A new strain of macOS malware, called NimDoor, is being used by North Korean hackers to attack Macs at companies in the crypto and Web3 industries. The cybersecurity firm SentinelLabs, which analysed it, found that the malware can steal personal and sensitive data from the victim’s computer.
How the Hack Works
The hackers first approach their targets through chat apps such as Telegram. Using social engineering, they pose as a friendly contact and invite the victim to a video call, arranged through scheduling tools like Calendly. They then send an email containing a fake “Zoom SDK update” that looks harmless but silently installs the NimDoor malware in the background.
Once installed, the malware:
- Steals browser data from Chrome, Firefox, Edge, Arc, and Brave
- Takes credentials from the iCloud Keychain (where macOS stores saved passwords)
- Collects Telegram user data
- Sends all this data to the hackers’ server
Hard to Remove
The malware is written in three languages – C++, Nim, and AppleScript. Using Nim helps it evade many security tools, because it is an uncommon language whose compiled binaries analysts and detection signatures are not used to seeing.
Even if the malware process is killed or the Mac is restarted, NimDoor reinstalls itself. It does this through what the researchers call a “signal-based persistence mechanism”: the process notices attempts to terminate it and responds by re-establishing itself, which keeps it active on the computer.
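To make the signal-based idea concrete from a responder's viewpoint, here is an added Python example; it is not code from the article or from SentinelLabs' analysis, and the two child programs in it are constructed for the demonstration. A process that traps SIGTERM survives an ordinary termination request, while SIGKILL, which cannot be caught or ignored, still ends it.

```python
"""Why a process that handles termination signals survives a plain `kill`."""
import os
import signal
import subprocess
import sys

# Constructed child program: installs a SIGTERM handler that does nothing,
# so the polite "please stop" request is swallowed instead of ending it.
TRAPPING_CHILD = r"""
import signal, time
signal.signal(signal.SIGTERM, lambda signum, frame: None)  # swallow SIGTERM
print("ready", flush=True)                                   # tell the parent we are armed
while True:
    time.sleep(0.1)
"""

# Constructed control child: no handler, so SIGTERM ends it normally.
PLAIN_CHILD = r"""
import time
print("ready", flush=True)
while True:
    time.sleep(0.1)
"""

def exits_within(proc, timeout=1.0):
    """Return True if proc ends within `timeout` seconds, else False."""
    try:
        proc.wait(timeout=timeout)
        return True
    except subprocess.TimeoutExpired:
        return False

def terminate_then_kill(proc):
    """Send SIGTERM first, escalate to SIGKILL; report which one worked."""
    os.kill(proc.pid, signal.SIGTERM)
    if exits_within(proc):
        return "SIGTERM"
    os.kill(proc.pid, signal.SIGKILL)   # cannot be caught, blocked or ignored
    return "SIGKILL" if exits_within(proc) else "neither"

def run_demo(trap_sigterm):
    """Start one of the constructed children and see what it takes to stop it."""
    source = TRAPPING_CHILD if trap_sigterm else PLAIN_CHILD
    proc = subprocess.Popen([sys.executable, "-c", source],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()              # wait for "ready": handler is installed
    result = terminate_then_kill(proc)
    proc.stdout.close()
    return result

if __name__ == "__main__":
    print("plain child ended by:", run_demo(trap_sigterm=False))
    print("trapping child ended by:", run_demo(trap_sigterm=True))
```

The lesson for incident responders follows from the article: since the malware reinstalls itself, removing the components that relaunch it matters more than the kill command, and the kill itself should not rely on a signal the process can intercept.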
What’s the Danger?
These attacks show that hackers, especially from North Korea, are using new tricks and coding languages to target crypto users. Their goal is to steal sensitive information and stay hidden for as long as possible.
The malware has especially focused on Web3 and cryptocurrency companies, where valuable digital assets and private keys are stored.
Security experts warn users to:
- Avoid opening links or updates from unknown sources
- Be careful with emails or messages asking to install software
- Keep antivirus tools updated to catch these new threats
Cyberattacks like these are getting more advanced, and users in the crypto space must stay alert.