New Cyber Threat to macOS Users: The Dangerous NimDoor Backdoor
Recent research by SentinelLabs has revealed a concerning cyberattack carried out by hackers associated with North Korea, targeting macOS users. This attack aims to steal cryptocurrency and other sensitive information, as reported by TechRadar.
The researchers identified a backdoor named NimDoor, written in Nim, a relatively uncommon programming language; because Nim binaries are rarely seen, they are less likely to be recognized by traditional antivirus solutions. Once installed, NimDoor uses AppleScript for communication and asynchronous sleep timers that let the malware maintain a presence on the system and bypass security measures. In cybersecurity, this periodic check-in behaviour is called "beaconing": the malware connects to a command and control (C2) server at intervals to report its presence and receive instructions.
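Because beaconing shows up on the defender's side as repeated connections from one host to one destination at near-constant intervals, it can be hunted in ordinary outbound-connection logs. The following script is an added example written for this article, not code from SentinelLabs or from the NimDoor research; the log format (`timestamp source destination`), the hostnames and the IP addresses are constructed for the demo, and the thresholds (`min_events`, `max_cv`) are assumptions a team would tune to its own baseline.

```python
"""Beacon detection over outbound-connection logs (constructed sample data).

Beaconing is the periodic check-in of malware with its C2 server. Seen from
the network side it is many connections from one host to one destination at
near-constant intervals, optionally with a little jitter. This script parses
simple "timestamp src dst" log lines and flags (src, dst) pairs whose
inter-connection gaps are both frequent and unusually regular.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed base time for the sample log below (not real telemetry).
_BASE = datetime(2025, 7, 1, 9, 0, 0)


def constructed_log():
    """Build a small, labelled sample log: one jittered beacon, one bursty
    browsing pattern, and one destination with too few events to judge."""
    lines = []
    # Beacon-like pattern: roughly every 60 s with +/- 3 s jitter, 10 check-ins.
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1]
    for i, j in enumerate(jitter):
        t = _BASE + timedelta(seconds=60 * i + j)
        lines.append(f"{t.isoformat()} mac-01 203.0.113.10:443")
    # Normal browsing: bursts and long idle gaps, so intervals are irregular.
    for offset in (0, 4, 5, 130, 131, 300, 902, 903, 904, 1500):
        t = _BASE + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} mac-01 198.51.100.20:443")
    # Only two events: not enough data to call it periodic.
    for offset in (10, 70):
        t = _BASE + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} mac-01 192.0.2.5:443")
    return lines


def parse_line(line):
    """Parse 'ISO-timestamp src dst' into (datetime, src, dst)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation (stdev / mean) means the connections are
    evenly spaced, which is the signature of a timer-driven check-in."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def detect_beacons(lines, min_events=6, max_cv=0.2):
    """Group connections by (src, dst) and flag pairs that check in often
    enough and regularly enough. Thresholds are assumed demo values."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few events to judge periodicity
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits[pair] = {
                "events": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in detect_beacons(constructed_log()).items():
        print(f"possible beacon: {src} -> {dst} {stats}")
```

Real traffic needs a baseline before thresholds like these are useful: legitimate software (update checkers, mail clients, monitoring agents) also polls on timers, so the flagged pairs are a triage list, not a verdict. Widening `max_cv` catches beacons with heavier jitter at the cost of more of those benign pollers.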
The attack typically begins on Telegram: victims receive a message from a fictitious trusted contact inviting them to a Zoom meeting. Clicking the link directs them to a fake Zoom page that prompts them to install an "update" to join the call. Instead, the NimDoor malware is downloaded, which steals various types of data:
- Browser history and search queries;
- Cookies and chats in Telegram;
- Passwords from the macOS Keychain.
SentinelLabs experts express concern regarding the advancement of North Korean cyber capabilities, particularly due to the exploitation of remote work trends and a false sense of security among Mac users.
State-sponsored hacker groups from North Korea, notably the Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025 they stole over $3.4 billion, including:
- Attack on the Bybit exchange in February 2025: approximately $1.5 billion in tokens;
- Hack of Ronin Bridge in March 2022: about $600 million;
- Attack on Poly Network in 2021: around $600 million.
Experts advise all macOS users to exercise caution: do not click on suspicious links, even if they come from acquaintances, and only install updates through official channels, not from browser pop-ups.