TL;DR
- North Korean hackers bait crypto professionals with fake Zoom updates via Telegram and Calendly links, deploying the elusive NimDoor backdoor on macOS.
- Written in Nim to evade Gatekeeper and AV tools, NimDoor persists at boot, and harvests browser passwords, Telegram data, and crypto wallet seeds for exfiltration.
- Security teams should block unsigned installers, restrict updates to trusted domains, audit Telegram invites, disable auto-run scripts, and bolster user phishing awareness.
North Korean threat actors have refined their social engineering toolkit by luring crypto professionals into downloading a counterfeit Zoom update. Targets receive Telegram messages promising an urgent security patch, followed by a Calendly link to schedule a “mandatory” meeting.
When the victim installs the supposed Zoom upgrade on macOS, NimDoor silently infiltrates the system, bypassing Apple’s safety checks and Gatekeeper protections to establish a foothold in seconds.
NimDoor’s Nim-Based Backdoor Evades macOS Protections
What makes NimDoor unique is its rare selection of programming language: Nim. Mainstream security tools and Apple’s built-in signature checks don’t recognize its code patterns, granting the backdoor a virtual free pass. Once executed, NimDoor plants a login item agent that ensures persistent execution at each boot. From there, it silently pulls follow-up payloads, morphing its behavior to dodge static and behavioral detection in European code tweak cycles.
Stealing Wallet Credentials and Sensitive Data
With system privileges in hand, NimDoor scours browser profiles for stored passwords and zeroes in Telegram databases. It then scours local directories for crypto wallet files, seed phrases, keystore JSONs, and local keychains, readying them for exfiltration.
Threat intelligence firm TRM Labs notes that DPRK operators have siphoned more than $1.6 billion from Web3 and crypto firms so far in 2025, underscoring NimDoor’s potential role in that lucrative haul.
Recommendations to Fortify Crypto Firm Defenses
Security experts urge companies to block unsigned installer packages at the network perimeter and restrict macOS systems to fetching updates only from verified domains like zoom.us. IT teams should audit newly added Telegram contacts and disable automatic script execution for downloaded meeting invites.
Regularly reviewing login-item entries and employing behavioral AI agents can detect clandestine persistence mechanisms. Above all, continuous user-awareness training remains critical, one misplaced click on a fake update is all an attacker needs.
