North Korean hackers target Mac users with devious new malware


  • By writing the malware in Nim, the attackers evade traditional antivirus detection
  • They approach their victims on Telegram and invite them to a Zoom meeting
  • The malware steals sensitive data and crypto tokens

North Korean state-sponsored hackers are targeting Mac users with brand new malware in an attempt to steal cryptocurrency and other sensitive data, security researchers have warned.

Security researchers from SentinelLabs discovered NimDoor, a backdoor written in the relatively obscure programming language Nim. They attributed it to North Korean state-sponsored adversaries engaged primarily in cryptocurrency theft, the proceeds of which fund both the regime's state apparatus and its weapons program.

Nim was chosen first and foremost to evade detection: malware written in a rarely used language is less likely to match existing antivirus signatures and analysis tooling. The backdoor also beacons via AppleScript and uses asynchronous sleep timers, both of which help it slip past traditional security tooling and stay resident on the machine.

Alarming evolution

The attack usually starts on Telegram, where victims are approached by a seemingly trusted contact and invited to a fake Zoom meeting.

The link redirects the victim to a spoofed Zoom page that prompts them to install an update in order to join the call. Instead of an update, the victim receives the malicious payload, which steals a broad range of sensitive data: browsing history, search activity, cookies, Telegram data, and Keychain passwords.
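A practical check against this lure, written here as an added example and not taken from the article or from SentinelLabs' research: before running anything presented as a Zoom update, confirm that the installer package or app bundle is signed by Zoom's Developer ID rather than ad-hoc signed or unsigned. The script below wraps Apple's own `pkgutil --check-signature` and `codesign -dvv` tools, parses their output, and compares the signer's Team ID against an expected value. The Team ID constant and the two sample tool outputs are assumptions constructed for the example (the ad-hoc sample is not a capture of NimDoor); confirm the Team ID against a genuine Zoom install on your own machine before relying on it.

```python
"""Verify that a macOS 'Zoom update' is really signed by Zoom before running it.

Added example, not code from the article or from SentinelLabs. Runs Apple's
pkgutil / codesign and checks the signer's Team ID. macOS only for the live
check; the parsers and assess() work anywhere, on captured tool output.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: Team ID of a known-good Zoom install. Confirm it yourself with
#   codesign -dvv /Applications/zoom.us.app     (look for TeamIdentifier=...)
EXPECTED_TEAM_ID = "BJ4HAAB9B3"


@dataclass
class SigningInfo:
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)
    notarized: bool = False
    status: str = ""          # "adhoc", "unsigned", or pkgutil's Status: text


def parse_codesign(text: str) -> SigningInfo:
    """Parse the key=value lines that `codesign -dvv <bundle>` writes to stderr."""
    info = SigningInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1]
            info.team_id = None if value == "not set" else value
        elif line.startswith("Authority="):
            info.authorities.append(line.split("=", 1)[1])
        elif line.startswith("Signature="):            # e.g. "Signature=adhoc"
            info.status = line.split("=", 1)[1]
        elif "not signed at all" in line:
            info.status = "unsigned"
    return info


def parse_pkgutil(text: str) -> SigningInfo:
    """Parse `pkgutil --check-signature <pkg>` output for a flat installer package."""
    info = SigningInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            info.status = line.split(":", 1)[1].strip()
        elif line.startswith("Notarization:"):
            info.notarized = "trusted by the Apple notary service" in line
        else:
            # Leaf cert line looks like: "1. Developer ID Installer: Vendor (TEAMID1234)"
            m = re.match(r"\d+\.\s+(Developer ID Installer: .*?) \(([A-Z0-9]{10})\)$", line)
            if m:
                info.authorities.append(m.group(1))
                info.team_id = m.group(2)
    return info


def assess(info: SigningInfo, expected_team_id: str = EXPECTED_TEAM_ID) -> List[str]:
    """Return the reasons to distrust the artifact; an empty list means it passed."""
    problems = []
    if info.status in ("unsigned", "adhoc") or info.status.startswith("no signature"):
        problems.append(f"not signed by a Developer ID ({info.status})")
    if info.team_id is None:
        problems.append("no Team ID in signature")
    elif info.team_id != expected_team_id:
        problems.append(f"Team ID {info.team_id} != expected {expected_team_id}")
    if not any(a.startswith("Developer ID") for a in info.authorities):
        problems.append("leaf certificate is not a Developer ID certificate")
    return problems


def check_path(path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> List[str]:
    """Run the right Apple tool for a .pkg or .app and assess its signature (macOS only)."""
    if path.endswith(".pkg"):
        out = subprocess.run(["pkgutil", "--check-signature", path],
                             capture_output=True, text=True).stdout
        return assess(parse_pkgutil(out), expected_team_id)
    out = subprocess.run(["codesign", "-dvv", path],
                         capture_output=True, text=True).stderr
    return assess(parse_codesign(out), expected_team_id)


# Constructed sample outputs for offline use (not captured from real malware).
GENUINE_PKG = """Package "ZoomInstaller.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Zoom Video Communications, Inc. (BJ4HAAB9B3)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

ADHOC_APP = """Executable=/Volumes/Update/zoom_update
Identifier=zoom_update
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
"""

if __name__ == "__main__":
    print("genuine pkg:", assess(parse_pkgutil(GENUINE_PKG)) or "OK")
    print("ad-hoc binary:", assess(parse_codesign(ADHOC_APP)))
```

Run it as `python3 check_update.py` to see the two constructed samples assessed, or call `check_path("/path/to/ZoomInstaller.pkg")` on a real download. A passing Team ID check is necessary but not sufficient: `spctl --assess --type install <pkg>` remains the authoritative Gatekeeper and notarization verdict, and a genuine Zoom client updates itself from within the app, so any browser page insisting on an update to join a call is itself a red flag.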

“This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote-working trend and Mac users' perceived lower vulnerability to such attacks,” the researchers explained.

North Korean state-sponsored threat actors are known for campaigns targeting cryptocurrency and Web3 companies. Among the biggest and most dangerous groups is Lazarus, a threat actor that netted more than $3.4 billion across various attacks between 2021 and 2025.


Among the biggest heists is the Bybit attack of February 2025, in which the group stole approximately $1.5 billion in various tokens. Ronin Bridge was compromised in March 2022 for roughly $600 million, and Poly Network lost a similar amount the year before.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
