North Korean Hackers Target Crypto Firms With New ‘NimDoor’ Malware Masquerading as Zoom Update

A North Korean cybercrime group is using fake Zoom updates to deliver a new strain of macOS malware called NimDoor, according to security researchers at SentinelLabs. The malware is designed to target cryptocurrency firms, with the goal of stealing sensitive data such as wallet credentials, Telegram messages, and browser passwords.

Source report (SentinelLabs): “macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware”. Its summary: “NimDoor reflects a leap in DPRK’s offensive toolkit, mixing compile-time trickery with native scripting to complicate and deter analysis.”

The attack begins with a familiar tactic: social engineering. Hackers reach out to potential victims via Telegram, posing as legitimate contacts. They then schedule meetings through Calendly and share what appears to be a routine Zoom update. In reality, the update is a malware-laced installer that bypasses Apple’s built-in security checks.

What makes NimDoor particularly notable is its unusual codebase. It’s written in Nim, a programming language rarely used in malware development. Because of that, Apple’s malware detection tools currently don’t recognize it, giving the backdoor a clear path onto devices running macOS.

[Figure: the zoom_sdk_support.scpt file is padded with 10,000 lines of whitespace; note the typo ‘Zook’ and the scroll bar, top right]
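The padding trick in that screenshot is easy to triage automatically: a script whose visible top is harmless but whose bulk is thousands of blank lines, with the real logic pushed far below the fold. The following is an added example, not code from the article or from SentinelLabs. It measures the blank-line ratio and the longest run of blank lines in a text file and reports where content resumes after the padding, so an analyst or a mail/endpoint pipeline can flag such files for a closer look. The thresholds (500 consecutive blank lines, 90% blank overall) and the sample scripts are constructed for illustration, not taken from the real sample.

```python
"""Triage heuristic for whitespace-padded script files (e.g. AppleScript .scpt
exported as text). Added example; thresholds and samples are constructed."""
import sys
from dataclasses import dataclass


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    blank_ratio: float
    longest_blank_run: int
    # 1-based number of the first non-blank line after the longest blank run,
    # i.e. where the hidden logic begins; 0 if nothing follows the run.
    first_line_after_longest_run: int
    suspicious: bool


def analyze_padding(text: str,
                    min_blank_run: int = 500,
                    min_blank_ratio: float = 0.9) -> PaddingReport:
    """Flag text whose bulk is blank lines hiding content far below the top."""
    lines = text.splitlines()
    total = len(lines)
    blank = 0
    longest_run = 0
    run = 0
    run_end_idx = -1  # index of the last blank line in the longest run

    for i, line in enumerate(lines):
        if line.strip() == "":
            blank += 1
            run += 1
            if run > longest_run:      # strict '>' keeps the first run on ties
                longest_run = run
                run_end_idx = i
        else:
            run = 0

    ratio = blank / total if total else 0.0
    if run_end_idx >= 0 and run_end_idx + 1 < total:
        first_after = run_end_idx + 2  # convert next index to 1-based line no.
    else:
        first_after = 0

    suspicious = longest_run >= min_blank_run and ratio >= min_blank_ratio
    return PaddingReport(total, blank, ratio, longest_run, first_after, suspicious)


def scan_file(path: str) -> PaddingReport:
    """Read a file leniently (binary junk replaced) and analyze it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return analyze_padding(fh.read())


# Constructed samples (not real malware): a short benign script, and a script
# that mimics the padding pattern with 10,000 blank lines after a decoy header.
BENIGN_SCRIPT = 'on run\n\tdisplay dialog "Hello"\nend run\n'
PADDED_SCRIPT = ("-- Zook SDK support\n"          # decoy header, typo included
                 + "\n" * 10000
                 + 'display dialog "hidden logic would start here"\n')


def main(argv: list) -> int:
    paths = argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed samples.
        for name, text in (("benign", BENIGN_SCRIPT), ("padded", PADDED_SCRIPT)):
            print(name, analyze_padding(text))
        return 0
    worst = 0
    for p in paths:
        rep = scan_file(p)
        flag = "SUSPICIOUS" if rep.suspicious else "ok"
        print(f"{flag:10} {p}: {rep.blank_lines}/{rep.total_lines} blank, "
              f"longest run {rep.longest_blank_run}, "
              f"content resumes at line {rep.first_line_after_longest_run}")
        worst = max(worst, 1 if rep.suspicious else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more paths to get a per-file verdict (exit status 1 if anything was flagged), or with no arguments to see the two constructed samples scored. The ratio alone is not enough, since a short script with a few blank lines can have a high ratio; requiring a long contiguous run as well keeps the check focused on the "decoy header, then a wall of whitespace" layout the article describes.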

Once deployed, NimDoor immediately goes to work. It extracts login credentials, digs through crypto wallet files, and copies Telegram databases. The malware also installs a login item to ensure it reloads on every startup, making it harder to detect or remove. SentinelLabs warns that the malware can also fetch additional payloads after installation, meaning initial infection may only be the beginning.

To protect themselves, SentinelLabs urges crypto firms and macOS users to take several precautions:

  • Block unsigned installer packages
  • Only download Zoom updates directly from zoom.us
  • Review Telegram contacts for unknown or suspicious profiles sharing executable files

This latest operation adds to a growing body of evidence that North Korean hacking groups are intensifying their focus on the crypto sector. Just last week, Interchain Labs revealed that a developer working on Cosmos infrastructure was secretly affiliated with the DPRK. Meanwhile, U.S. prosecutors have charged North Korean nationals with laundering more than $900,000 in stolen crypto through the privacy mixer Tornado Cash.

The scale of these campaigns is alarming. According to blockchain forensics firm TRM Labs, North Korea-linked hackers have stolen an estimated $1.6 billion from Web3 organizations in the first half of 2025 alone. February’s Bybit breach accounted for $1.5 billion of that total, making it the single largest known crypto heist this year.