
Daily Security Review

macOS Under Siege: NimDoor Malware Targets Telegram, Wallets, and Keychains

03 Jul 2025

Description

A new and unusually capable malware family, NimDoor, has joined the toolkit of North Korean state-sponsored operators. It targets macOS systems at cryptocurrency and Web3 organizations. This episode walks through NimDoor's tactics and capabilities: a mix of C++ and Nim components, stealthy persistence, and a tight focus on stealing digital assets.

First identified in early 2025, NimDoor marks a step up in North Korean tradecraft. The attack chain starts with social engineering over Telegram and a fake Zoom SDK update. Once the victim runs it, the malware drops multiple payloads, including components named GoogIe LLC (spelled with a capital I so it passes for "Google") and CoreKitAgent, that establish persistence, exfiltrate data, and talk to command-and-control servers over TLS-encrypted WebSocket (wss) connections, with a further layer of RC4 encryption applied to the traffic.

This episode covers:

- Anatomy of the infection chain: how Telegram lures and a fake SDK installer lead to a multi-stage infection on macOS.
- Persistence via signal handlers: NimDoor registers handlers for termination signals such as SIGTERM, so an attempt to kill the process triggers it to reinstall itself before exiting. This is an unusually resilient trick for macOS malware, and it means a plain kill is not a cleanup.
- Targeted data theft: browser data, cryptocurrency wallet credentials, Telegram's encrypted local databases, macOS Keychain items, and shell command history.
- Why Nim matters: Nim is still uncommon in malware, so its compiled binaries have thin signature and heuristic coverage in antivirus and EDR products, and the language gives the authors considerable control over how the binary is built.
- North Korea's objectives: the Lazarus Group and affiliated units are not only stealing information; they launder stolen cryptocurrency to fund the regime and get around sanctions.
- macOS as a target: the campaign undercuts the assumption that Macs are safe by default and shows macOS squarely in the sights of nation-state actors.
- Modular payloads and exfiltration tools: from C++ loaders to Nim-compiled components and Bash scripts such as upl and tlgrm, the design favors flexibility and thorough data theft.

How to defend:

- Don't trust third-party cryptocurrency tools, especially ones shared over chat platforms such as Telegram.
- Train teams to recognize fake software prompts and unsolicited update requests.
- Apply least privilege and enforce strict application allowlists.
- Patch aggressively, and monitor for unexpected outbound WebSocket-over-TLS (wss) connections. These ride on port 443 like ordinary HTTPS, so rely on proxy or endpoint telemetry rather than port numbers alone.
- Treat Nim-compiled malware as mainstream rather than exotic: it is active and dangerous.

The NimDoor campaign brings together nation-state strategy, fresh tooling choices, and cryptocurrency theft. For Web3 builders, crypto investors, and security professionals, it is a reminder that threat actors are not just evolving; they are innovating faster than ever.
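As an added example (not code from the podcast or from the NimDoor research), here is a small Python hunt over launchd property lists for the kind of persistence item the episode describes. It flags labels or program names that mimic a vendor with look-alike characters (the capital I in "GoogIe"), programs that run from user-writable paths, and KeepAlive set on such items, which makes launchd restart them after a kill. The sample plists, their paths and labels, the vendor list and the confusable map are constructed assumptions for the demo.

```python
import plistlib
import re

# Vendor names an attacker is likely to impersonate in a persistence item (assumed list).
VENDORS = ("google", "apple", "zoom", "microsoft")

# Characters commonly swapped in to mimic a legitimate name: capital I, digit 1 or pipe for l, 0 for o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Locations an ordinary user can write to; a launchd item running code from here deserves a look.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def impersonated_vendors(name):
    """Return vendor names that `name` mimics through look-alike characters.

    A token that already equals the vendor name ("Google") is not reported; only a
    token that matches after confusable substitution ("GoogIe", "App1e") is.
    """
    hits = set()
    for token in re.split(r"[^A-Za-z0-9|]+", name):
        if not token:
            continue
        raw = token.lower()
        folded = token.translate(CONFUSABLES).lower()
        for vendor in VENDORS:
            if raw != vendor and folded == vendor:
                hits.add(vendor)
    return sorted(hits)


def in_user_writable_location(program):
    """True if the program path sits somewhere an unprivileged user could have dropped it."""
    return program.startswith(USER_WRITABLE_PREFIXES)


def program_of(item):
    """launchd accepts either a Program key or ProgramArguments[0]; return whichever is set."""
    if item.get("Program"):
        return str(item["Program"])
    args = item.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launchd_plist(data):
    """Return a list of findings for one plist (bytes); an empty list means nothing stood out."""
    item = plistlib.loads(data)
    label = str(item.get("Label", ""))
    program = program_of(item)
    findings = []
    for vendor in sorted(set(impersonated_vendors(label)) | set(impersonated_vendors(program))):
        findings.append(f"name mimics '{vendor}' with look-alike characters (label={label!r}, program={program!r})")
    if in_user_writable_location(program):
        findings.append(f"program runs from a user-writable path: {program}")
        if item.get("KeepAlive"):
            findings.append("KeepAlive is set, so launchd restarts the program if it is killed")
    return findings


def audit_all(plists):
    """Map each plist file name to its findings."""
    return {name: audit_launchd_plist(data) for name, data in plists.items()}


# Constructed sample plists, built with plistlib.dumps so the example runs offline.
# The "GoogIe LLC" name follows the page; every path and label here is an assumption,
# including the two benign-looking controls.
SAMPLE_PLISTS = {
    "com.apple.softwareupdate.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/usr/libexec/softwareupdated"],
        "RunAtLoad": True,
    }),
    "com.GoogIe.LLC.plist": plistlib.dumps({
        "Label": "com.GoogIe.LLC",
        "ProgramArguments": ["/Users/alice/Library/Application Support/GoogIe LLC/GoogIe LLC"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PLISTS).items():
        print(name, "->", findings or "clean")
```

On a real host, feed `audit_launchd_plist` the bytes of each file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; `plistlib.loads` handles both XML and binary plists. A hit on the path or KeepAlive checks is a lead, not a verdict, since plenty of legitimate user agents live under ~/Library; the homoglyph check is the one that almost never fires on benign software.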
