Researchers from SentinelLabs have recently detected a new cyber attack carried out by North Korean hackers targeting macOS users to steal cryptocurrency and other sensitive information, as reported by TechRadar.
They identified a backdoor named NimDoor, written in Nim, a relatively rare programming language that helps it evade conventional antivirus solutions. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, which allow the malware to persist on the system and evade security controls. In cybersecurity, "beaconing" refers to a technique in which malware periodically contacts a command and control (C2) server to report its presence, receive instructions, or exfiltrate data.
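The defender's counterpart to beaconing is looking for outbound contacts that recur at suspiciously regular intervals. The following is an added example, not code from SentinelLabs, TechRadar, or the NimDoor analysis: it parses a constructed connection log (the `timestamp host -> destination` line format, the host name `mac-01`, and the destination `203.0.113.10:443` from the documentation address range are all assumptions, not real indicators) and flags any host/destination pair whose inter-contact gaps have a low coefficient of variation.

```python
"""Beaconing detection over connection logs (added example, not from the article).

Beacons contact their C2 server at near-constant intervals; ordinary browsing
does not. For each (host, destination) pair we compute the gaps between
consecutive contacts and flag pairs whose gaps are both frequent and regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (assumed format: "<ISO timestamp> <host> -> <dest>").
# 203.0.113.10 is a documentation-range placeholder, not a real indicator.
SAMPLE_LOG = """\
2025-07-01T09:00:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:00:05 mac-01 -> cdn.example.net:443
2025-07-01T09:05:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:07:41 mac-01 -> news.example.org:443
2025-07-01T09:10:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:15:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:16:12 mac-01 -> cdn.example.net:443
2025-07-01T09:20:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:25:00 mac-01 -> 203.0.113.10:443
2025-07-01T09:44:09 mac-01 -> cdn.example.net:443
2025-07-01T10:02:33 mac-01 -> cdn.example.net:443
2025-07-01T10:03:01 mac-01 -> cdn.example.net:443
"""


def parse_log(text):
    """Return {(host, dest): [sorted timestamps]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _arrow, dest = line.split()
        sessions[(host, dest)].append(datetime.fromisoformat(ts))
    for key in sessions:
        sessions[key].sort()
    return sessions


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    # Population standard deviation relative to the mean: 0.0 means perfectly regular.
    return m, pstdev(gaps) / m


def find_beacons(text, min_contacts=5, max_cv=0.1):
    """Flag (host, dest) pairs with at least min_contacts contacts at near-regular intervals."""
    findings = []
    for (host, dest), stamps in parse_log(text).items():
        if len(stamps) < min_contacts:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            findings.append({
                "host": host,
                "dest": dest,
                "contacts": len(stamps),
                "period_s": round(period),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample, only the placeholder destination is flagged: six contacts exactly 300 seconds apart (CV 0.0), while the CDN traffic, with gaps ranging from 28 seconds to nearly half an hour, is not. The caveat follows directly from the article: a beacon that sleeps for randomized (asynchronous) intervals raises the CV, so `max_cv` has to be tuned to the environment and this regularity check should be one signal among several (destination reputation, process lineage, volume) rather than a standalone verdict.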
The attack typically begins on Telegram: victims receive a message from a fictitious trusted contact inviting them to a Zoom meeting. When the link is clicked, a fake Zoom page opens requesting the installation of an "update" to join the call. Instead, the malicious NimDoor code is downloaded, which steals various data:
- Browser history and search queries;
- Cookies and chats on Telegram;
- Passwords from macOS Keychain.
"This is concerning in terms of the evolution of North Korean cyber capabilities, especially with the exploitation of remote work trends and a false sense of security among Mac users," stated SentinelLabs.
State-sponsored hacker groups from North Korea, including the notorious Lazarus Group, have previously stolen cryptocurrency to fund their programs. Between 2021 and early 2025 they stole over $3.4 billion, including:
- Attack on ByBit exchange in February 2025: approximately $1.5 billion in tokens;
- Hack of Ronin Bridge in March 2022: around $600 million;
- Attack on Poly Network in 2021: about $600 million.
Experts advise all macOS users to be cautious: do not click on suspicious links, even if they come from acquaintances, and install updates only through official channels, not from browser pop-ups.