- By writing the malware in Nim, the attackers are able to slip past conventional security tooling
- They approach their victims on Telegram and invite them to a Zoom meeting
- The malware steals sensitive data and cryptocurrency
North Korean threat actors are targeting Mac users with new malware in order to steal cryptocurrency and other sensitive data, experts have warned.
SentinelLabs security researchers have discovered NimDoor, an unusual piece of malware written in the relatively obscure Nim programming language. They attribute it to North Korean state-sponsored actors whose main business is cryptocurrency theft, with the proceeds used to fund the state apparatus and its weapons programs.
Nim was chosen above all to evade detection. The backdoor also uses AppleScript for beaconing and asynchronous sleep timers, evades conventional security measures, and maintains persistence on the compromised Mac.
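The article only says that the backdoor maintains persistence and drives its beaconing through AppleScript; it does not say where the persistence lives. One check a macOS defender can still run on that description is a sweep of launchd jobs for entries that start a script interpreter (osascript in particular), carry inline AppleScript that shells out, or point at a binary outside the usual install paths. The script below is an added example, not code from the original article or from SentinelLabs. The directory list, the interpreter and trusted-path heuristics, and both embedded sample plists are assumptions constructed for illustration; the "zoom update" sample only imitates the lure theme and is not a real NimDoor indicator.

```python
"""Hunt launchd persistence that runs AppleScript or odd binaries (macOS)."""
import plistlib
from pathlib import Path

# Standard launchd job locations (assumed scope; add /System paths if you want them).
LAUNCHD_DIRS = (
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library" / "LaunchAgents",
)
# Interpreters that a legitimate vendor job rarely launches directly (heuristic, assumed).
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "curl"}
# Prefixes under which a vendor-installed job binary normally lives (heuristic, assumed).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/System/", "/Applications/", "/Library/")


def suspicious_reasons(job: dict) -> list[str]:
    """Return human-readable reasons a parsed launchd job looks like persistence abuse."""
    args = list(job.get("ProgramArguments") or [])
    if not args and job.get("Program"):
        args = [job["Program"]]
    if not args:
        return []
    exe = str(args[0])
    name = exe.rsplit("/", 1)[-1]
    reasons = []
    if name in SCRIPT_INTERPRETERS:
        reasons.append(f"launchd runs a script interpreter directly: {name}")
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside usual install paths: {exe}")
    rest = " ".join(str(a) for a in args[1:])
    # osascript -e '...' or 'do shell script' is the classic AppleScript loader/beacon shape.
    if name == "osascript" and ("-e" in args[1:] or "do shell script" in rest):
        reasons.append("inline AppleScript that shells out")
    # Only worth mentioning when something else already looks wrong; many benign jobs set both.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunched at login and restarted if killed")
    return reasons


def analyze_plist(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and score the job."""
    return suspicious_reasons(plistlib.loads(data))


def scan_launchd(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Walk the launchd directories and collect findings keyed by plist path."""
    findings = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                reasons = analyze_plist(p.read_bytes())
            except Exception as exc:  # unreadable or malformed plist: report, don't crash
                reasons = [f"could not parse: {exc}"]
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples (not real indicators). Bytes must start with <?xml for plistlib.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendor.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Vendor.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

LURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.zoomupdate</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>-e</string>
    <string>do shell script "/Users/victim/Library/Application Support/.zoom-update"</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PLIST), ("lure", LURE_PLIST)):
        print(label, analyze_plist(sample))
    for path, reasons in scan_launchd().items():
        print(path, "->", "; ".join(reasons))
```

The heuristics are deliberately loose: they are a triage filter, not a signature, and every hit still needs a look at the binary it points to and at what osascript is being told to run.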
Alarming evolution
The attack typically begins on Telegram, where the victim is approached by a seemingly trustworthy contact and invited to a fake Zoom meeting.
The link sends the victim to a spoofed Zoom page that prompts them to install an "update" in order to join the call. Instead of an update, the victim receives the malicious payload, which steals all kinds of sensitive data: browsing history, search activity, cookies, Telegram data, and Keychain passwords.
"This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing trend of remote work and Mac users' perception that they are less vulnerable to these attacks," the researchers explained.
North Korean state-sponsored threat actors are known for campaigns targeting cryptocurrency and web companies. Among the most prominent and dangerous is Lazarus, a threat actor that netted more than $3.4 billion across various attacks between 2021 and 2025.
Among the largest heists is the Bybit attack of February 2025, in which they stole roughly $1.5 billion in various tokens. Ronin Bridge was compromised in March 2022 for about $600 million, and Poly Network lost roughly the same amount the previous year.