North Korean threat actors have once again made headlines for their sophisticated cyber attacks targeting crypto businesses. According to a recent report by SentinelLabs, these threat actors have been using innovative techniques to infect Web3 and Crypto organizations with macOS malware designed to steal credentials.
The researchers at SentinelLabs provided an in-depth analysis of a series of attacks launched by Democratic People’s Republic of Korea (DPRK) threat actors in April 2025. North Korea-affiliated attackers have been linked to a number of major cryptocurrency heists in recent years, all in an effort to generate revenue for the Pyongyang regime. One notable incident occurred in February 2025, when the Lazarus Group, a DPRK-linked group, stole $1.4 billion worth of crypto from the ByBit exchange.
In their analysis, SentinelLabs researchers observed the attackers using social engineering techniques to gain initial access to their targets. Once inside, the threat actors deployed novel tactics, techniques, and procedures (TTPs) to achieve persistence and launch the Nim-based malware known as NimDoor. The use of the Nim programming language has become increasingly popular among macOS malware authors due to its unfamiliarity to analysts, making detection more challenging for defenders.
The attack chain used by the North Korean threat actors consisted of a mix of scripts and binaries written in AppleScript, C++, and Nim. This approach, combined with TLS-encrypted WebSocket (wss) connections for command-and-control traffic and the use of Unix signal handlers (signal interrupts) to survive termination, is designed to bypass security measures and evade detection. The researchers at SentinelLabs emphasized the importance of understanding lesser-known programming languages like Nim to defend against these types of attacks effectively.
The initial Nim attack chain observed in April began with a social engineering technique commonly used by DPRK actors, involving impersonation of a trusted contact over Telegram and a Zoom meeting invitation. The attackers sent an email containing a malicious AppleScript file that retrieved and executed a second-stage script from a command-and-control server, ultimately launching the core logic of the attack.
The multi-stage infection process for the NimDoor malware involved the deployment of various scripts and binaries written in different languages. Two Mach-O binaries were downloaded to initiate independent execution chains, leading to the installation of GoogIe LLC and CoreKitAgent on the victim’s system. These binaries were designed to achieve long-term access, recovery, and persistence for the threat actor, making it challenging for defenders to detect and remove the malware.
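The persistence component named above is spelled "GoogIe LLC" with a capital I standing in for the lowercase l of "Google", so a casual glance at a process list or LaunchAgents folder reads it as a legitimate vendor name. The following script is an added illustration of how a defender can catch that trick; it is not SentinelLabs' code, and the confusables table, the vendor allowlist and the sample item names are constructed assumptions rather than indicators from the report.

```python
"""Flag persistence-item names that mimic a trusted vendor with lookalike characters.

Added illustration, not SentinelLabs code. The confusables table and the vendor
allowlist are assumptions kept deliberately small; extend both for real use.
"""
import re

# Single characters folded to a common "skeleton" character (applied after lowercasing).
_SINGLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "$": "s"})
# Multi-character sequences that read as one letter in many fonts.
_MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed allowlist of vendor names a macOS persistence item might impersonate.
TRUSTED_VENDORS = ["google", "apple", "microsoft", "zoom"]

# Tokens are runs of letters, digits and the two symbols the table folds.
_TOKEN = re.compile(r"[A-Za-z0-9|$]+")


def skeleton(token: str) -> str:
    """Reduce a token to the shape a human reads, e.g. 'GoogIe' -> 'google'."""
    s = token.lower().translate(_SINGLE)
    for seq, rep in _MULTI:
        s = s.replace(seq, rep)
    return s


def find_lookalikes(names, vendors=TRUSTED_VENDORS):
    """Return (name, vendor) pairs where a token of `name` reads as a trusted vendor
    but is not actually spelled like it. Exact (case-insensitive) matches are benign."""
    vendor_by_skeleton = {skeleton(v): v for v in vendors}
    hits = []
    for name in names:
        for token in _TOKEN.findall(name):
            vendor = vendor_by_skeleton.get(skeleton(token))
            if vendor and token.lower() != vendor:
                hits.append((name, vendor))
                break  # one finding per item is enough
    return hits


# Constructed sample of names as they might appear in ~/Library/LaunchAgents or `ps`.
SAMPLE_ITEMS = [
    "GoogIe LLC",      # capital I in place of l, the spelling the report describes
    "Google Chrome",   # genuine vendor name, must not be flagged
    "CoreKitAgent",    # named in the report; mimics nothing in this allowlist
    "App1e Helper",    # constructed: digit 1 in place of l
    "zoom.us",         # genuine
    "Zoorn Updater",   # constructed: 'rn' in place of 'm'
]

if __name__ == "__main__":
    for name, vendor in find_lookalikes(SAMPLE_ITEMS):
        print(f"lookalike: {name!r} reads as {vendor!r}")
```

The check deliberately compares the visual skeleton rather than raw strings, so a genuine "Google Chrome" passes while "GoogIe LLC" is reported. Running it over the names of LaunchAgents, LaunchDaemons and login items gives a quick triage signal; confirming a finding still means inspecting the binary's code signature and the path it runs from.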
In conclusion, the report by SentinelLabs sheds light on the evolving tactics of North Korean threat actors and the importance of staying vigilant against cyber attacks targeting crypto businesses. By understanding the unique characteristics of malware like NimDoor and investing in efforts to defend against them, organizations can better protect themselves from sophisticated cyber threats.