
Malicious North Korean Hackers Deploy NimDoor Malware Against Apple Gadgets

North Korean hackers, using sophisticated malware aimed at crypto companies, bypass Apple's security measures to pilfer data from digital wallets.

North Korean cybercriminals employ NimDoor malware to infiltrate Apple gadgets.


The NimDoor malware, a new threat in the cybersecurity landscape, has been deployed by North Korean threat actors to infiltrate Apple devices, primarily targeting cryptocurrency companies. The malware, which uses the Nim programming language, is rarely seen targeting macOS, making it a notable addition to the cybersecurity community's radar.

The malware is primarily distributed through malicious application installers, often disguised as legitimate software, that are shared on platforms like Baidu Netdisk, WeChat, and USB drives. Once installed, NimDoor employs advanced techniques to establish persistence and covert remote access on macOS systems.

One of the malware's detection-evasion tactics is delayed activation: NimDoor waits ten minutes before executing its operations, which lets it slip past many security scanners that only watch the first moments after launch. It also uses multi-stage loaders and reflective DLL loading with XOR decryption, and disguises its processes as legitimate system binaries to avoid detection.
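The process disguise described above can be checked for on a host by comparing each running process's executable name with the directory it was launched from. This is an added example, not code from the article or from SentinelLabs; the system-directory list, the system-binary-name list and the sample `ps -axo pid=,args=` output are constructed assumptions.

```python
import posixpath

# Directories where genuine macOS system binaries live (assumption: stock layout).
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec", "/System")
# Real system binary names a disguised process might borrow (constructed, partial).
SYSTEM_BINARY_NAMES = {"launchd", "syslogd", "cfprefsd", "distnoted", "configd", "mdworker"}


def is_system_path(path):
    """True if the executable lives under one of the stock system directories."""
    return any(path == d or path.startswith(d + "/") for d in SYSTEM_DIRS)


def parse_ps_line(line):
    """Parse one `ps -axo pid=,args=` line into (pid, argv[0], remaining args).
    Caveat: argv[0] is split on whitespace, so an executable path containing
    spaces would be truncated; confirm such hits with `lsof -p PID`."""
    parts = line.split(None, 2)
    return int(parts[0]), parts[1], (parts[2] if len(parts) > 2 else "")


def find_masquerading(ps_lines):
    """Return (pid, name, path) for processes that carry a system binary's
    name but were started from outside the system directories."""
    hits = []
    for line in ps_lines:
        if not line.strip():
            continue
        pid, exe, _ = parse_ps_line(line)
        if "/" not in exe:
            continue  # bare argv[0] with no path: origin unknown, not judged here
        name = posixpath.basename(exe)
        if name in SYSTEM_BINARY_NAMES and not is_system_path(exe):
            hits.append((pid, name, exe))
    return hits


# Constructed sample of `ps -axo pid=,args=` output: PIDs 2044 and 2051 mimic the
# disguise described in the article; the other entries are legitimate.
SAMPLE_PS = """\
    1 /sbin/launchd
  412 /usr/sbin/syslogd
  913 /usr/libexec/mdworker_shared -s mdworker
 2044 /Users/alice/Library/Caches/.nd/distnoted
 2051 /private/tmp/.x/launchd --install
 2070 launchd
""".splitlines()

if __name__ == "__main__":
    for pid, name, path in find_masquerading(SAMPLE_PS):
        print(f"pid {pid}: '{name}' running from non-system path {path}")
```

On a live machine, feed the output of `ps -axo pid=,args=` into `find_masquerading` and treat each hit as a lead to verify rather than a verdict, since legitimate third-party software occasionally reuses system binary names.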

NimDoor's malicious payload includes a script that targets Telegram, extracting both the encrypted local database and the corresponding decryption keys. The malware also includes a credential-stealing component that discreetly harvests browser and system-level data, bundles the information, and transmits it to the attackers.

The malware's primary objective is to steal data from crypto wallets, browsers, and even Telegram. This approach allows the North Korean-linked group to quietly compromise Apple systems within cryptocurrency companies, extract sensitive credentials and wallet data, and carry out long-term espionage without raising immediate suspicion.

Researchers at cybersecurity firm SentinelLabs have uncovered a new social engineering tactic used by North Korean threat actors in this campaign. The attack involves social engineering on platforms like Telegram, leading victims to download a fake Zoom update that installs malware.

The shift toward using Nim provides a strategic advantage due to its cross-platform capabilities, allowing for a single malware strain to run on Windows, Linux, and macOS without modification. This versatility makes NimDoor a potent threat in the ever-evolving landscape of cyberattacks.

Binance's report (July 7, 2025) confirms NimDoor specifically targets Apple devices by exploiting such infection chains and stealth techniques to infiltrate cryptocurrency-related firms. The avoidance of traditional antivirus detection through obfuscation and reflective loading is integral to NimDoor's success in these campaigns.

In summary, the NimDoor malware infiltrates Apple devices used by cryptocurrency companies through disguised application installers, uses DLL hijacking and encrypted reflective loading to evade detection, and establishes persistent, covert control to steal crypto assets and credentials. Users are advised to exercise caution when downloading and installing software, especially from unfamiliar sources, and to keep their systems updated with the latest security patches.

The malware is also distributed through digital sources like magazine articles and websites, camouflaged as informative content or useful tools to trick unwary viewers into downloading and installing it.

To increase its reach and evade detection, NimDoor is becoming increasingly adaptable, infiltrating not only Apple devices but also Windows and Linux systems, thanks to its use of the Nim programming language.
