A new wave of cyberattacks targeting Apple devices has been linked to North Korean state-sponsored threat actors, according to a recent investigation by cybersecurity firm Sentinel Labs. The attackers have developed advanced malware strains, specifically engineered to compromise Mac computers, in an ongoing campaign aimed at cryptocurrency companies.
Social Engineering via Telegram and Fake Zoom Updates
The threat actors begin their operations by impersonating trusted individuals on messaging platforms like Telegram. Victims are lured into joining fake video calls—often disguised as Zoom meetings—via a legitimate-looking Google Meet link. Shortly after, they are sent a seemingly harmless “Zoom update” file.
Once opened, this file installs a stealthy macOS malware variant known as NimDoor.
NimDoor: A Cross-Platform Menace
Unlike more commonly seen malware, NimDoor is written in Nim, a rare and unconventional programming language. This makes it significantly more difficult for traditional security tools to detect.
“Nim’s ability to compile across operating systems, including Windows, macOS, and Linux, allows attackers to deploy universal malware with minimal adjustments,” said Sentinel Labs researchers. “The use of Nim on macOS is particularly unusual and suggests a growing sophistication among DPRK-linked groups.”
NimDoor targets crypto wallets and saved browser credentials, silently harvesting sensitive data before transmitting it back to the attackers.

Credential Theft and Telegram Database Extraction
The malware isn’t limited to passive data collection. It includes a credential-stealing payload designed to extract browser data, system-level information, and even Telegram’s encrypted local database—along with the keys needed to decrypt it.
To avoid early detection, the malware is programmed to delay activation for 10 minutes after execution—a technique increasingly used to evade endpoint protection systems.
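The behaviour described above (a newly launched process reading Telegram's local data and browser credential stores, some minutes after it started) is the kind of thing host telemetry can catch. The following detection sketch is an added example written for this article, not code from Sentinel Labs or from the malware itself. It runs over constructed file-access events in a simple "timestamp|pid|process|operation|path" form; the home directory, the credential-store paths and the process names allowed to read them are illustrative assumptions, and a real deployment would take them from the organisation's own EDR or endpoint log schema.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Illustrative home directory and credential-store locations (assumptions made
# for this example, not values taken from the article). Each store maps to the
# process names that legitimately read it; anyone else touching it is suspicious.
HOME = "/Users/alice"
SENSITIVE_STORES: Dict[str, Set[str]] = {
    f"{HOME}/Library/Application Support/Telegram Desktop/tdata": {"Telegram"},
    f"{HOME}/Library/Application Support/Google/Chrome/Default/Login Data": {"Google Chrome"},
    f"{HOME}/Library/Application Support/Google/Chrome/Default/Local Extension Settings": {"Google Chrome"},
}

# A first credential-store access this long after launch is recorded as extra
# context: the article reports a ten-minute activation delay, so the finding
# carries the gap rather than relying on it as the only signal.
DORMANCY_THRESHOLD_SEC = 300


@dataclass
class Event:
    ts: datetime
    pid: int
    process: str
    op: str    # "exec" (process start) or "open" (file read)
    path: str


@dataclass
class Finding:
    pid: int
    process: str
    path: str
    seconds_since_exec: Optional[float]  # None if the launch was not observed


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|pid|process|op|path' telemetry line."""
    ts, pid, process, op, path = line.rstrip("\n").split("|", 4)
    return Event(datetime.fromisoformat(ts), int(pid), process, op, path)


def owning_store(path: str) -> Optional[str]:
    """Return the sensitive store a path belongs to (the store itself or anything under it)."""
    for store in SENSITIVE_STORES:
        if path == store or path.startswith(store + "/"):
            return store
    return None


def find_suspicious(lines: List[str]) -> List[Finding]:
    """Flag opens of credential stores by processes not expected to read them."""
    started: Dict[int, datetime] = {}
    findings: List[Finding] = []
    for ev in map(parse_line, lines):
        if ev.op == "exec":
            started[ev.pid] = ev.ts
            continue
        store = owning_store(ev.path)
        if store is None or ev.process in SENSITIVE_STORES[store]:
            continue  # not a credential store, or the legitimate owner reading it
        since = (ev.ts - started[ev.pid]).total_seconds() if ev.pid in started else None
        findings.append(Finding(ev.pid, ev.process, ev.path, since))
    return findings


def dormant(f: Finding) -> bool:
    """True when the flagged access came well after the process was launched."""
    return f.seconds_since_exec is not None and f.seconds_since_exec >= DORMANCY_THRESHOLD_SEC


# Constructed sample telemetry: Telegram reads its own store (benign), then a
# process started from a "Zoom update" file reads the Telegram key store and
# the Chrome password database ten minutes after it was launched.
SAMPLE_LOG = [
    "2025-07-02T09:00:00|610|Telegram|exec|/Applications/Telegram.app/Contents/MacOS/Telegram",
    f"2025-07-02T09:00:03|610|Telegram|open|{HOME}/Library/Application Support/Telegram Desktop/tdata/key_datas",
    "2025-07-02T09:01:00|777|ZoomUpdate|exec|/tmp/Zoom_Update",
    f"2025-07-02T09:11:02|777|ZoomUpdate|open|{HOME}/Library/Application Support/Telegram Desktop/tdata/key_datas",
    f"2025-07-02T09:11:04|777|ZoomUpdate|open|{HOME}/Library/Application Support/Google/Chrome/Default/Login Data",
    "2025-07-02T09:11:05|777|ZoomUpdate|open|/tmp/Zoom_Update.log",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        tag = " (dormant before first access)" if dormant(f) else ""
        print(f"pid {f.pid} {f.process} read {f.path} after {f.seconds_since_exec}s{tag}")
```

Run as a script it reports the two reads by the "ZoomUpdate" process and notes that both came roughly 600 seconds after launch; the Telegram client's own read of its store is not reported. The allow-list per store is the design choice that keeps this quiet in practice: the question is not whether a credential store was read, but whether the reader is the application that owns it.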
Expanding Target: macOS is No Longer Immune
For years, macOS users enjoyed a sense of security due to the platform’s smaller market share and perceived immunity to common malware. But that perception is rapidly shifting.
Recent findings by cybersecurity firm Huntress suggest that North Korean hacking group BlueNoroff has also deployed similar macOS malware strains capable of bypassing Apple’s memory protections. Their toolkit includes keylogging features, screen recording, clipboard monitoring, and a full-featured infostealer dubbed CryptoBot, which specifically targets crypto wallet browser extensions.
Browser Extensions Under Siege
This week, blockchain security firm SlowMist issued a separate warning about a large-scale campaign involving dozens of malicious Firefox extensions designed to hijack cryptocurrency wallet credentials.
“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” Sentinel Labs concluded, adding further weight to the growing evidence that Macs are no longer immune to viruses or cyber intrusions.
