Cybersecurity researchers have uncovered a new malware campaign by North Korean state-backed hackers aimed at cryptocurrency companies. This marks an alarming shift toward targeting Apple’s memory protection on macOS systems.
The malware, which hides in what looks like a Zoom update, is designed to infect computers used by developers and project staff. Once active, it can collect passwords, wallet data and internal files, raising the risk for teams building in Web3 and decentralized finance.
SentinelOne published a detailed technical analysis of the threat on 2 July, naming the exploit NimDoor after the obscure Nim programming language it uses. Because Nim is rarely seen on macOS, its use may help the malware evade detection by standard antivirus tools.
In the report, SentinelOne said, “DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and crypto-related businesses.” This approach builds on a 2023 operation the firm called Hidden Risk , where similar groups used PDF lures and a clever persistence trick involving macOS’s zshenv file.
Meanwhile, blockchain data firm Chainalysis reported that North Korea-linked attackers stole more than $1 billion worth of crypto last year. The hacks were spread across 20 separate incidents, with stolen funds suspected to support weapons and missile programmes.
Cybersecurity experts urge Web3 companies to strengthen security on Mac devices. This includes blocking suspicious Zoom or Meet scripts, monitoring unsigned files, and reviewing user-level settings for hidden malware.
