North Korean Hackers Use NimDoor Malware to Target Crypto

plowunited.net – North Korean hackers have launched a sophisticated campaign using NimDoor malware to target macOS devices at Web3 and cryptocurrency companies. Cybersecurity researchers at Sentinel Labs revealed that the hackers exploit social engineering tactics combined with malicious scripts to infiltrate their victims. The attackers often contact targets through messaging platforms like Telegram. They trick victims into joining calls arranged via scheduling services such as Calendly. Once engaged, hackers send emails disguised as legitimate updates, including a “Zoom SDK update” script. This script installs NimDoor malware silently without alerting the user.

The malware then establishes communication with a command and control (C2) server, enabling remote control. NimDoor is unique because it combines code written in C++, Nim, and AppleScript. This multi-language approach makes the malware harder to detect and analyze. Once active, NimDoor executes bash scripts to collect sensitive data. It extracts information from popular browsers including Chrome, Edge, Arc, Brave, and Firefox. It also steals iCloud Keychain passwords and Telegram user data from infected devices. This data harvesting can lead to significant security breaches for firms handling sensitive crypto transactions and Web3 infrastructure.
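A small detection check for the data-harvesting step described above, written from the defender's side. This is example code added here, not tooling from Sentinel Labs' report; the process events are constructed samples, and the file paths are the usual macOS locations for those apps (an assumption, not something the article states).

```python
"""Flag process-execution events that match the NimDoor-style pattern:
a fake 'Zoom SDK update' script run by an interpreter, or a shell that
touches several browser / Keychain / Telegram data stores at once."""
import re

# Data stores the report says the malware's bash scripts read. Paths are the
# standard macOS locations for each app (assumed; not taken from the report).
SENSITIVE_PATHS = {
    "Chrome":   r"Library/Application Support/Google/Chrome",
    "Edge":     r"Library/Application Support/Microsoft Edge",
    "Arc":      r"Library/Application Support/Arc",
    "Brave":    r"Library/Application Support/BraveSoftware",
    "Firefox":  r"Library/Application Support/Firefox/Profiles",
    "Keychain": r"Library/Keychains/login\.keychain-db",
    "Telegram": r"Library/(Group )?Containers/.*[Tt]elegram",
}
SHELLS = {"bash", "sh", "zsh"}
# Lure name pattern from the article: a script posing as a "Zoom SDK update".
ZOOM_LURE = re.compile(r"zoom.*sdk.*update", re.IGNORECASE)

def classify(event):
    """Return the reasons one exec event looks like this campaign, or []."""
    reasons = []
    proc, cmd = event["process"], event["cmdline"]
    if ZOOM_LURE.search(cmd) and proc in SHELLS | {"osascript"}:
        reasons.append("zoom-sdk-update lure script run by an interpreter")
    if proc in SHELLS:
        hits = [name for name, pat in SENSITIVE_PATHS.items() if re.search(pat, cmd)]
        # One app directory can be legitimate admin work; several credential
        # stores in a single shell command is the harvesting pattern.
        if len(hits) >= 2:
            reasons.append("shell reads multiple credential stores: " + ", ".join(sorted(hits)))
    return reasons

# Constructed sample events (not captured from a real infection).
SAMPLE_EVENTS = [
    {"process": "bash", "cmdline": "bash /Users/dev/Downloads/zoom_sdk_update.sh"},
    {"process": "bash", "cmdline": "bash -c 'cp ~/Library/Application Support/Google/Chrome/Default/Login Data /tmp/x; "
                                   "cp ~/Library/Keychains/login.keychain-db /tmp/k'"},
    {"process": "zsh",  "cmdline": "zsh -c 'ls ~/Library/Application Support/Firefox/Profiles'"},
    {"process": "Zoom", "cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"},
]

def scan(events):
    """Return (cmdline, reason) pairs for every event that triggered a rule."""
    return [(e["cmdline"], r) for e in events for r in classify(e)]

if __name__ == "__main__":
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {reason}\n  {cmdline}")
```

On a real endpoint the events would come from an EDR or `eslogger` process-exec feed rather than the inline list; the third sample (a single Firefox directory listing) is deliberately not flagged to show the multi-store threshold.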

NimDoor’s Persistence and Evolving Threat Techniques

Sentinel Labs’ analysis highlights NimDoor’s advanced persistence mechanism. The malware uses signal-based handlers (SIGINT/SIGTERM) to reinstall itself if the process is terminated or the system restarts. This persistence ensures continuous access to victim devices, making removal difficult. North Korean hackers leverage this feature to maintain long-term control and data exfiltration capabilities.

The use of Nim, a lesser-known programming language, gives attackers an edge. This language is less familiar to many cybersecurity professionals and automated detection tools. By combining Nim with C++ and AppleScript, the hackers create malware that evades traditional security defenses more effectively. This trend of using obscure programming languages for cyberattacks is increasing, complicating detection efforts across the industry.

The campaign targeting Web3 and crypto firms highlights the growing risk faced by this sector from nation-state actors. Firms must enhance security training to recognize social engineering attempts and deploy updated endpoint protections capable of identifying multi-language malware. Sentinel Labs recommends continuous monitoring and employing threat intelligence to counter these evolving threats.

As attackers innovate, security teams must adapt quickly to protect critical infrastructure and user data in the fast-growing blockchain and cryptocurrency space. The detailed research on NimDoor underscores the importance of staying informed about novel attack vectors used by advanced threat groups like those linked to North Korea.