N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates

A new report from SentinelLabs, released on July 2, 2025, reveals a sophisticated cyberattack campaign targeting Web3 and cryptocurrency companies. Threat actors aligned with North Korea are aggressively exploiting macOS systems with a newly discovered malware called NimDoor, utilizing complex, multi-stage attacks and encrypted communications to remain undetected.

The research, authored by Phil Stokes and Raffaele Sabato and shared with Hackread.com, highlights the attackers’ shift towards less common, cross-platform programming languages like Nim. This change complicates efforts to detect and analyse their malicious activities.

The group also uses AppleScript in clever ways, not just for the initial breach but also as simple, hard-to-spot backdoors. Their methods show a clear improvement in staying hidden and persistent, including using encrypted WebSocket (wss) communication and unusual ways to maintain access even after malware is supposedly shut down.

How the Attacks Work

The attacks begin with a familiar social engineering trick: hackers pretend to be trusted contacts on platforms like Telegram and invite targets to fake Zoom meetings. They then send emails carrying a malicious Zoom SDK update script that is designed to look legitimate but is in fact padded with thousands of lines of obfuscated code. This script downloads further malicious programs from attacker-controlled websites, which often use names similar to real Zoom domains to fool users.

The fake Zoom update notification (Credit: SentinelLabs)

Once inside, the infection process becomes multi-layered. The hackers deploy several tools, including a C++ program that injects malicious code into legitimate processes, a rare technique for macOS malware. This allows them to steal sensitive data like browser information, Keychain passwords, shell history, and Telegram chat histories.

According to SentinelLabs’ blog post, they also install the Nim-compiled ‘NimDoor’ malware, which sets up long-term access. This includes a component named “GoogIe LLC” (note the deceptive capital ‘i’ instead of a lowercase ‘L’), which helps the malware blend in. Interestingly, the malware includes a unique feature that triggers its main components and ensures continued access if a user tries to close it or the system reboots.
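The "GoogIe LLC" name is a look-alike (homoglyph) substitution. As an added example that is not from the SentinelLabs report or this article, the Python below folds commonly swapped characters in persistence item names and flags any name that collapses to a known vendor name without being spelled as one; the brand list and sample labels are constructed for illustration.

```python
"""Flag persistence item names that impersonate a vendor via look-alike characters."""
import re
import unicodedata

# Look-alike glyphs and the letter they are typically standing in for.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "4": "a", "@": "a"}
# Two-character sequences that visually resemble a single letter.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
# Constructed sample of vendor names an attacker might mimic (assumption, not from the report).
KNOWN_BRANDS = ("google", "zoom", "apple", "microsoft")


def canonical(token: str) -> str:
    """Fold a token to the form a reader would perceive it as."""
    folded = unicodedata.normalize("NFKC", token)          # fullwidth/compat forms -> ASCII
    out = "".join(CONFUSABLES.get(ch, ch.lower()) for ch in folded)
    for pair, letter in MULTI_CONFUSABLES.items():
        out = out.replace(pair, letter)
    return out


def find_impersonation(name: str, brands=KNOWN_BRANDS):
    """Return (token, brand) pairs where a token reads as a brand but is not spelled as one."""
    hits = []
    for token in filter(None, re.split(r"[\s.\-_]+", name)):
        plain = token.lower()                              # what is literally written
        canon = canonical(token)                           # what the eye sees
        for brand in brands:
            if canon == canonical(brand) and plain != brand:
                hits.append((token, brand))
    return hits


# Constructed sample labels (not real indicators): one legitimate, two look-alikes.
SAMPLE_LABELS = ["com.apple.Safari", "GoogIe LLC", "com.zoorn.updater"]


def scan(labels, brands=KNOWN_BRANDS):
    """Map each suspicious label to the impersonation evidence found in it."""
    report = {}
    for label in labels:
        hits = find_impersonation(label, brands)
        if hits:
            report[label] = hits
    return report


if __name__ == "__main__":
    for label, hits in scan(SAMPLE_LABELS).items():
        print(f"{label!r}: {hits}")
```

In practice the labels would come from LaunchAgent/LaunchDaemon plists or a process list, and a hit is a triage lead rather than a verdict.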

Another Day, Another North Korean Campaign

SentinelLabs’ analysis shows that these North Korean-aligned actors are constantly developing new ways to bypass security. Their use of Nim, a language that allows them to embed complex behaviours within compiled programs, makes it harder for security experts to understand how the malware works. Additionally, using AppleScript for simple tasks like regularly checking in with their servers helps them avoid using more traditional, easily detectable hacking tools.

The report goes on to show how important it is for companies to strengthen their defences as these threats keep changing. As hackers try out new programming languages and more advanced tactics, cybersecurity researchers need to update how they detect and stop these attacks. SentinelLabs sums it up by calling them “inevitable attacks” that everyone should be ready for.
