North Korean Hackers Deploy Nim-Based Mac Malware in Crypto Industry Attack
Published at: July 3, 2025 20:24
A North Korea-linked cyber threat group has launched a new macOS-targeting malware called NimDoor, compiled using the relatively obscure Nim programming language, according to a SentinelLabs report. This sophisticated attack specifically targets Web3 and cryptocurrency companies.
The malware leverages Nim's ability to execute code at compile time, producing hybrid binaries that mix runtime functionality with malicious logic, a technique that significantly complicates reverse engineering and detection. NimDoor was first observed in April 2025 in an attack on a cryptocurrency startup; security researchers have since confirmed similar incidents across the industry.
The attack chain begins with social engineering via Telegram, where victims receive meeting invitations through Calendly. Subsequent emails contain Zoom links that actually deliver an AppleScript masquerading as a Zoom SDK update. The script retrieves secondary payloads from attacker-controlled servers before deploying two Mach-O binaries for persistent system access.
This campaign represents the latest evolution of North Korea's cyber warfare tactics, which increasingly utilize less common programming languages like Nim, Go, Rust, and Crystal to bypass traditional security measures. The strategy aligns with Pyongyang's broader pattern of cryptocurrency-focused cyber operations, which have reportedly netted over $1.3 billion in 2024 alone.
The revelation follows recent international efforts to combat North Korea's cybercrime operations, including a May 2025 pledge between South Korea and the EU for enhanced cooperation. The U.S. Department of Justice has also taken action, charging four North Korean operatives just days ago for stealing $900,000 through a sophisticated IT worker impersonation scheme targeting blockchain companies.