State-backed North Korean hackers have deployed a new malware family dubbed “NimDoor”, built specifically to infect Apple Mac computers used by individuals and organizations in the cryptocurrency trade.
The activity highlights the higher technical skills of cyber operators from the Democratic People’s Republic of Korea (DPRK), who are increasingly relying on the theft of digital assets as a source of state financing.
According to a report by cybersecurity firm Sentinel Labs, the attackers rely on social engineering, posing as legitimate contacts on Telegram, a messaging service popular among crypto professionals. Victims are lured into what appear to be business Zoom calls, with the invitations often sent as Google Meet links.
Once trust is established, the attackers send a disguised file posing as a Zoom update. When executed, the file installs NimDoor, giving the attackers full access to the machine.
Unlike most conventional malware, NimDoor is written in Nim, a relatively obscure programming language rarely used in malware construction. That obscurity is a stealth advantage: many standard security scanners fail to flag it.
When it is installed, the malware initiates a 10-minute delay to evade detection while executing its payload, which includes:
Such a level of infiltration allows attackers to control valuable assets in finance and communication, leaving crypto firms and traders highly vulnerable.
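Two behaviours in the attack chain described above are observable on an endpoint: a binary that calls itself a Zoom update but runs from outside the genuine Zoom install (or without Zoom's code signature), and a fixed ten-minute pause between installation and the first outbound connection. The following detection heuristic is an added example, not code from the Sentinel Labs report or from the article; the telemetry record format, the field names, the trusted install path and the expected signer string are all assumptions (the signer is a placeholder, not Zoom's real signing identity), and the sample events are constructed.

```python
"""
Detection heuristic for two behaviours of the NimDoor chain: a fake "Zoom update"
executed from an untrusted location, and a ~10-minute delay before first beacon.
Constructed example; event format, field names and the signer value are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: where a legitimate Zoom binary lives and who signs it.
# The signer string is a PLACEHOLDER, not Zoom's actual signing identity.
TRUSTED_ZOOM_PATH_PREFIX = "/Applications/zoom.us.app/"
EXPECTED_ZOOM_SIGNER = "EXPECTED-ZOOM-SIGNER-PLACEHOLDER"

# The article reports a 10-minute delay; allow a small tolerance around it.
DELAY_TARGET = timedelta(minutes=10)
DELAY_TOLERANCE = timedelta(seconds=30)


@dataclass
class Event:
    ts: datetime
    kind: str            # "exec" (process start) or "net" (outbound connection)
    pid: int
    path: str = ""       # exec: executable path
    signer: str = ""     # exec: code-signing identity from telemetry ("" = unsigned)
    dest: str = ""       # net: remote host


def looks_like_zoom(path):
    """True when the file name (not the directory) claims to be Zoom."""
    return "zoom" in path.rsplit("/", 1)[-1].lower()


def fake_update_alerts(events):
    """Flag exec events whose file name claims to be Zoom but which run from
    outside the trusted bundle or carry the wrong (or no) signer."""
    alerts = []
    for e in events:
        if e.kind != "exec" or not looks_like_zoom(e.path):
            continue
        trusted_path = e.path.startswith(TRUSTED_ZOOM_PATH_PREFIX)
        trusted_signer = e.signer == EXPECTED_ZOOM_SIGNER
        if not (trusted_path and trusted_signer):
            alerts.append((e.pid, e.path,
                           "zoom-named binary outside trusted bundle or wrongly signed"))
    return alerts


def delayed_beacon_alerts(events):
    """Flag processes whose first network connection happens roughly ten minutes
    after they started: a fixed sleep before beaconing is a classic way to outlast
    automated sandbox analysis."""
    start = {}
    first_net = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "exec":
            start.setdefault(e.pid, e.ts)
        elif e.kind == "net" and e.pid in start:
            first_net.setdefault(e.pid, e)
    alerts = []
    for pid, e in first_net.items():
        delay = e.ts - start[pid]
        if abs(delay - DELAY_TARGET) <= DELAY_TOLERANCE:
            alerts.append((pid, e.dest, f"first connection after {delay}"))
    return alerts


# Constructed telemetry: a genuine Zoom launch and a fake "update" run from Downloads.
T0 = datetime(2025, 7, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "exec", 101,
          path="/Applications/zoom.us.app/Contents/MacOS/zoom.us",
          signer=EXPECTED_ZOOM_SIGNER),
    Event(T0 + timedelta(seconds=2), "net", 101, dest="zoom.example"),  # constructed host
    Event(T0 + timedelta(minutes=1), "exec", 202,
          path="/Users/alice/Downloads/zoom_update", signer=""),
    Event(T0 + timedelta(minutes=11, seconds=3), "net", 202, dest="c2.invalid"),  # constructed host
]

if __name__ == "__main__":
    for alert in fake_update_alerts(SAMPLE_EVENTS) + delayed_beacon_alerts(SAMPLE_EVENTS):
        print(alert)
```

The genuine Zoom process (pid 101) produces no alert under either rule, while the file in Downloads (pid 202) trips both: it is unsigned and outside the application bundle, and its first connection lands ten minutes after it started. In practice the signer check should compare against the vendor's real Team ID as reported by the endpoint agent, and the delay window should be tuned to the environment rather than hard-coded.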
This campaign shows all the hallmarks of North Korea’s most notorious state-sponsored hacking unit, the Lazarus Group. The group, previously tied to the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack, is now applying its significant resources to the crypto industry.
The NimDoor malware demonstrates a calculated shift in the group’s tactics. By moving from its traditional Windows targets to macOS and using an obscure programming language like Nim, the attackers are deliberately targeting a new, high-value demographic and designing their tools to bypass conventional security measures.
The group’s focus on cryptocurrency has proven incredibly lucrative. The 2022 hack of the Ronin Bridge, attributed to Lazarus, resulted in the theft of approximately $620 million in a single incident.
What this shows is that North Korea now treats cybercrime as a core component of its state economy. The financial scale is staggering: in 2024 alone, North Korean hackers stole an estimated $1.34 billion worth of digital assets.
This figure represents nearly two-thirds of all cryptocurrency stolen globally that year. These are not random acts of cybercrime; they are state-directed operations with the primary goal of funding the nation’s sanctioned weapons and nuclear programs.
This reality has forced an international response. Governments, led by the U.S. Treasury, have begun sanctioning networks like the Cambodia-based Huione Group, which are believed to help launder the stolen assets. Crypto theft has officially become a geopolitical issue.
The sophistication of the NimDoor attack serves as a clear warning that baseline security is no longer adequate for anyone operating in the crypto space. The assumption that macOS is inherently safe is now a dangerous liability.
For organizations, this requires an immediate upgrade in defensive posture. The new minimum standard of operational security must include robust endpoint protection, frequent third-party audits, and rigorous, ongoing staff training on how to recognize phishing and impersonation tactics.
Ultimately, technology alone is not a complete solution. Basic human diligence—like questioning unsolicited contacts, verifying download sources, and using secure communication channels—remains a critical defense layer against the social engineering tactics that enable these attacks.
The threat has moved beyond generic malware. To survive, cryptocurrency firms must shift from a reactive to a proactive security model, anticipating and defending against targeted, platform-specific attacks.