropbox to spread malware, such as Xeno RAT, an open-source remote access trojan. They send fake emails posing as academic institutions or diplomats to deceive victims and install malicious code through links or attachments.
Another strategy, called ClickFix, makes victims execute commands on Windows, often through fake CAPTCHA pages or messages asking to install legitimate programs like AnyDesk, allowing hackers to control the computer remotely.