A recent report from SentinelLabs, dated July 2, 2025, details a sophisticated cyberattack campaign aimed at Web3 and cryptocurrency firms. Threat actors associated with North Korea are targeting macOS systems using a novel malware named NimDoor. These attackers employ complex, multi-stage methods combined with encrypted communications to evade detection.
The attackers utilize AppleScript not just for initial access but also as discreet backdoors, enhancing their ability to remain undetected and persistent. Their methods have evolved, incorporating encrypted WebSocket (wss) communications and unconventional techniques to maintain access, even after efforts to terminate the malware.
How the Attacks Function
The attack begins with a familiar social engineering tactic. The attackers impersonate trusted contacts on platforms such as Telegram and lure victims into fraudulent Zoom meetings. They then send emails containing a supposed Zoom SDK update script that looks authentic but carries thousands of lines of concealed code. This script downloads additional malware from attacker-controlled websites, which often mimic legitimate Zoom domains.
Once access is gained, the infection proceeds in multiple stages. The attackers use several tools, including a C++ application that injects malicious code into legitimate processes, a technique rarely seen in macOS malware. This enables the theft of sensitive information such as browsing data, Keychain passwords, shell history, and Telegram communications.
According to SentinelLabs, installing the Nim-compiled ‘NimDoor’ malware establishes long-term access. Notably, a component named “GoogIe LLC” disguises itself by replacing the lowercase ‘l’ in “Google” with a capital ‘I’, which looks nearly identical in most fonts. The malware also includes a mechanism that re-launches its core components, preserving access even if the user kills the process or reboots the system.
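As an added illustration, not code from the SentinelLabs report, the following Python check flags component or bundle names that impersonate a known vendor through look-alike characters, as “GoogIe LLC” does; the vendor list and the sample names are constructed assumptions.

```python
# Added example: detect vendor-name impersonation via confusable characters,
# such as a capital I standing in for the lowercase l of "Google".

# Characters that render near-identically in common UI fonts, mapped to the
# plain letter they are used to imitate.
CONFUSABLES = str.maketrans({
    "I": "l",  # capital i -> lowercase L (the "GoogIe" trick)
    "1": "l",
    "|": "l",
    "0": "o",
    "5": "s",
    "$": "s",
})

# Assumed list of vendor names an attacker may want to impersonate.
KNOWN_VENDORS = ["Google", "Apple", "Zoom", "Telegram"]

def fold_confusables(name: str) -> str:
    """Replace look-alike characters with their plain-letter equivalents."""
    return name.translate(CONFUSABLES).lower()

def homoglyph_matches(name: str, vendors=KNOWN_VENDORS) -> list[str]:
    """Vendors that `name` resembles only after confusable folding.
    A name that literally contains the vendor string is a plain match and
    is not reported, so genuine spellings are not flagged."""
    folded = fold_confusables(name)
    literal = name.lower()
    return [v for v in vendors if v.lower() in folded and v.lower() not in literal]

def scan_names(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to the vendors it impersonates."""
    return {n: hits for n in names if (hits := homoglyph_matches(n))}

# Constructed sample of LaunchAgent labels / bundle display names.
SAMPLE_NAMES = [
    "GoogIe LLC",        # capital I for l: impersonates Google
    "Google LLC",        # genuine spelling: not flagged
    "Z00m Helper",       # zeros for o: impersonates Zoom
    "Zoom SDK Updater",  # genuine spelling: not flagged
]

if __name__ == "__main__":
    for name, vendors in scan_names(SAMPLE_NAMES).items():
        print(f"{name!r} looks like {', '.join(vendors)}")
```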
Ongoing Challenges from North Korean Campaigns
SentinelLabs highlights the continuous evolution of tactics employed by these North Korean-aligned actors. Their use of Nim lets them embed intricate behaviors within compiled programs, making the malware’s functionality harder for analysts to reverse engineer. Their use of AppleScript for routine communication with their servers also helps the malware evade more traditional security controls.
The report underscores that organizations must strengthen their defenses against these evolving threats. As attackers experiment with new programming languages and advanced techniques, security researchers must adapt their detection and prevention strategies. SentinelLabs emphasizes the need to be ready for these “inevitable attacks,” urging all stakeholders to enhance their security protocols.