Reported by The BlockL SentinelLabs warns that North Korean groups use an unusual NimDoor macOS backdoor, hidden in fake Zoom updates, to steal cryptocurrency wallet data and passwords.
The threat follows a string of DPRK exploits that have extracted over $1.6 billion from cryptocurrency firms in the first half of 2025, according to TRM Labs.
A North Korean threat group is infecting Apple devices with a new computer virus called NimDoor to infiltrate cryptocurrency companies and steal wallet credentials, security firm SentinelLabs warned in a research report.
Attackers message targets on Telegram, a familiar social engineering tactic employed by cybercriminals. Hackers then organize a malicious meeting through Calendly and lure victims into downloading a bogus Zoom Update sideloaded with malware that runs without triggering Apple’s safety checks.
The implant stands out because it was written in Nim, a niche programming language rarely used in malware. SentinelLabs said Apple’s built-in protection signatures do not yet flag NimDoor, giving the backdoor a free pass onto macOS-powered machines. Once installed, it harvests browser passwords, Telegram databases, and crypto wallet files, then opens a login-item agent that reloads the malware and pulls follow-up payloads.
To address the issue, SentinelLabs urged crypto firms to block unsigned installer packages, verify Zoom updates only from zoom.us, and audit Telegram contact lists for new profiles that push executable files.
The warning adds to a growing DPRK playbook. Last week, Interchain Labs revealed Cosmos maintainers had unknowingly hired a North Korean developer, and U.S. prosecutors charged DPRK nationals with laundering more than $900,000 in stolen crypto via Tornado Cash. The U.S. Department of Justice says operatives posed as American citizens in several schemes to steal data from U.S. companies. TRM Labs estimates North Korea-linked groups siphoned $1.6 billion from web3 operators in the first half of 2025, led by February’s $1.5 billion Bybit breach. That’s over 70% of all crypto losses in H1, according to the security startup.
