Natalia Stryzhak / 04 July 2025

Emerging Cyber Threats to macOS Users: North Korean Attack

Researchers at SentinelLabs have detected a new cyber threat linked to North Korean hackers targeting macOS users to steal cryptocurrency and confidential information, as reported by TechRadar.

They identified a backdoor named NimDoor, written in the lesser-known Nim programming language, which helps it evade detection by traditional antivirus software. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, which let the malware persist on the system and sidestep security controls. In cybersecurity, beaconing refers to the technique whereby malicious software periodically contacts a command and control (C2) server to report its presence and receive instructions or transmit data.
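Because beaconing is periodic by nature, one defensive heuristic is to look for outbound connections from a single process to a single destination whose inter-arrival gaps are unusually regular. The following is an added example for illustration only, not code from SentinelLabs or from the article: it parses a constructed connection log (timestamp in seconds, process name, destination), computes the gap statistics per process/destination pair, and flags pairs whose coefficient of variation (standard deviation divided by mean gap) is low. The process name `updater` and the addresses are constructed sample values.

```python
"""Flag beacon-like periodic outbound connections in a constructed connection log.
Added example; not code from SentinelLabs or the article."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<timestamp_seconds> <process> <destination>".
# The "updater" process calls home roughly every 60 seconds with small jitter;
# the Safari lines are ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
1000 updater 203.0.113.10:443
1001 Safari 198.51.100.5:443
1060 updater 203.0.113.10:443
1119 updater 203.0.113.10:443
1181 updater 203.0.113.10:443
1240 updater 203.0.113.10:443
1300 updater 203.0.113.10:443
1305 Safari 198.51.100.7:443
1450 Safari 198.51.100.5:443
1900 Safari 198.51.100.9:443
"""


def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst = line.split()
        events[(proc, dst)].append(int(ts))
    return events


def beacon_score(timestamps, min_events=4):
    """Return (mean_gap, cv) for the inter-arrival gaps, or None if too few events.

    cv is the coefficient of variation: pstdev(gaps) / mean(gaps). A value near 0
    means the connections are almost perfectly periodic.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = float(mean(gaps))
    cv = pstdev(gaps) / m if m else 0.0
    return m, cv


def find_beacons(text, min_events=4, max_cv=0.2):
    """Return the (process, destination) pairs whose timing looks beacon-like."""
    results = []
    for (proc, dst), ts in parse_log(text).items():
        score = beacon_score(ts, min_events)
        if score is None:
            continue
        m, cv = score
        if cv <= max_cv:
            results.append({
                "process": proc,
                "destination": dst,
                "count": len(ts),
                "mean_interval_s": round(m, 1),
                "jitter_cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The `max_cv` threshold is the knob that decides how much jitter still counts as periodic; the asynchronous sleep timers mentioned above exist precisely to raise that jitter, so treat a hit from this heuristic as a lead to correlate with process ancestry and destination reputation rather than as proof on its own.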

The attack typically initiates via Telegram, where victims receive a message from a fictitious trusted contact inviting them to a Zoom meeting. Clicking the link leads to a fake Zoom page that prompts the user to install an "update" to join the call. Instead, the malicious NimDoor code is downloaded, stealing a variety of data:

  • Browser history and search queries;
  • Cookies and chats from Telegram;
  • Passwords from the macOS Keychain.

"This is concerning in terms of the development of North Korean cyber capabilities, especially due to the exploitation of remote work trends and the false sense of security among Mac users," noted SentinelLabs.

State-sponsored hacker groups from North Korea, including the notorious Lazarus Group, have previously stolen cryptocurrency funds to finance their programs. From 2021 to early 2025, they have stolen over $3.4 billion, including:

  • ByBit exchange attack in February 2025: approximately $1.5 billion in tokens;
  • Ronin Bridge hack in March 2022: around $600 million;
  • Poly Network attack in 2021: about $600 million.

Experts advise all macOS users to exercise caution: avoid clicking suspicious links, even if received from acquaintances, and only install updates through official channels, not from browser pop-ups.
