North Korean Hackers Target Web3 Startups with Malware Tactics

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 2 min read

North Korean Hackers Target Web3 Startups with NimDoor Malware

North Korean hackers are employing sophisticated tactics to target Web3 and cryptocurrency companies using malicious software known as NimDoor. This malware is a macOS backdoor that poses as a fake Zoom update, tricking victims into installing it. The technique involves phishing links distributed via Calendly and Telegram that lure users into downloading the malware. The malware is designed to steal sensitive data such as browser history and Keychain credentials.

North Korea hackers

Image courtesy of Security Affairs

“DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses,” states the analysis published by SentinelOne. The malware employs encrypted communications and is capable of reinfection if killed, mimicking legitimate AppleScript tools to avoid detection.

Attack Mechanism of NimDoor

The attack chain starts with fake Zoom invitations sent via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt,” which is padded with 10,000 lines of whitespace to obscure its malicious intent. This script downloads a second-stage payload from a lookalike domain that mimics legitimate Zoom URLs.

The attackers utilize two Mach-O binaries—one named ‘a’ written in C++ and another called ‘installer’ compiled from Nim. The first binary decrypts malware for data theft, while the second ensures persistence by deploying deceptive Nim binaries.

Hacker in a dark hoody

Image courtesy of CSO Online

“This kind of process injection technique is rare in macOS malware and requires specific entitlements to be performed,” according to researchers. The two payloads maintain persistence by handling termination signals, allowing the malware to redeploy core components.

Multi-Stage Infection Process

The infection process is multi-staged, initially involving a benign file that is executed to disguise the malicious activities. The second Mach-O binary, ‘installer,’ drops additional payloads written in Nim, setting up persistence on infected systems. These include scripts designed to exfiltrate data from browsers and applications like Telegram.

“Earlier this year, we saw threat actors utilizing Nim as well as Crystal,” the SentinelOne researcher notes. “We expect the choice of less familiar languages to become an increasing trend among macOS malware authors due both to their technical advantages and their unfamiliarity to analysts.”

Understanding these unique attack vectors is crucial for organizations in the Web3 and crypto sectors as they navigate the evolving threat landscape. For those interested in protecting their assets and infrastructure, exploring advanced cybersecurity solutions can be a strategic move.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article