North Korean hackers targeting web3 startups on macOS through malware named NimDoor.
New MacOS Malware Threatens Web3 Platforms and Crypto Startups
A new and sophisticated macOS malware, known as NimDoor, has been targeting Web3 platforms and crypto startups since April 2025. Attributed to North Korean actors, notably the Kimsuky group, NimDoor is delivered through social engineering: fake Zoom SDK updates and Telegram lures.
How NimDoor Operates
NimDoor is a Nim-based backdoor that uses AppleScript, process injection, and macOS launch agents or signal handlers for persistence. The malware is delivered through fake Zoom SDK update notifications or phishing links sent via Telegram, creating a sense of urgency to trick targets into executing malicious files.
Once installed, NimDoor steals credentials stored in the macOS keychain, browser data, and Telegram messages. It also exfiltrates sensitive data, such as crypto wallet data, over encrypted WebSocket connections to evade detection.
Protection Strategies
To mitigate the risk posed by NimDoor, Web3 platforms and crypto startups can adopt several strategies. Firstly, users should be trained to critically assess urgent requests, especially links or updates received through Telegram or other unofficial channels, verifying their authenticity before clicking or downloading anything.
Secondly, disabling remote AppleScript execution on macOS systems can reduce the attack surface. Monitoring for unusual WebSocket connections, unexpected process injections, unfamiliar scripts on app startup, and suspicious persistence mechanisms like launch agents or signal handlers is also crucial.
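One concrete way to act on the persistence part of that monitoring advice is to audit the directories launchd reads agents and daemons from. The script below is an added example, not code from the article or from any vendor report on NimDoor: it parses launchd property lists with the standard-library plistlib and flags entries that start at login and hand control to a script interpreter such as osascript, or that reference executables in temporary or hidden user-writable paths. The indicator lists, the directory set and both sample plists are constructed for illustration and should be tuned to the environment being monitored.

```python
"""Audit macOS launchd plists for script-based persistence indicators.

Added example (not from the article). Flags LaunchAgent/LaunchDaemon entries
that run at load and invoke a script interpreter or an executable stored in a
temporary or hidden user-writable location. Heuristics and samples are
constructed for illustration.
"""
import plistlib
import re
from pathlib import Path

# Directories launchd reads user and system agents/daemons from (real macOS paths).
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Constructed heuristics: interpreters a benign agent rarely needs as its
# entry point, and path prefixes where installed software does not belong.
SCRIPT_INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "curl"}
SUSPICIOUS_PATH_RE = re.compile(r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/\.)")


def audit_plist_bytes(data: bytes) -> list[str]:
    """Return findings for one launchd plist (XML or binary); empty list = nothing flagged."""
    plist = plistlib.loads(data)
    findings = []
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program")
    if program:
        args = [program] + args
    if not args:
        return findings
    exe = Path(args[0]).name
    if exe in SCRIPT_INTERPRETERS:
        findings.append(f"runs script interpreter '{exe}': {' '.join(args)}")
    for arg in args:
        if SUSPICIOUS_PATH_RE.match(arg):
            findings.append(f"references temp or hidden user path: {arg}")
    # Persistence flags only matter as context once something else looks off.
    if findings:
        if plist.get("RunAtLoad"):
            findings.append("RunAtLoad is set (starts at login/boot)")
        if plist.get("KeepAlive"):
            findings.append("KeepAlive is set (relaunched if killed)")
    label = plist.get("Label", "<no label>")
    return [f"[{label}] {f}" for f in findings]


def audit_directories(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Scan launchd directories; returns {plist path: findings} for flagged entries."""
    results = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                findings = audit_plist_bytes(path.read_bytes())
            except Exception as exc:  # an unparseable plist is itself worth a look
                findings = [f"could not parse: {exc}"]
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample: an agent that runs osascript on a hidden script at login.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
  <string>/usr/bin/osascript</string>
  <string>/Users/alice/.config/update.scpt</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign sample: a signed app binary in /Applications starting at login.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array>
  <string>/Applications/Backup.app/Contents/MacOS/backupd</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_plist_bytes(blob) or ["no findings"])
    for path, findings in audit_directories().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it on a workstation and compare the output against a known-good baseline taken at provisioning time; new entries that appear after an SDK "update" prompt are exactly the kind of change the article's monitoring advice is meant to catch. The heuristics deliberately treat RunAtLoad and KeepAlive as context rather than as findings on their own, since many legitimate agents set both.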
Regular updates to the operating system, browsers, and scripting runtimes are essential to patch vulnerabilities and reduce the chance of exploitation. Advanced endpoint detection and response tools can also help spot process injection and script execution anomalies specific to macOS.
Securing supply chains by avoiding installing software or SDK updates from unofficial or unverified sources is another important measure. Implementing multi-factor authentication on all critical accounts can hinder unauthorized access.
Staying Vigilant
NimDoor's stealthy and flexible nature makes it a significant threat. Regularly reviewing activity logs and segmenting networks can help minimize the impact of potential intrusions. Training teams in social engineering tactics using simulations and promoting a healthy culture of suspicion can also help avoid falling into traps.
Restricting access to credential and wallet stores and to browsers, limiting authorizations to what is strictly necessary, and adopting detection solutions that identify process injection and monitor encrypted communications like those used by NimDoor are additional measures to consider.
By combining vigilant user behavior, system hardening, and continuous monitoring focused on the specific tactics used by NimDoor, Web3 platforms and crypto startups can significantly mitigate the risk posed by this sophisticated macOS malware threat.
[1] North Korean hackers use social engineering tactics in new macOS malware attack
[2] NimDoor: A new macOS malware targeting crypto startups and Web3 platforms
[3] How NimDoor, the new macOS malware, operates and how to protect against it
[4] NimDoor: A macOS malware with advanced persistence techniques
[1] North Korean hackers employ social engineering strategies involving fake Zoom SDK updates and Telegram lures to deliver the NimDoor malware, a new and sophisticated threat to Web3 platforms and crypto startups on macOS.
[2] NimDoor is a Nim-based backdoor that infiltrates macOS systems by leveraging AppleScript scripts, process injection, and launch agents or signal handlers. It steals credentials, browser data, Telegram messages, and cryptocurrency wallet data.
[3] To protect against NimDoor, crypto startups and Web3 platforms can implement strategies such as training users to critically assess urgent requests, disabling remote AppleScript execution, monitoring for unusual WebSocket connections, and regularly updating systems and browsers.
[4] NimDoor's advanced persistence techniques, combined with data exfiltration over encrypted connections and stealthy operation, make it a significant cybersecurity concern. Therefore, strengthening endpoint and cloud security measures, training teams, and adopting detection solutions are necessary further protective measures.