North Korean hackers use fake Zoom updates to deliver ‘NimDoor’ macOS malware targeting crypto firms

A North Korean threat group is infecting Apple devices with a new computer virus called NimDoor to infiltrate cryptocurrency companies and steal wallet credentials, security firm SentinelLabs warned in a research report.

Attackers message targets on Telegram, a familiar social engineering tactic employed by cybercriminals. Hackers then organize a malicious meeting through Calendly and lure victims into downloading a bogus Zoom Update sideloaded with malware that runs without triggering Apple’s safety checks.

The implant stands out because it was written in Nim, a niche programming language rarely used in malware. SentinelLabs said Apple’s built-in protection signatures do not yet flag NimDoor, giving the backdoor a free pass onto macOS-powered machines. Once installed, it harvests browser passwords, Telegram databases, and crypto wallet files, then opens a login-item agent that reloads the malware and pulls follow-up payloads.

To address the issue, SentinelLabs urged crypto firms to block unsigned installer packages, verify Zoom updates only from zoom.us, and audit Telegram contact lists for new profiles that push executable files.

The warning adds to a growing DPRK playbook. Last week, Interchain Labs revealed Cosmos maintainers had unknowingly hired a North Korean developer, and U.S. prosecutors charged DPRK nationals with laundering more than $900,000 in stolen crypto via Tornado Cash. The U.S. Department of Justice says operatives posed as American citizens in several schemes to steal data from U.S. companies. TRM Labs estimates North Korea-linked groups siphoned $1.6 billion from web3 operators in the first half of 2025, led by February’s $1.5 billion Bybit breach. That's over 70% of all crypto losses in H1, according to the security startup.
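One way to enforce the "block unsigned installer packages" recommendation above on a macOS fleet, as an added example that is not code from SentinelLabs or The Block: the script runs `pkgutil --check-signature` on a downloaded `.pkg` and rejects it unless it carries a Developer ID Installer signature from an allowlisted Apple Team ID. The Team ID allowlist (`TEAMID0000`) and the sample pkgutil output embedded for offline testing are constructed assumptions; take the real Team ID from the vendor's own site and confirm the output format on your own machine.

```python
import re
import subprocess
from typing import Optional

# Assumption: Team IDs trusted to sign installer packages. "TEAMID0000" is a
# placeholder, not Zoom's real Team ID; take the real value from the vendor's site.
TRUSTED_TEAM_IDS = {"TEAMID0000"}

# Constructed samples of `pkgutil --check-signature` output (format assumed from
# typical macOS output; verify against a real package before relying on it).
SAMPLE_SIGNED = """Package "ZoomUpdate.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor, Inc. (TEAMID0000)
       Expires: 2027-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
SAMPLE_UNSIGNED = """Package "ZoomUpdate.pkg":
   Status: no signature
"""
# A validly signed package whose leaf certificate belongs to some other Team ID.
SAMPLE_WRONG_TEAM = SAMPLE_SIGNED.replace("TEAMID0000", "OTHERTEAM1")

SIGNER_RE = re.compile(r"Developer ID Installer: .*\(([A-Z0-9]{10})\)")


def signer_team_id(check_output: str) -> Optional[str]:
    """Return the Team ID on the Developer ID Installer leaf cert, or None if unsigned."""
    if "Status: no signature" in check_output:
        return None
    m = SIGNER_RE.search(check_output)
    return m.group(1) if m else None


def package_allowed(check_output: str) -> bool:
    """Policy: the package must be signed, and by a Team ID on the allowlist."""
    team = signer_team_id(check_output)
    return team is not None and team in TRUSTED_TEAM_IDS


def check_pkg(path: str) -> bool:
    """Run pkgutil on a real package (macOS only) and apply the policy."""
    proc = subprocess.run(["pkgutil", "--check-signature", path],
                          capture_output=True, text=True)
    return package_allowed(proc.stdout)


if __name__ == "__main__":
    import sys
    ok = check_pkg(sys.argv[1])
    print("ALLOW" if ok else "BLOCK", sys.argv[1])
    sys.exit(0 if ok else 1)
```

A package that is signed but by a Team ID outside the allowlist is blocked too, which is the case a lookalike "update" signed with a freshly obtained certificate would fall into.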