Researchers from SentinelLabs have uncovered a new campaign by North Korean state-aligned hackers targeting macOS users to steal cryptocurrency and confidential information, according to TechRadar.
They identified a backdoor called NimDoor, written in Nim, a relatively obscure programming language whose compiled binaries few analysts and signature-based antivirus products are tuned to recognise. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, which let it keep running quietly between check-ins and evade detection. "Beaconing" is the technique in which malware periodically contacts a command-and-control (C2) server to report that it is alive, receive instructions, or exfiltrate data; because the cadence is driven by a timer, the resulting traffic tends to be regular, which is also what network-level detection looks for.
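As an added example that is not part of the article or of SentinelLabs' research, the script below shows how a defender can spot timer-driven beaconing in a connection log: it groups outbound connections by process and destination, measures the gaps between them, and flags pairs whose inter-arrival times are both frequent and nearly constant. The log format, the sample lines, the process name `osascript` (the macOS AppleScript interpreter, assumed here to be what an AppleScript beacon shows up as), the 30-second period and the thresholds are all constructed assumptions for illustration.

```python
"""Detect periodic (beacon-like) outbound connections in a connection log.

Added example, not code from SentinelLabs or the article. The log format,
the sample lines, the 30-second period and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <process> <dst host:port>".
# osascript contacts one host roughly every 30 s (a beacon); Safari's
# connections are bursty and irregular (normal browsing).
SAMPLE_LOG = """\
2025-07-01T10:00:00 osascript 203.0.113.10:443
2025-07-01T10:00:05 Safari 198.51.100.7:443
2025-07-01T10:00:07 Safari 198.51.100.7:443
2025-07-01T10:00:30 osascript 203.0.113.10:443
2025-07-01T10:01:00 osascript 203.0.113.10:443
2025-07-01T10:01:31 osascript 203.0.113.10:443
2025-07-01T10:02:00 osascript 203.0.113.10:443
2025-07-01T10:02:30 osascript 203.0.113.10:443
2025-07-01T10:02:40 Safari 198.51.100.7:443
2025-07-01T10:02:41 Safari 198.51.100.7:443
2025-07-01T10:03:01 osascript 203.0.113.10:443
2025-07-01T10:03:30 osascript 203.0.113.10:443
2025-07-01T10:05:12 Safari 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst = line.split()
        events[(proc, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times):
    """Return (mean interval in seconds, jitter ratio) for sorted timestamps.

    The jitter ratio is the population standard deviation of the gaps divided
    by their mean: close to 0 for a fixed timer, close to or above 1 for
    human-driven traffic. Returns None when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_conns=5, max_jitter=0.2):
    """Return (process, destination, mean_interval, jitter) for suspect pairs.

    Thresholds are assumptions: at least min_conns connections, and a jitter
    ratio at or below max_jitter. A real beacon may add random sleep to blur
    the pattern, so max_jitter is something to tune, not a constant.
    """
    suspects = []
    for (proc, dst), times in parse_log(text).items():
        times.sort()
        if len(times) < min_conns:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_jitter:
            suspects.append((proc, dst, round(score[0], 1), round(score[1], 3)))
    return suspects


if __name__ == "__main__":
    for proc, dst, interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {proc} -> {dst} every ~{interval}s (jitter {jitter})")
```

On the constructed sample only the `osascript` pair is reported, with a mean interval of 30 seconds and a jitter ratio of about 0.025; the Safari connections have gaps ranging from one second to several minutes and fall well above the threshold. Which process name a real implant shows up under, and how much jitter it adds, are things to confirm from the actual host and network telemetry rather than from this sample.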
The attack typically begins in Telegram: the victim receives a message from what appears to be a trusted contact, inviting them to a Zoom meeting. Clicking the link opens a fake Zoom page that prompts the user to install an "update" in order to join the call. What is actually downloaded is the malicious NimDoor code, which steals several kinds of data:
- Browser history and search queries;
- Cookies and chats from Telegram;
- Passwords from macOS Keychain.
"This is concerning regarding the development of North Korean cyber capabilities, especially considering the rise of remote work and the false sense of security among Mac users," said SentinelLabs.
State-sponsored hacker groups from North Korea, including the notorious Lazarus Group, have previously stolen cryptocurrency to fund the regime's programmes. From 2021 to early 2025 they stole over $3.4 billion, including:
- Attack on ByBit exchange in February 2025: approximately $1.5 billion in tokens;
- Ronin Bridge hack in March 2022: about $600 million;
- Poly Network attack in August 2021: around $600 million (often cited alongside these, though it was never attributed to North Korea, and the attacker returned almost all of the funds).
Experts advise all macOS users to be cautious: do not open suspicious links, even when they come from acquaintances; install updates only through the application's own updater or the vendor's official site, never from a browser pop-up; and treat a "required update" that appears only after clicking a meeting link as a red flag rather than a prerequisite for joining the call.