- By using Nim, criminals can evade traditional AV measures
- They approach their victims on Telegram and invite them to a Zoom meeting
- The malware steals confidential data and cryptographic tokens
North Koreans are targeting Mac users with new malware in an attempt to steal cryptocurrency and other confidential data, experts have warned.
SentinelLabs security researchers discovered NimDoor, a unique backdoor malware written in a lesser-known programming language called Nim. They attributed it to North Korean state-sponsored adversaries who engage mainly in cryptocurrency theft, the proceeds of which are then used to finance both the state apparatus and its weapons program.
Nim is used primarily to evade detection. The backdoor also uses AppleScript for sleep timers and asynchronous sleep, evading traditional security measures and maintaining persistence.
Alarming evolution
The attack usually begins on Telegram, where victims are approached by a seemingly trustworthy contact and invited to a fake Zoom meeting.
The link redirects the victim to a counterfeit Zoom page that urges them to install an update in order to join the call. Instead of the update, the victims receive the malicious payload, which steals all types of confidential data, from browsing history, search activity, cookies, and Telegram data to Keychain passwords.
“This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote work trend and the lesser perceived vulnerability of Mac users to such attacks,” the researchers explained.
North Korean state-sponsored threat actors are known for their campaigns aimed at cryptocurrency and Web3 companies. Among the largest and most dangerous groups is Lazarus, a threat actor that stole more than $3.4 billion in different attacks between 2021 and 2025.
Among the largest heists is the Bybit attack of February 2025, when approximately $1.5 billion was stolen in different tokens. Ronin Bridge was compromised in March 2022 for $600 million, while Poly Network lost approximately the same amount of money the previous year.