While cryptocurrency firms have grown accustomed to the usual parade of ransomware attacks and phishing schemes, a sophisticated new malware campaign targeting macOS systems demonstrates that North Korea’s Lazarus Group—fresh off their $1.4 billion heist from ByBit in February—has refined its approach with the kind of technical elegance that would be admirable if it weren’t so thoroughly criminal.
The campaign, active since April 2025, employs a particularly insidious social engineering vector that begins with seemingly innocuous Telegram messages from supposed legitimate contacts. Victims receive invitations to fake Zoom meetings scheduled through Calendly—because nothing says “professional legitimacy” quite like proper calendar etiquette—before being directed to attacker-controlled websites that spoof genuine Zoom domains with remarkable fidelity.
The real ingenuity lies in the malware itself, dubbed NimDoor for its use of the Nim programming language. This choice proves strategically brilliant: Nim’s rarity in malware development means traditional detection systems remain largely blind to its presence. The attackers compound this advantage by incorporating multiple languages—AppleScript, Bash, and C++—creating a polyglot nightmare for security analysts attempting forensic reconstruction. SentinelLabs’ analysis reveals that Web3 organizations have become primary targets in this sustained campaign against the cryptocurrency sector.
What truly sets NimDoor apart is its persistence mechanism. Rather than relying on conventional startup folders or registry modifications, the malware employs SIGINT and SIGTERM signal handlers that effectively resurrect the program after termination attempts. It’s the digital equivalent of a horror movie villain that simply won’t stay dead.
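The responder's side of that resurrection trick, as an added example that is not code from SentinelLabs or the NimDoor sample: a process that traps SIGTERM shrugs off the polite kill, so containment has to escalate to SIGKILL (which no handler can catch) and then confirm that nothing in the process group survived. The child spawned here is a constructed stand-in that merely ignores SIGTERM; the function names are this example's own.

```python
"""Containment check for a process that traps SIGTERM. Added example, not code
from SentinelLabs or the NimDoor sample; the child is a constructed stand-in."""
import os
import signal
import subprocess
import sys
import time

# Constructed stand-in: with argv[1] == "1" it swallows SIGTERM, then idles.
CHILD_SRC = (
    "import signal, sys, time\n"
    "if sys.argv[1] == '1': signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
    "print('ready', flush=True)\n"
    "while True: time.sleep(0.1)\n"
)

def spawn_child(trap_sigterm: bool) -> subprocess.Popen:
    """Start the stand-in in its own session so the whole group can be killed."""
    return subprocess.Popen([sys.executable, "-c", CHILD_SRC, "1" if trap_sigterm else "0"],
                            start_new_session=True, stdout=subprocess.PIPE)

def group_alive(pgid: int) -> bool:
    """True if any process is left in group `pgid` (signal 0 only probes)."""
    try:
        os.killpg(pgid, 0)
        return True
    except ProcessLookupError:
        return False

def contain(proc: subprocess.Popen, grace: float = 1.0) -> str:
    """SIGTERM first; if the target still runs after `grace` seconds, SIGKILL
    its whole process group. Returns the name of the signal that ended it."""
    pgid = os.getpgid(proc.pid)
    proc.send_signal(signal.SIGTERM)
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        if proc.poll() is not None:
            return "SIGTERM"
        time.sleep(0.05)
    # A handler swallowed SIGTERM. SIGKILL cannot be caught or ignored, and
    # killpg also reaches any successor the target forked to resurrect itself.
    os.killpg(pgid, signal.SIGKILL)
    proc.wait(timeout=5)
    return "SIGKILL"

def demo(trap_sigterm: bool) -> dict:
    """Spawn the stand-in, contain it, and report how it ended."""
    child = spawn_child(trap_sigterm)
    pgid = os.getpgid(child.pid)
    child.stdout.readline()  # block until the child reports its handler is installed
    return {"ended_by": contain(child), "group_alive": group_alive(pgid)}
```

`demo(False)` ends with SIGTERM while `demo(True)` needs the SIGKILL escalation; in both cases the group check afterwards is what tells a responder the termination actually stuck.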
The malware’s appetite for sensitive data proves equally extensive, targeting browser-saved passwords, cryptocurrency wallet credentials, Keychain data, and Telegram communications. Encrypted WebSocket connections (wss) ensure that exfiltrated data travels through channels designed to frustrate network monitoring tools. One particularly deceptive component called GoogIe LLC helps the malware blend seamlessly into legitimate system processes, making detection significantly more challenging.
AppleScript serves dual purposes as both initial access vector and lightweight backdoor, demonstrating the attackers’ understanding that the most effective camouflage often involves hiding in plain sight among legitimate system tools. The modular architecture suggests this represents merely the opening salvo in what promises to be an extended campaign.
For cryptocurrency firms already navigating regulatory uncertainty and market volatility, NimDoor represents an unwelcome reminder that technical sophistication knows no borders—particularly when state-sponsored actors require revenue generation through decidedly unconventional means. The targeting of cryptocurrency organizations mirrors broader attacks on decentralized platforms, as blockchain networks continue to present lucrative targets for sophisticated threat actors seeking to exploit their decentralized nature.