North Korean hackers have launched a new attack using NimDoor malware targeting macOS crypto firms.
What is NimDoor?
NimDoor is a new malware that disguises itself as Zoom updates and spreads through Telegram messages and email invites. Victims receive a fake Calendly link that downloads an AppleScript file padded with thousands of blank lines to hide its code. When executed, the script installs NimDoor onto the device.
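The blank-line padding described above is itself a detectable artifact. The following is an added example (not code from the article or from any analysed sample): a defender-side heuristic that scans a script's text for a large run of leading blank lines or an extreme blank-to-code ratio before the first real statement. The thresholds and both sample scripts are constructed assumptions.

```python
"""Heuristic check for script files padded with blank lines to hide code.

Added example for illustration; thresholds and inputs are constructed.
"""
from typing import NamedTuple, Optional

# Constructed thresholds (assumptions; tune for your environment).
MIN_LEADING_BLANKS = 500    # suspicious if this many empty lines precede code
MAX_BLANK_RATIO = 0.95      # suspicious if more than 95% of lines are empty


class PaddingReport(NamedTuple):
    total_lines: int
    blank_lines: int
    leading_blanks: int
    first_code_line: Optional[int]  # 1-based line of first non-blank text
    suspicious: bool


def analyze_padding(text: str) -> PaddingReport:
    """Count blank-line padding and flag layouts that look like hiding."""
    lines = text.splitlines()
    blank_flags = [not line.strip() for line in lines]
    blank_count = sum(blank_flags)
    # Length of the run of empty lines before the first statement.
    leading = 0
    for is_blank in blank_flags:
        if not is_blank:
            break
        leading += 1
    first_code = leading + 1 if leading < len(lines) else None
    ratio = blank_count / len(lines) if lines else 0.0
    suspicious = first_code is not None and (
        leading >= MIN_LEADING_BLANKS or ratio > MAX_BLANK_RATIO
    )
    return PaddingReport(len(lines), blank_count, leading, first_code, suspicious)


# Constructed sample inputs: a short ordinary script and a padded one.
BENIGN_SCRIPT = (
    'display dialog "Meeting starts soon"\n'
    "\n"
    'tell application "Zoom" to activate\n'
)
PADDED_SCRIPT = "\n" * 3000 + 'display notification "constructed sample"\n'

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SCRIPT), ("padded", PADDED_SCRIPT)):
        r = analyze_padding(src)
        print(f"{name}: lines={r.total_lines} blank={r.blank_lines} "
              f"leading={r.leading_blanks} first_code={r.first_code_line} "
              f"suspicious={r.suspicious}")
```

Run it over text-form .applescript files dropped by mail or chat clients; compiled .scpt files need decompiling with osadecompile first.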
How NimDoor Stays Hidden
The main threat of NimDoor is its stealth. It’s written in Nim, a rarely used programming language, helping the code evade traditional security analysis. Once installed, NimDoor injects itself into other processes, uses encrypted WebSocket channels for communication, and resists deletion by reinstalling itself if terminated. It also includes a beaconing system via AppleScript, pinging command servers every 30 seconds.
What NimDoor Steals
NimDoor's main goal is to steal sensitive data from crypto companies. It collects:
* Browser passwords from Chrome, Brave, Firefox, and more.
* macOS Keychain contents, including saved credentials.
* Local Telegram databases and encryption keys.
* Terminal command history and system information.
This gives attackers the ability to compromise crypto wallets, hijack Telegram accounts, and steal business-critical data, all while staying under the radar.
The NimDoor malware attack emphasizes the importance of using reliable sources for software updates and regularly monitoring systems for suspicious applications and activity.