North Korean state hackers have launched a new series of attacks using the macOS malware NimDoor, which reinstalls itself after its process is killed and steals cryptocurrency assets. The malware restores its files after its process is terminated, bypasses standard macOS protections, and targets Web3 companies, including through fake Zoom SDK updates distributed on Telegram and via Calendly.

Researchers from SentinelOne report that NimDoor consists of three components:
Its distinguishing feature is a non-standard signal-based persistence mechanism: when terminated, the malware does not merely restart but reinstalls itself from scratch, retaining full functionality even after attempts to remove it. It also uses AppleScript for backdoor access, sending information to the attackers’ server every 30 seconds.
In addition, a second branch of the attack runs via zoom_sdk_support.scpt, which:

This is the first large-scale campaign in which the Nim language is used to write malicious code for macOS, clearly adapted to the multi-component architecture of the Apple system. Over the past year, North Korea has already been implicated in cyberattacks through:
fake video meetings with deepfake participation,
fake Ledger applications for stealing seed phrases,
attacks on Web3 via npm packages.
This signals the DPRK's shift to cross-platform espionage, extending its arsenal from Windows to macOS. Rather than primitive viruses, the state actor now deploys a cross-platform, multi-layered architecture with non-standard survival methods. This is a new reality in which terminating a process no longer means the threat is gone. Protecting macOS requires new strategies: behavioral analysis, sandbox tracking, and monitoring system signals.
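As an added illustration of the behavioral checks the last paragraph calls for (example code written here, not from the article or from SentinelOne's report), the following Python script runs two detections over a constructed process-event log and connection log: a binary that re-executes within seconds of being terminated by a signal, and a destination contacted at a fixed 30-second cadence. The event format, the process name zoom_helper and the addresses are all made up for the example.

```python
from collections import defaultdict

# Constructed sample process events (not real telemetry):
# (timestamp_seconds, event, pid, process_name, detail)
SAMPLE_EVENTS = [
    (0,  "exec",   501, "zoom_helper", ""),
    (10, "signal", 501, "zoom_helper", "SIGTERM"),  # analyst kills it
    (10, "exit",   501, "zoom_helper", ""),
    (12, "exec",   777, "zoom_helper", ""),         # same binary is back
    (30, "exec",   900, "Safari", ""),
    (40, "signal", 900, "Safari", "SIGTERM"),
    (40, "exit",   900, "Safari", ""),              # stays dead: benign
]

# Constructed outbound connections: (timestamp_seconds, "host:port").
# 203.0.113.10 is hit every 30 s; 198.51.100.7 at irregular intervals.
SAMPLE_CONNECTIONS = [(t, "203.0.113.10:443") for t in range(0, 300, 30)] + [
    (5, "198.51.100.7:443"), (140, "198.51.100.7:443"), (700, "198.51.100.7:443")]

TERMINATION_SIGNALS = {"SIGTERM", "SIGINT", "SIGKILL"}

def find_respawn_after_termination(events, window=30):
    """Names of binaries that re-exec within `window` seconds of being
    terminated by a signal, i.e. the reinstall-on-kill behaviour."""
    term_times = defaultdict(list)
    flagged = set()
    for ts, ev, _pid, name, detail in sorted(events):
        if ev == "signal" and detail in TERMINATION_SIGNALS:
            term_times[name].append(ts)
        elif ev == "exec" and any(0 <= ts - t <= window for t in term_times[name]):
            flagged.add(name)
    return flagged

def find_periodic_beacons(connections, period=30, tolerance=2, min_hits=5):
    """Destinations contacted at a steady cadence of ~`period` seconds."""
    by_dest = defaultdict(list)
    for ts, dest in connections:
        by_dest[dest].append(ts)
    beacons = set()
    for dest, times in by_dest.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            beacons.add(dest)
    return beacons

if __name__ == "__main__":
    print("respawned after kill:", find_respawn_after_termination(SAMPLE_EVENTS))
    print("periodic beacons:", find_periodic_beacons(SAMPLE_CONNECTIONS))
```

Real deployments would feed these functions from an EDR's process and network event stream rather than the constructed lists above.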