North Korean hackers target macOS in latest malware campaign targeting crypto firms

North Korean cybercriminals have been targeting crypto firms using a new strain of malware that exploits Apple devices in a multi-stage attack.

Researchers at cybersecurity firm Sentinel Labs have issued a warning about the campaign, which leverages social engineering and advanced persistence techniques to compromise macOS systems.

The malware, dubbed “NimDoor,” is written in the lesser-known Nim programming language and is capable of evading traditional antivirus tools.

According to Sentinel Labs, the attackers initiate contact by impersonating trusted individuals on messaging platforms like Telegram. Victims, who in this case appear to be employees at blockchain or Web3 firms, are lured into fake Zoom meetings via phishing links and are instructed to install what appears to be a routine Zoom SDK update.

Once executed, the update script installs multiple stages of malware onto the victim’s Mac device. These include AppleScript-based beacons, Bash scripts for credential theft, and binaries compiled in Nim and C++ for persistence and remote command execution.

Binaries are standalone program files that carry out specific tasks within the malware chain. One binary, called CoreKitAgent, uses a signal-based persistence mechanism that runs when users try to close the malware, allowing it to stay active even after the system reboots.

Cryptocurrencies are a key target of the operation. The malware specifically seeks out browser-stored credentials and application data related to digital wallets.

The malware executes scripts designed to extract information from popular browsers like Chrome, Brave, Edge, and Firefox, as well as Apple’s Keychain password manager. Another component targets Telegram’s encrypted database and key files, potentially exposing wallet seed phrases and private keys exchanged over the messaging app.

North Korean hackers responsible

Sentinel Labs has attributed the campaign to a North Korea-aligned threat actor, continuing a pattern of crypto-focused cyberattacks by the Democratic People’s Republic of Korea. 

Hacking groups such as Lazarus have long targeted digital asset companies in efforts to bypass international sanctions and fund state operations. Previous operations have seen malware written in Go and Rust, but this campaign marks one of the first major deployments of Nim against macOS targets.

As previously reported by crypto.news, in late 2023, researchers observed another DPRK-linked campaign that deployed a Python-based malware known as Kandykorn. It was distributed through Discord servers disguised as a crypto arbitrage bot and primarily targeted blockchain engineers using macOS.

Sentinel Labs has warned that as threat actors increasingly adopt obscure programming languages and sophisticated techniques, traditional security assumptions around macOS are no longer valid.

Over the past months, several malware strains have targeted Apple users, including SparkKitty, which stole seed phrases via photo galleries on iOS, and a trojan that replaced wallet apps on macOS with a malicious version.