North Korean hackers are now targeting Mac users in the cryptocurrency sector with a new type of malware: The NimDoor attack can steal your crypto wallets, passwords, and even decrypted Telegram chats.
North Korean hackers have developed new Mac malware, dubbed “NimDoor,” built specifically to compromise Apple computers and steal cryptocurrency assets. These organized, targeted attacks threaten anyone working on crypto projects, and they put to rest the old belief that macOS is not worth the attention of targeted cybercrime: the security landscape for Mac users has fundamentally changed.
In This Article:
- Attackers disguise themselves as trusted contacts and deliver Mac malware through fake Zoom updates on messaging apps.
- NimDoor uses a rare programming language, Nim, making Mac malware harder to detect and more dangerous than ever.
- The Mac malware quietly steals crypto wallets, browser credentials, and even your encrypted Telegram data before sending it to North Korean servers.
- State-backed North Korean hacker groups are now focused on Mac malware to steal digital assets from crypto companies and users globally.
Attackers disguise themselves as trusted contacts and deliver Mac malware through fake Zoom updates on messaging apps.
According to researchers at SentinelLabs (SentinelOne’s research arm), the attackers use social engineering to pose as people the victims already know, especially on messaging apps such as Telegram. They lure victims into a fake Zoom meeting and then ask them to install what is presented as a harmless Zoom update. That file is in fact the NimDoor installer, and running it starts the attack on the victim’s system. The tell is the delivery channel: genuine Zoom updates come from the Zoom client itself or from zoom.us, never as a file handed over in a chat.
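As a concrete check for the delivery step described above, here is an added example (not code from the article, from SentinelLabs or from Zoom) that triages a file handed over as a “Zoom update” before anyone runs it. It assumes a macOS host with codesign available and that the operator supplies the Team ID read from a known-good Zoom install (codesign -dv --verbose=4 /Applications/zoom.us.app); the file-type classification and the hypothetical path used in the usage line are this example’s own assumptions.

```python
"""Triage a file that arrived as a "Zoom update" before running it.

Added example, not code from the article or from SentinelLabs. Assumes a macOS
host with `codesign` on PATH and that the expected Team ID is read by the
operator from a known-good Zoom install
(`codesign -dv --verbose=4 /Applications/zoom.us.app`).
"""
import subprocess
import sys
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def classify_header(head: bytes) -> str:
    """Classify a file by its first bytes: 'macho', 'script', 'zip' or 'other'."""
    if head[:4] in MACHO_MAGICS:
        return "macho"
    # "#!" covers shell/osascript text scripts; "FasdUAS" is a compiled AppleScript.
    if head.startswith(b"#!") or head.startswith(b"FasdUAS"):
        return "script"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    return "other"


def parse_codesign(output: str) -> dict:
    """Turn `codesign -dv --verbose=4` output (written to stderr) into key/value pairs."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(kind: str, fields: dict, expected_team_id: str) -> tuple:
    """Decide whether the artefact looks like a legitimately signed Zoom update."""
    if kind == "script":
        return False, "a Zoom update is a signed app bundle or installer, not a script"
    if kind not in ("macho", "bundle"):
        return False, "unexpected file type: " + kind
    team = fields.get("TeamIdentifier", "not set")
    if team != expected_team_id:
        return False, "signed by TeamIdentifier %r, expected %r" % (team, expected_team_id)
    return True, "signed by the expected TeamIdentifier " + team


def check_update(path: str, expected_team_id: str) -> tuple:
    """Classify the artefact, ask codesign about it and return (ok, reason)."""
    p = Path(path)
    if p.is_dir():                      # an .app bundle is a directory
        kind = "bundle"
    else:
        with open(p, "rb") as fh:
            kind = classify_header(fh.read(8))
    # An unsigned object makes codesign print "code object is not signed at all"
    # with no TeamIdentifier line, so the parse yields no team and assess() rejects it.
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", str(p)],
                          capture_output=True, text=True)
    return assess(kind, parse_codesign(proc.stderr), expected_team_id)


if __name__ == "__main__":
    # e.g. python3 check_zoom_update.py ~/Downloads/ZoomUpdate.app <TeamID>  (hypothetical path)
    ok, reason = check_update(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + reason)
    sys.exit(0 if ok else 1)
```

A matching Team ID is necessary, not sufficient: a Developer ID certificate can be stolen or fraudulently obtained, so the check rules out the obvious cases (a script posing as an update, an unsigned or differently signed binary) but does not replace the rule of only updating Zoom through the client or zoom.us.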
NimDoor uses a rare programming language, Nim, making Mac malware harder to detect and more dangerous than ever.
What makes this Mac malware harder to deal with is its use of the Nim programming language. Nim compiles to native, self-contained executables for macOS, Windows and Linux from a single code base, so one set of tooling serves every platform. Because comparatively little malware has been written in Nim, antivirus signatures and analysts’ reverse-engineering tooling are less tuned to the binaries it produces, which lets samples go unrecognised for longer. That is a head start rather than invisibility: detection based on what the malware does on the host (reading credential stores, contacting its command server) does not depend on the language it was written in.
The Mac malware quietly steals crypto wallets, browser credentials, and even your encrypted Telegram data before sending it to North Korean servers.
Once installed, NimDoor silently collects browser passwords, system credentials and even Telegram chat data, using scripts to access and decrypt Telegram’s encrypted local database. It first waits about 10 minutes, a delay intended to sidestep automated analysis and avoid immediate alerts, then sends everything it has gathered straight to the attackers’ remote servers. By that point the malware has also captured screenshots, keystrokes and whatever was copied to the clipboard.
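To make the theft behaviour described above detectable rather than just describable, here is an added example (not code from the article or from SentinelLabs) of host-side detection logic. It runs over a constructed feed of file-open and network-connect events, flags any process other than the owning application that reads a browser credential store or Telegram’s local data directory, and then flags that same process’s first outbound connection. The event field names, the expected-reader table and the sample paths are this example’s own assumptions.

```python
"""Flag processes that read browser or Telegram credential stores and then talk out.

Added example, not from the article or from SentinelLabs. The events below are
constructed to resemble a minimal endpoint telemetry feed; the field names, the
expected-reader table and the sample paths are assumptions of this example.
"""
from collections import defaultdict

# Path fragment of each sensitive store -> process names expected to read it.
# (assumption: adjust to the browsers and Telegram build actually deployed)
EXPECTED_READERS = {
    "Google/Chrome/": {"Google Chrome", "Google Chrome Helper"},
    "BraveSoftware/Brave-Browser/": {"Brave Browser", "Brave Browser Helper"},
    "Firefox/Profiles/": {"firefox"},
    "Telegram Desktop/tdata": {"Telegram"},
}
# File or directory names inside those stores that hold credentials or session keys.
SENSITIVE_NAMES = ("Login Data", "Cookies", "logins.json", "key4.db", "tdata")


def sensitive_store(path):
    """Return (store fragment, expected readers) if path is a credential store, else None."""
    for fragment, readers in EXPECTED_READERS.items():
        if fragment in path and any(name in path for name in SENSITIVE_NAMES):
            return fragment, readers
    return None


def detect(events):
    """Walk events in time order; return alerts as (ts, process, pid, message) tuples."""
    alerts = []
    suspects = defaultdict(set)   # pid -> stores it read without being an expected reader
    for ev in events:
        if ev["op"] == "open":
            hit = sensitive_store(ev["path"])
            if hit and ev["process"] not in hit[1]:
                suspects[ev["pid"]].add(hit[0])
                alerts.append((ev["ts"], ev["process"], ev["pid"], "reads " + ev["path"]))
        elif ev["op"] == "connect" and ev["pid"] in suspects:
            # Exfiltration stage: the same process opens a connection after the reads.
            alerts.append((ev["ts"], ev["process"], ev["pid"],
                           "outbound to %s after reading %s"
                           % (ev["dst"], sorted(suspects[ev["pid"]]))))
    return alerts


# Constructed sample: Chrome reading its own store is normal; a shell (pid 777)
# reading Chrome's and Telegram's stores and then connecting out is the pattern to catch.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 501, "process": "Google Chrome", "op": "open",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": 2, "pid": 777, "process": "bash", "op": "open",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": 3, "pid": 777, "process": "bash", "op": "open",
     "path": "/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas"},
    {"ts": 4, "pid": 777, "process": "bash", "op": "open",
     "path": "/Users/alice/Documents/notes.txt"},
    {"ts": 5, "pid": 501, "process": "Google Chrome", "op": "connect", "dst": "198.51.100.20:443"},
    {"ts": 6, "pid": 777, "process": "bash", "op": "connect", "dst": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for ts, proc, pid, msg in detect(SAMPLE_EVENTS):
        print("t=%d %s[%d]: %s" % (ts, proc, pid, msg))
```

In practice the events come from the macOS Endpoint Security framework or an EDR agent, and the reader table has to be tuned to the actual helper-process names on the fleet. Because the malware sleeps for roughly ten minutes before acting, the correlation between the file reads and the outbound connection should not be limited to a window of seconds.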
State-backed North Korean hacker groups are now focused on Mac malware to steal digital assets from crypto companies and users globally.
These attacks don’t come out of nowhere. Security firms like SlowMist and Huntress have linked similar malware, named CryptoBot, to state-sponsored North Korean attackers—including the notorious BlueNoroff group. With dozens of fake browser extensions targeting crypto wallets, it’s now clear that macOS is firmly in the crosshairs for these highly skilled threat actors chasing digital wealth.