NimDoor Malware Slips into Macs via Fake Video Meetings

The attacks, linked to groups in North Korea, focus on stealing information from cryptocurrency companies by exploiting trust and targeting macOS users.

The scheme began when a hacker reached out through messaging apps like Telegram as a trusted contact. Then, they suggested a quick video call and sent a Google Meet link, followed by what appears to be a Zoom update file. When opened, the file installs a malware called “NimDoor” on the victim’s Mac.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is a Liquidity Pool in Crypto? (Animated)

SUBSCRIBE

ON YOUTUBE

Once installed, NimDoor searches for cryptocurrency wallet keys, saved browser passwords, and other private data. It also runs a script that collects Telegram’s encrypted local database and the keys needed to unlock it.

The malware waits about ten minutes before starting its activity to avoid immediate detection.

The malware was written in Nim, a programming language rarely used in macOS attacks. Nim allows the same malicious code to run on Mac, Windows, and Linux, which means hackers do not need separate versions for each system. It also produces lightweight files that launch fast and leave fewer traces.

Researchers noted that while the social-engineering tactic is familiar, using Nim binaries on macOS is unusual and harder for security tools to recognize.

Recently, Kaspersky researchers Sergey Puzan and Dmitry Kalinin found a new type of malware called SparkKitty. How does the malware work? Read the full story.