Researchers from SentinelLabs have uncovered a new threat from North Korean-affiliated hackers targeting macOS users in order to steal cryptocurrency and confidential information, as reported by TechRadar.
They identified a backdoor named NimDoor, written in the relatively obscure programming language Nim, which helps it evade detection by traditional antivirus programs. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, allowing the malware to maintain a presence on the system and bypass security measures. In cybersecurity, "beaconing" refers to a technique in which malware periodically connects to a command and control (C2) server to report its presence, receive instructions, or exfiltrate data.
The attack typically begins on Telegram: victims receive messages from a fictitious trusted contact inviting them to a Zoom meeting. Clicking the link opens a fake Zoom page that prompts the victim to install an "update" to join the call. Instead, the malicious NimDoor code is downloaded, which exfiltrates various data:
- Browser history and search queries;
- Cookies and chats from Telegram;
- Passwords from macOS Keychain.
"This is concerning in terms of the evolution of North Korean cyber capabilities, especially given the exploitation of the remote work trend and the false sense of security among Mac users," noted SentinelLabs.
State-sponsored hacker groups from North Korea, including the notorious Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025, they stole over $3.4 billion, including:
- The ByBit exchange attack in February 2025: approximately $1.5 billion in tokens;
- The Ronin Bridge hack in March 2022: around $600 million;
- The Poly Network attack in 2021: about $600 million.
Experts advise all macOS users to exercise caution: do not open suspicious links, even if they come from acquaintances, and install updates only through official channels, not from browser pop-up windows.