NimDoor Malware Sparks New Crypto Theft Attack on Mac Users

5 hours ago

North Korean Hackers Use NimDoor for Massive Crypto Theft

Cybersecurity researchers have recently released a report describing a new malware campaign designed to target professionals in the Web3 and digital currency sectors. The attackers are believed to be linked to North Korea and are carrying out a widespread crypto theft operation that compromises Apple Mac devices used by employees of crypto and blockchain companies.

This attack uses a mix of social engineering, fake software updates and uncommon programming languages to steal sensitive data from victims. More alarming still is its persistence: the malware does not disappear even after a reboot.

Hackers use fake calls and messages to trick users

In the latest NimDoor malware crypto theft operation, the hackers first approach their targets through messaging apps such as Telegram, relying on social engineering tricks. They pose as potential employers or partners, often sending call invitations through platforms like Calendly.

Once the victim trusts them, the hacker sends a fake email that pretends to offer a Zoom SDK update. Instead of updating Zoom, the "update" silently downloads the NimDoor software in the background.

This gives the hackers remote access to the system and starts the data theft process without the victim even realizing it.

Malware steals data from browsers and Telegram

The hackers use several methods to steal data, including from Telegram, and their main focus is the data held on the target devices. The goal of the NimDoor malware campaign is to extract as much valuable information as possible.

Once inside a system, it runs bash scripts that collect data from web browsers including Google Chrome, Firefox, Brave, Microsoft Edge and Arc.

It does not stop there. It also steals credentials from iCloud Keychain and Telegram user data, making this campaign a serious threat to anyone working with digital assets. The method and reach of this NimDoor malware attack are unlike anything researchers have seen recently.

Source: X

Malware can reinstall itself automatically

One of the most dangerous aspects of the NimDoor crypto theft operation is its persistence. Even if you shut down your Mac or try to stop the process, the malware installs itself again using a signal-based persistence mechanism.

It uses SIGINT and SIGTERM handlers to detect attempts to shut it down and immediately reload itself. This means that once a system is infected, the crypto theft campaign can continue silently for many days unless the malware is detected and manually removed using advanced tools.

Hackers use uncommon programming languages

Another factor that makes the crypto theft campaign more dangerous is the attackers' choice of programming languages. The malware is written in C++, Nim and AppleScript, which makes it harder for most traditional antivirus software to detect.

Security experts say that using the Nim language helps the hackers avoid detection and complicates analysis. This technique is part of a growing trend in which cybercriminals move away from widely used programming languages to develop malware that can slip past modern defenses.

Source: SentinelLabs

The rise of such techniques is adding to the reach and impact of crypto theft worldwide.

Conclusion

The crypto theft campaign is a wake-up call for the entire digital currency and Web3 community. By combining social engineering with technical sophistication, North Korean hackers have developed a tool that can silently steal personal and professional data while avoiding detection.

Users are strongly advised to be careful with unexpected emails or file downloads, especially those claiming to be software updates or scheduling requests. Investing in strong endpoint security, two-factor authentication and regular system checks is crucial to defend against the ongoing crypto theft wave.
