New Malware NimDoor Targets Crypto Companies Through Fake Zoom Updates

North Korean hackers spread NimDoor malware through fake Zoom scripts to steal data from crypto and Web3 firms.
North Korean hackers have developed a new macOS backdoor called NimDoor to target cryptocurrency and Web3 companies. The malware spreads through fake Zoom update scripts, according to security researchers at SentinelOne.
The hackers contact targets through Telegram, then invite them to schedule meetings via Calendly. They send fake “Zoom SDK update” scripts by email to complete the attack. Cybersecurity firm Huntabil.IT observed this attack chain in April 2025 during a targeted attack on a Web3 startup.
The initial script file is padded with 10,000 lines of whitespace to evade detection. The file even includes a typo – “Zook SDK Update” – in its code. When victims run the script, it downloads a second payload from fake domains that imitate real Zoom servers.
After the initial infection, NimDoor installs two main components on the victim's computer. The first component, written in C++, injects malicious code into legitimate system processes and connects to hacker-controlled servers over encrypted WebSocket connections. The second component, compiled from the Nim programming language, establishes persistent access to the infected system.
The malware deploys fake helper binaries named “GoogIe LLC” (a visual spoof of “Google” in which the lowercase letter L is replaced with an uppercase letter I) and “CoreKitAgent”, and registers a LaunchAgent so it survives reboots and process termination. The backdoor also uses an unusual technique: when someone tries to terminate it, it rewrites its core files to disk, making removal difficult.
Once installed, NimDoor runs automated scripts to steal sensitive information. The malware extracts passwords from macOS Keychain, browser data from Arc, Brave, Firefox, Chrome, and Edge, plus Telegram's local database and decryption keys. All stolen data gets compressed and sent to hacker servers via HTTPS.
Security researchers note two rare techniques in NimDoor's design. Process injection on macOS is uncommon due to Apple's security restrictions, making its use notable. The campaign also uses the Nim programming language for payload development, which differs from typical choices like C++ or AppleScript.
The attacks link to North Korea's Lazarus group and its BlueNoroff division, which have targeted cryptocurrency companies since 2017. These groups operate under international sanctions but continue funding North Korea's weapons programs through cryptocurrency theft. Their toolkit now covers Windows, Linux, and macOS systems.
Security experts recommend verifying software updates through official channels, checking unexpected meeting invites carefully, and using monitoring tools that can detect unusual process injection and network activity.
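As an added illustration of the monitoring advice above (this is example code, not from the original article or from SentinelOne), the following Python script reviews the LaunchAgent plists that NimDoor-style malware relies on for persistence and flags three heuristics drawn from the report: a capital I hiding inside a lowercase word (the “GoogIe” spoof), a program path outside trusted system locations, and RunAtLoad combined with KeepAlive. The sample plist embedded below is constructed for the demonstration; the label, path and key values are not the real NimDoor artifacts.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample LaunchAgent plist (not the real NimDoor artifact) for offline testing.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.GoogIe.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/GoogIe LLC/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Heuristic: an uppercase I sandwiched between lowercase letters (e.g. "GoogIe" posing as "Google").
HOMOGLYPH_RE = re.compile(r"[a-z]I[a-z]")
# Assumed trusted prefixes for launch agent binaries; tune for your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Return label, program path and a list of heuristic findings for one LaunchAgent plist."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "")
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    program = args[0] if args else ""
    findings = []
    if HOMOGLYPH_RE.search(f"{label} {program}"):
        findings.append("homoglyph: capital I inside a lowercase word (e.g. GoogIe for Google)")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {program}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: relaunches after reboot or process kill")
    return {"label": label, "program": program, "findings": findings}


def scan_launch_agents(directory: Path) -> list:
    """Assess every .plist in a LaunchAgents directory; unparseable files are reported too."""
    results = []
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            result = assess_launch_agent(plist_path.read_bytes())
        except Exception as exc:  # a malformed plist in this directory deserves a look itself
            result = {"label": plist_path.name, "program": "", "findings": [f"unparseable: {exc}"]}
        result["path"] = str(plist_path)
        results.append(result)
    return results


if __name__ == "__main__":
    print(assess_launch_agent(SAMPLE_PLIST))
    for entry in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        if entry["findings"]:
            print(entry)
```

Run it on a workstation to list only agents with findings; a clean agent such as one launching `/usr/bin/true` produces an empty findings list.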