A new malware campaign reportedly linked to North Korean hackers is targeting Apple Mac users in the crypto industry, exploiting trust-based communication channels and bypassing traditional security protections.
Mac Malware Targets Crypto Projects via Fake Zoom Updates
Cybersecurity firm Sentinel Labs uncovered a tactic used by state-sponsored North Korean attackers in which they impersonate trusted contacts on Telegram and initiate a fake Google Meet call. The attackers then send a malicious Zoom “update” file which, when executed, installs stealthy malware known as NimDoor.
The malware specifically targets macOS systems and deploys an advanced infostealer to compromise crypto wallets, Telegram data, and browser credentials.
Nim Programming Language Evades Detection
What makes this attack unusual and dangerous is the use of the Nim programming language—a relatively new and uncommon language in cybercrime.
Nim allows the malware to run across Windows, Mac, and Linux platforms while remaining hard for most antivirus software to detect.
Sentinel Labs noted this is a strategic shift from Go and Rust previously used by North Korean-aligned hackers, further showcasing their evolving capabilities.
Stealth Infostealer Payload Compromises Wallets
Once active, NimDoor waits ten minutes before executing to avoid triggering security scanners. The payload includes:
- Keylogger and clipboard snooping
- Screen recording
- Telegram database theft with decryption keys
- Full-featured infostealer (CryptoBot) with a focus on browser extension crypto wallets
The malware can extract and exfiltrate system-level and browser data without alerting the user.
BlueNoroff Behind the Campaign?
The attack resembles past cyber campaigns linked to the BlueNoroff group, a known North Korean state-sponsored hacker cell. Huntress Labs also reported similar malware strains in June that bypassed Apple’s memory protections, a feat that once seemed unlikely on Macs.
Mac Users Are No Longer Safe From Crypto Threats
This incident debunks the long-standing myth that macOS is immune to malware, especially for high-value targets in the cryptocurrency ecosystem.
Blockchain security firm SlowMist also issued a warning this week about a massive phishing campaign using fake Firefox extensions to steal wallet credentials.
Conclusion: Vigilance Is Key for Crypto Firms
Crypto professionals—especially those using Apple devices—must remain vigilant. Avoid clicking unknown links, always verify Zoom or Google Meet sources, and regularly update security software.
Macs are now clearly in the crosshairs of sophisticated, crypto-focused cyber threats.

