Exclusive: North Korean Hackers Deploy Stealthy Mac Malware in Brazen Crypto Heist
Another day, another crypto hack—but this time, Apple users are in the crosshairs. North Korea’s Lazarus Group has upgraded its arsenal with macOS-targeted malware, hunting for nine-figure exploits.
Silicon Betrayal: How the Attack Works
The malware masquerades as legitimate blockchain dev tools, bypassing Gatekeeper protections. Once installed, it drains wallets and exfiltrates private keys faster than a memecoin rug pull.
Security researchers confirm the code shares fingerprints with Lazarus’ 2023 Ronin Network breach—a $625 million masterpiece of digital larceny.
Crypto’s Irony: Decentralized Finance, Centralized Theft
While DeFi preaches ‘be your own bank,’ Lazarus operates like Wall Street’s worst nightmare—a hedge fund that actually delivers 100,000% returns… by stealing them.
TLDR
- North Korean hackers target crypto projects using new Mac malware called “NimDoor” that bypasses Apple’s memory protections
- Attackers impersonate trusted contacts on messaging apps and send fake Zoom update files to install the malware
- The malware is written in Nim programming language, making it harder to detect and allowing it to run on multiple operating systems
- NimDoor steals crypto wallet credentials, browser passwords, and Telegram data while avoiding detection through smart timing delays
- Security researchers confirm Macs are increasingly targeted by sophisticated state-sponsored attackers, debunking the myth that Apple devices are immune to malware
North Korean hackers are using new strains of malware aimed at Apple devices in cyberattack campaigns targeting crypto companies. The attacks represent a growing threat to Mac users in the cryptocurrency space.
According to cybersecurity firm Sentinel Labs, the attackers impersonate trusted contacts on messaging apps like Telegram. They then request fake Zoom meetings via Google Meet links before sending what appears to be a Zoom update file to victims.
Once the fake update is executed, the payload installs malware called “NimDoor” on Mac computers. The malware specifically targets crypto wallets and browser passwords stored on the infected devices.
The attack vector follows a pattern North Korean groups have used before: social engineering followed by a fake software update. However, the use of Nim-compiled binaries on macOS is an unusual choice for cybercriminals.
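The defender-side check that defeats this delivery step is to verify the code signature of any "update" file before it is run. The following is an added example, not code from the article or from Sentinel Labs: it parses the report that `codesign -dv --verbose=4` prints for a file and rejects anything unsigned, ad-hoc signed, signed by the wrong Apple Team ID, or lacking the hardened runtime. The three sample reports are constructed, and `EXPECTED_TEAM_ID` is a placeholder for the vendor's published Team ID.

```python
# Placeholder (assumption): replace with the vendor's published Apple Team ID.
EXPECTED_TEAM_ID = "TEAMID0000"

# Constructed sample of `codesign -dv --verbose=4` output for a properly signed app bundle.
SAMPLE_GOOD = """Identifier=us.zoom.xos
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""
# Constructed sample for an ad-hoc signed binary, the usual state of a hand-built installer.
SAMPLE_ADHOC = """Identifier=zoom_update
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
# Constructed sample for a file with no signature at all.
SAMPLE_UNSIGNED = "zoom_update: code object is not signed at all\n"

def parse_codesign(text):
    """Reduce codesign's verbose report to the fields that matter for a trust decision."""
    info = {"signed": "not signed at all" not in text, "adhoc": False,
            "team_id": None, "authorities": [], "runtime": False}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier":
            info["team_id"] = None if value == "not set" else value
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True
        elif key.startswith("CodeDirectory") and "(runtime)" in line:
            info["runtime"] = True
    return info

def assess_update(text, team_id=EXPECTED_TEAM_ID):
    """Return reasons not to run the file; an empty list means every check passed."""
    info = parse_codesign(text)
    if not info["signed"] or info["adhoc"]:
        return ["unsigned or ad-hoc signed: nothing ties this file to any developer"]
    problems = []
    if info["team_id"] != team_id:
        problems.append(f"Team ID {info['team_id']!r} is not the expected {team_id!r}")
    if not any(a.startswith("Developer ID Application:") for a in info["authorities"]):
        problems.append("not signed with a Developer ID certificate")
    if not info["runtime"]:
        problems.append("hardened runtime is not enabled")
    return problems
```

On a real Mac, feed `assess_update` the stderr of `codesign -dv --verbose=4 <file>`; a non-empty result means the file should not be opened regardless of who sent it.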
Nim is a relatively new and uncommon programming language that is becoming popular with cybercriminals. The language can run on Windows, Mac, and Linux without changes, allowing hackers to write one piece of malware that works everywhere.
The language also compiles quickly to native code and produces standalone executable files. Most importantly for cybercriminals, Nim-based malware is very hard for security software to detect.
Mac Vulnerability Exposed
Previously, it was widely believed that Mac computers were less susceptible to hacks and exploits. Security researchers now confirm this is no longer the case for sophisticated attacks.
The malware bypasses Apple’s memory protections to inject its payload on infected systems, which allows it to operate despite Apple’s built-in security measures.
North Korean-aligned threat actors have previously experimented with Go and Rust programming languages. However, Nim offers advantages over these alternatives for cybercriminal operations.
Sophisticated Theft Capabilities
The NimDoor payload contains a credential-stealer designed to silently extract browser and system-level information. The malware then packages this data and sends it to the attackers’ servers.
The malware includes a script that steals Telegram’s encrypted local database and the decryption keys. This allows attackers to access victims’ encrypted messaging history and contacts.
NimDoor waits ten minutes before activating, a timing trick that helps it evade security scanners that only observe a file for a short window after execution. Because nothing suspicious happens during that window, the delay keeps the malware from triggering immediate security alerts.
The malware performs keylogging, screen recording, and clipboard retrieval on infected systems. It also includes a full-featured infostealer called CryptoBot with a focus on cryptocurrency theft.
Browser Extension Targeting
The infostealer specifically targets browser extensions, seeking out wallet plugins used for cryptocurrency storage. This focus reflects the campaign’s primary goal of stealing digital assets.
Blockchain security firm SlowMist recently alerted users to a related massive malicious campaign. This campaign involved dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials.
Cybersecurity solutions provider Huntress reported similar malware incursions linked to the North Korean state-sponsored hacking group “BlueNoroff.” These attacks occurred as early as June of this year.
Sentinel Labs researchers concluded that macOS has become a larger target for threat actors over recent years. The trend particularly affects highly sophisticated, state-sponsored attackers targeting the cryptocurrency industry.