North Korean Threat Actors Use NimDoor Malware to Target Apple Devices

July 4, 2025

Summary: How are North Korean threat actors using NimDoor malware to target cryptocurrency companies through Apple devices?

North Korean hackers are using a new malware strain called NimDoor to target cryptocurrency companies by infiltrating Apple devices. The attack begins with social engineering on platforms like Telegram, leading victims to download a fake Zoom update that installs the malware. Once active, NimDoor steals data from crypto wallets, browsers, and even Telegram, using tactics designed to evade detection.


North Korean threat actors have launched a new campaign targeting cryptocurrency companies, deploying malware built to run on Apple devices. On macOS the malware relies on process injection and other evasion techniques rather than on anything novel in the initial lure, and it delivers an infostealer payload aimed specifically at data from crypto wallets.

Researchers at cybersecurity firm SentinelLabs uncovered the social engineering chain reportedly used by North Korean threat actors. The threat actors begin by posing as a trusted contact on messaging platforms such as Telegram, engaging the victim in conversation to establish credibility. They then invite the target to a video call, presented as a Google Meet session but actually delivered as a Zoom link, and follow up by sending a file that mimics a legitimate Zoom SDK update script. That file is the delivery vehicle for the malicious payloads.

Once the fraudulent "update" file is executed, it installs the malware strain known as "NimDoor" on the victim's device. From there, the malware harvests sensitive information, specifically targeting cryptocurrency wallets and credentials stored in browsers.


Although the initial attack method follows a familiar pattern—leveraging social engineering, lure scripts, and fake software updates commonly associated with DPRK-linked campaigns—the malware’s use of the Nim programming language sets it apart. 

The researchers note that Nim-compiled binaries are rarely seen targeting macOS, making the malware less recognizable to conventional security tools and potentially more difficult to analyze and detect.
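Because Nim-compiled Mach-O binaries are unusual on macOS, a defender's first triage step is often simply to recognise one. The following is an added example (not code from the article or from SentinelLabs) of a string-based heuristic for that: it checks for a Mach-O magic number and then looks for artefacts the Nim compiler and runtime leave in a typical non-stripped build. The marker list, the threshold and the two sample byte strings are constructed for this example; they are generic Nim fingerprints, not indicators taken from the NimDoor report, and a stripped or packed binary will defeat them.

```python
"""Heuristic triage: flag Mach-O binaries that look Nim-compiled (example code)."""
import sys
from pathlib import Path

# Mach-O magic numbers (big- and little-endian, 32/64-bit) plus the fat/universal
# header. 0xCAFEBABE is also the Java class-file magic, so on its own it is only
# a weak signal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe",                        # fat/universal
}

# Strings the Nim compiler and runtime leave in a typical non-stripped build.
# Assumption: this is a generic fingerprint list written for this example, not
# an indicator set taken from the SentinelLabs report.
NIM_MARKERS = [
    b"NimMain",                       # entry point generated for every Nim program
    b"nimFrame",                      # stack-frame bookkeeping used by the runtime
    b"nimGC_setStackBottom",          # garbage-collector initialisation
    b"nimZeroMem",                    # runtime memory helpers
    b"nimCopyMem",
    b"lib/system.nim",                # source path embedded by the compiler
    b"nimcache",                      # Nim's intermediate C output directory
    b"Error: unhandled exception:",   # Nim's default crash message
]


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic number."""
    return data[:4] in MACHO_MAGICS


def nim_markers_found(data: bytes) -> list:
    """Return the Nim markers present in the blob, in list order."""
    return [m.decode() for m in NIM_MARKERS if m in data]


def score_binary(data: bytes, threshold: int = 2) -> dict:
    """Combine the format check and marker count into a verdict.

    A file is reported as nim_like only if it is Mach-O AND carries at least
    `threshold` distinct markers, which keeps single-string coincidences out.
    """
    macho = is_macho(data)
    markers = nim_markers_found(data)
    return {
        "macho": macho,
        "markers": markers,
        "nim_like": macho and len(markers) >= threshold,
    }


def scan_file(path) -> dict:
    """Score a file on disk; reads the whole file, so keep it to binaries."""
    result = score_binary(Path(path).read_bytes())
    result["path"] = str(path)
    return result


# Constructed sample inputs (not real malware): a 64-bit Mach-O magic followed by
# padding and a few strings, one set Nim-flavoured and one plain C-flavoured.
SAMPLE_NIM_LIKE = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    + b"_NimMain\x00nimFrame\x00/usr/lib/nim/lib/system.nim\x00"
)
SAMPLE_PLAIN = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    + b"_main\x00_start\x00/usr/lib/libSystem.B.dylib\x00"
)

if __name__ == "__main__":
    # Usage: python nimtriage.py /path/to/binary ...   (no args: run the samples)
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(scan_file(p))
    else:
        print("nim-like sample:", score_binary(SAMPLE_NIM_LIKE))
        print("plain sample:   ", score_binary(SAMPLE_PLAIN))
```

Run against a directory of freshly downloaded "updates" this gives a quick first cut; anything flagged as Mach-O with several Nim markers deserves a closer look, while a Mach-O with none is not cleared, since stripping symbols removes most of these strings.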

The researchers also observed that North Korean threat actors have previously experimented with languages such as Go and Rust. The recent move to Nim offers a practical advantage: while still relatively uncommon, Nim is gaining traction among cybercriminals because it compiles to C and cross-compiles easily, so a single codebase can be built for Windows, Linux, and macOS with little or no change.

This lets threat actors maintain one malware codebase for several operating systems, increasing the efficiency and reach of their attacks.

The malicious payload includes a credential-stealing component engineered to discreetly harvest browser and system-level data, bundle the information, and transmit it to the attackers. In addition, the researchers identified a script within the malware that targets Telegram by extracting both its encrypted local database and the corresponding decryption keys. 

Notably, the malware employs a delayed activation mechanism, sleeping for ten minutes before carrying out its operations, an apparent effort to outlast sandboxes and automated scanners that observe a sample for only a few minutes.

Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.